User Group Roles
The Access Management > Users/Groups/Roles page is for managing Ranger users, groups, and roles.
Apache Ranger uses users, groups, and roles to manage and enforce fine-grained access control.
Users represent individual identities accessing resources. A Ranger user can be part of a group, or can be assigned to a role created within the Ranger Admin UI or via REST APIs.
Groups are collections of users, allowing bulk assignment of permissions.
Roles provide a logical grouping of privileges that can be assigned to users or groups, enabling role-based access control (RBAC) across multiple services and policies.
This structure simplifies policy management and helps ensure scalable and consistent access control across large environments.
Users:
In Apache Ranger, users can be directly specified in policy conditions to allow or deny access to resources, or they can be added to groups or roles, which are then referenced in policies.
Ranger classifies users into two types based on how they are created:
- Internal Users
- External Users
Internal Users:
- Created manually within the Ranger Admin UI or via REST APIs.
- Below are the users created by the system as internal users:
Note
In Pcloud, when a user is created for the first time as an admin user, or when a portal user is created, a corresponding Ranger user with the same username is also created as an internal user.
Recommendation
In Pcloud, it is recommended to use only Ranger internal users for Ranger API authentication.
External Users:
- In a self-managed environment, when a user is created for the first time as an admin user, or when a portal user is created, a corresponding Ranger user with the same username is also created as an external user.
- System-generated users for each data resource service are also created as external users:
Service Name | User Name |
---|---|
privacera_hive | hive |
privacera_s3 | s3 |
privacera_adls | adls |
privacera_athena | athena |
privacera_bigquery | bigquery |
privacera_cloudwatch | cloudwatch |
privacera_databricks_sql_analytics | databricks_sql_analytics |
privacera_databricks_unity_catalog | databricks_unity_catalog |
privacera_dremio | $dremio$ |
privacera_dremio_ps | dremio_ps |
privacera_dynamodb | dynamodb |
privacera_files | files |
privacera_gcs | gcs |
privacera_glue | glue |
privacera_kafka | kafka |
privacera_kinesis | kinesis |
privacera_kms | kms |
privacera_lakeformation | lakeformation |
privacera_lambda | lambda |
privacera_mssql | mssql |
privacera_peg | peg |
privacera_postgres | postgres |
privacera_powerbi | powerbi |
privacera_presto | presto |
privacera_redshift | redshift |
privacera_snowflake | snowflake |
privacera_starburstenterprise | starburstenterprise |
privacera_starburstenterprisepresto | starburstpresto |
privacera_tag | rangertagsync |
privacera_trino | trino |
privacera_vertica | vertica |
Below are some more system-generated users:
User |
---|
dbx-integration-user |
discovery_service_user |
feu-integration-user |
streamset-integration-user |
oss-integration-user |
vertica-integration-user |
emr-hive-integration-user |
emr-spark-integration-user |
emr-presto-integration-user |
emr-trino-integration-user |
trino-integration-user |
dremio-integration-user |
snowflake-integration-user |
gbq-integration-user |
redshift-integration-user |
peg |
padmin |
hdfs |
om |
hbase |
Note
- In Pcloud, service users are created only if the service is enabled for the account.
- The padmin user is available only in self-managed environments.
- In Ranger, users synchronized through UserSync from LDAP or Active Directory are automatically created as external users. For more information on UserSync, see UserSync.
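The following added example (not part of the original documentation or of Privacera's or Ranger's own code) audits a Ranger user list against the internal/external split described above and flags accounts used for Ranger API authentication that are not internal users. It assumes the JSON shape returned by Apache Ranger's `/service/xusers/users` endpoint, where `userSource` is 0 for internal and 1 for external users; the sample payload, the API account names, and the `audit_users` helper are constructed for illustration.

```python
import json

# Ranger reports a user's origin in "userSource": 0 = internal, 1 = external.
INTERNAL = 0

# A few of the system-generated external users listed on this page.
SYSTEM_EXTERNAL = {"hive", "s3", "rangertagsync", "dbx-integration-user", "padmin"}

# Constructed sample response (not real data), shaped like /service/xusers/users.
SAMPLE = json.loads("""
{"vXUsers": [
  {"name": "svc_policy_api", "userSource": 0, "userRoleList": ["ROLE_SYS_ADMIN"]},
  {"name": "hive",           "userSource": 1, "userRoleList": ["ROLE_USER"]},
  {"name": "jdoe",           "userSource": 1, "userRoleList": ["ROLE_USER"]},
  {"name": "etl_api",        "userSource": 1, "userRoleList": ["ROLE_SYS_ADMIN"]}
]}
""")

def audit_users(payload, api_accounts):
    """Classify users by origin and flag API accounts that are not internal."""
    by_name = {u["name"]: u for u in payload.get("vXUsers", [])}
    report = {"internal": [], "external_system": [], "external_other": [],
              "api_not_internal": [], "api_missing": []}
    for name, user in sorted(by_name.items()):
        # A missing or unknown userSource is treated as non-internal (fail closed).
        if user.get("userSource") == INTERNAL:
            report["internal"].append(name)
        elif name in SYSTEM_EXTERNAL:
            report["external_system"].append(name)
        else:
            # UserSync (LDAP/AD) users, or portal users in self-managed setups.
            report["external_other"].append(name)
    for name in sorted(api_accounts):
        user = by_name.get(name)
        if user is None:
            report["api_missing"].append(name)
        elif user.get("userSource") != INTERNAL:
            report["api_not_internal"].append(name)
    return report

if __name__ == "__main__":
    # Hypothetical accounts that automation uses to call the Ranger API.
    accounts = {"svc_policy_api", "etl_api", "ghost"}
    print(json.dumps(audit_users(SAMPLE, accounts), indent=2))
```
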
Groups
Groups are collections of associated users. Users can be members of more than one group. Like user objects, groups are used in the definition of resource policies.
A policy can include or exclude a group on its own or in association with other groups when allowing or denying access.
Groups are also classified as internal and external groups.
Internal
Groups created in Ranger are created as internal groups.
Note
The public group is a system-generated internal group.
External
Groups synchronized in Ranger through UserSync are created as external groups.
Note
The following groups are system-generated external groups:
- peg-native-integration-service-group
- peg-remote-integration-service-group
Roles
With the Roles tab, you can create custom roles to use when you define access policies. Custom roles are distinct from the user roles (Admin, User, Auditor).