
Encryption Scheme Policy Management

Privacera Encryption enforces granular access control to encryption, decryption, and masking operations through Scheme Policies. These policies determine who can perform what operations on which scheme, enabling secure usage across all supported integrations.

What Is a Scheme Policy?

A scheme policy defines access permissions for one or more Privacera Encryption schemes. Each policy includes:

  • Target Scheme(s): Encryption, Presentation, or Masking schemes
  • Permission Types: What operations the user/group/role can perform
  • Principals: The user, group, or role granted permission

Scheme policies are critical for ensuring that encryption functions are used only by authorized entities, and that proper data security and compliance standards are upheld.

Permission Types

The following permissions can be assigned via a scheme policy:

Permission     Description
Protect        Allows the subject to encrypt data using the scheme
Unprotect      Allows the subject to decrypt data using the scheme
Mask           Allows the subject to apply a one-way masking scheme
Get Scheme     Allows the subject to retrieve scheme metadata
Impersonate    Allows the subject to perform operations on behalf of another user (doAs)

Policy Enforcement Points

Scheme policies are enforced uniformly across all interfaces:

  • PEG REST API: JWT-based access authorization
  • Databricks UDFs: Permissions checked during UDF execution
  • File Encryption Utility (FEU): Validates scheme access via CLI
  • StreamSets Pipelines: Applies protection rules based on meta file mapping

Creating a Scheme Policy

You can create scheme policies using the Privacera Portal:

  1. Navigate to Access Management > Scheme Policies
  2. Choose the PEG service context
  3. Click Add New Policy
  4. Fill in the following:
     • Policy Name and Description
     • The target scheme(s)
     • The permissions to grant (Protect, Unprotect, etc.)
     • The users, groups, or roles for each permission
  5. Save the policy

Example Policies

Full Access to Encryption Schemes for Data Engineering Team

Policy Name: Full_Encryption_Access
Description: Allow data engineers to protect and unprotect PII
Schemes: SYSTEM_EMAIL, SYSTEM_SSN
Permissions:
  - Protect: data-engineering-group
  - Unprotect: data-engineering-group

Presentation-Only Access for Analysts

Policy Name: Analyst_Presentation_Only
Description: Allow analysts to decrypt using presentation schemes only
Schemes: SYSTEM_EMAIL, SYSTEM_PRESENTATION_EMAIL
Permissions:
  - Unprotect: analytics-role (with presentation scheme applied)

Best Practices

  • Follow Least Privilege: Grant minimal permissions required for each role
  • Use Roles and Groups: Easier to manage than user-specific grants
  • Audit Regularly: Review policy assignments periodically
  • Combine with Access Policies: Use in conjunction with Ranger access policies for columns to achieve comprehensive security

Troubleshooting

If users report access issues with encryption or decryption:

  1. Verify the user is a member of the group or role specified in the scheme policy
  2. Check that the scheme policy grants the appropriate permission (Protect or Unprotect)
  3. Ensure the scheme specified in the API call matches the scheme protected by the policy
  4. Review audit logs to identify any permission errors
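The following is an added illustration of the policy model described on this page (scheme, permission type, principal) and of the troubleshooting order above; it is not Privacera's enforcement code. It loads the two example policies from this page plus one constructed doAs policy into a small in-memory evaluator and returns, for every denied request, the reason a troubleshooter would look for (user not in the granted group or role, permission not granted, scheme not covered). The user directory, the `peg-service-role` principal, and the doAs rule (the caller needs Impersonate on the scheme and the impersonated user must hold the requested permission) are assumptions made for the example.

```python
"""Toy evaluator for Privacera-style scheme policies.

Added illustration only: the data model, the directory lookup and the
doAs semantics are assumptions, not the product's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A requesting user together with its group and role memberships."""
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

    def identities(self):
        # Every name a policy grant could match for this user.
        return {self.user} | self.groups | self.roles


@dataclass
class SchemePolicy:
    """One scheme policy: target schemes plus permission -> principals."""
    name: str
    schemes: set
    grants: dict  # e.g. {"Protect": {"data-engineering-group"}}


# Policies taken from the two examples on this page, plus a constructed
# doAs policy so that the Impersonate permission can be exercised.
POLICIES = [
    SchemePolicy("Full_Encryption_Access", {"SYSTEM_EMAIL", "SYSTEM_SSN"},
                 {"Protect": {"data-engineering-group"},
                  "Unprotect": {"data-engineering-group"}}),
    SchemePolicy("Analyst_Presentation_Only",
                 {"SYSTEM_EMAIL", "SYSTEM_PRESENTATION_EMAIL"},
                 {"Unprotect": {"analytics-role"}}),
    SchemePolicy("Service_Account_DoAs", {"SYSTEM_EMAIL", "SYSTEM_SSN"},
                 {"Impersonate": {"peg-service-role"}}),  # constructed
]

# Constructed user directory (assumption: memberships are resolved here).
DIRECTORY = {
    "alice": Principal("alice", groups={"data-engineering-group"}),
    "bob": Principal("bob", roles={"analytics-role"}),
    "svc-etl": Principal("svc-etl", roles={"peg-service-role"}),
    "carol": Principal("carol"),  # no memberships at all
}


def check(user, permission, scheme, policies=POLICIES, directory=DIRECTORY):
    """Return (allowed, reason).

    Denial reasons follow the troubleshooting order on this page so the
    output points at the step that needs attention.
    """
    principal = directory.get(user)
    if principal is None:
        return False, f"unknown user {user!r}"
    covering = [p for p in policies if scheme in p.schemes]
    if not covering:
        return False, f"no scheme policy covers scheme {scheme!r}"
    granting = [p for p in covering if permission in p.grants]
    if not granting:
        return False, f"no policy on {scheme!r} grants {permission}"
    for p in granting:
        matched = principal.identities() & p.grants[permission]
        if matched:
            return True, f"allowed by {p.name} via {sorted(matched)[0]}"
    return False, (f"{user!r} is not a member of any principal granted "
                   f"{permission} on {scheme!r}")


def check_do_as(caller, target_user, permission, scheme,
                policies=POLICIES, directory=DIRECTORY):
    """Assumed doAs rule: caller needs Impersonate on the scheme, and the
    impersonated user must itself hold the requested permission."""
    ok, why = check(caller, "Impersonate", scheme, policies, directory)
    if not ok:
        return False, "caller lacks Impersonate: " + why
    ok, why = check(target_user, permission, scheme, policies, directory)
    if not ok:
        return False, "impersonated user denied: " + why
    return True, f"{caller} as {target_user}: {why}"


if __name__ == "__main__":
    for req in [("alice", "Protect", "SYSTEM_SSN"),
                ("bob", "Unprotect", "SYSTEM_PRESENTATION_EMAIL"),
                ("bob", "Protect", "SYSTEM_EMAIL"),
                ("carol", "Unprotect", "SYSTEM_EMAIL"),
                ("alice", "Mask", "SYSTEM_PHONE")]:
        print(req, "->", check(*req))
    print(check_do_as("svc-etl", "alice", "Protect", "SYSTEM_SSN"))
    print(check_do_as("bob", "alice", "Protect", "SYSTEM_SSN"))
```

Each denial string names exactly one of the conditions in the troubleshooting list, which is the property worth keeping in any real audit log: a "not a member" reason sends you to step 1, a "grants" reason to step 2, and a "covers scheme" reason to step 3.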
