Connect Databricks Unity Catalog to PrivaceraCloud
For background, see Quickstart for Databricks Unity Catalog on PrivaceraCloud.
Prerequisites
Before configuring the connection, at a minimum, have the following ready:
- The value of the Databricks Unity Catalog URL to connect to.
- The value of the Databricks personal access token.
- Determine whether your personal access token gives you administrative permissions in Databricks Unity Catalog. By default, PrivaceraCloud assumes that the token does not. If it does, you will need to set the field Enable if the personal access token has account admin privileges to true.
- Look at the BASIC fields in the Field descriptions for Databricks Unity Catalog to see if there are other fields you might want to configure, such as catalog names or table names. You can always configure fields after making the initial connection.
Procedure
To connect your PrivaceraCloud account to Databricks Unity catalog, follow the steps in Connect an application. The name to connect to is Databricks Unity Catalog.
Field descriptions for Databricks Unity Catalog
These Databricks Unity Catalog connector fields can be set for PolicySync on PrivaceraCloud.
The fields are divided across two tabs.
Start by setting the fields on the BASIC tab, which cover authentication and the basic features. Then examine the fields on the ADVANCED tab to determine which of those features you want to enable.
| Category | Field | Description | Default Value |
|---|---|---|---|
| JDBC configuration properties | | | |
| BASIC | Databricks Unity Catalog URL [BASIC-MANDATORY] | The Databricks URL that PolicySync connects to. Example: https://dev-environment.cloud.databricks.com | |
| BASIC | Databricks personal access token [BASIC-MANDATORY] | A personal access token used to connect to the Databricks API. The token should belong to an admin user who has access to the resources that PolicySync will manage. Example: dapi123456789... | |
| BASIC | Enable if the personal access token has account admin privileges [BASIC-MANDATORY] | Turn this on if the personal access token has account admin privileges. PolicySync can create and update users and groups in Unity Catalog only when the token has account admin privileges. If it does not, PolicySync will not create or update users or groups in Unity Catalog, so they must be created in Unity Catalog beforehand. | false |
| Resources management | | | |
| BASIC | Catalogs to set access control policies for [BASIC] | List of catalog names whose access control is managed by Privacera. Leave blank to manage all catalogs. | |
| ADVANCED | Schemas to set access control policies for [ADVANCED] | List of schema names whose access control is managed by Privacera. Leave blank to manage all schemas. | |
| ADVANCED | Tables to set access control policies [ADVANCED] | List of fully qualified table names (FQDN) whose access control is managed by Privacera. Leave blank to manage all tables in the managed schemas. | |
| ADVANCED | User defined functions to set access control policies for [ADVANCED] | List of fully qualified user-defined function names (FQDN) whose access control is managed by Privacera. Leave blank to manage all functions in the managed schemas. | |
| BASIC | External locations to set access control policies for [BASIC] | List of external location names whose access control is managed by Privacera. Leave blank to manage all external locations. | |
| BASIC | Storage credentials to set access control policies for [BASIC] | List of storage credential names whose access control is managed by Privacera. Leave blank to manage all storage credentials. | |
| ADVANCED | Catalogs to ignore while setting access control policies [ADVANCED] | List of catalog names whose access control is not managed by Privacera. This list takes precedence over [Catalogs to set access control policies]. | |
| ADVANCED | Schemas to ignore while setting access control policies [ADVANCED] | List of schema names whose access control is not managed by Privacera. This list takes precedence over [Schemas to set access control policies]. | |
| ADVANCED | Tables to ignore while setting access control policies [ADVANCED] | List of fully qualified table names (FQDN) whose access control is not managed by Privacera. This list takes precedence over [Tables to set access control policies]. | |
| ADVANCED | User defined functions to ignore while setting access control policies [ADVANCED] | List of fully qualified user-defined function names (FQDN) whose access control is not managed by Privacera. This list takes precedence over [User defined functions to set access control policies]. | |
| ADVANCED | External locations to ignore while setting access control policies [ADVANCED] | List of external location names whose access control is not managed by Privacera. This list takes precedence over [External locations to set access control policies]. | |
| ADVANCED | Storage credentials to ignore while setting access control policies [ADVANCED] | List of storage credential names whose access control is not managed by Privacera. This list takes precedence over [Storage credentials to set access control policies]. | |
| Users/Groups/Roles management | | | |
| ADVANCED | Regex to find special characters in names [ADVANCED] | Regex that matches characters in a name; each match is replaced with the string specified in [String to replace with the special characters found in names]. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` |
| ADVANCED | String to replace with the special characters found in names [ADVANCED] | String that replaces the characters found by the regex specified in [Regex to find special characters in names]. | _ |
| ADVANCED | Regex to find special characters in user names [ADVANCED] | Regex that matches characters in a user name; each match is replaced with the string specified in [String to replace with the special characters found in user names]. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` |
| ADVANCED | String to replace with the special characters found in user names [ADVANCED] | String that replaces the characters found by the regex specified in [Regex to find special characters in user names]. | _ |
| ADVANCED | Regex to find special characters in group names [ADVANCED] | Regex that matches characters in a group name; each match is replaced with the string specified in [String to replace with the special characters found in group names]. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` |
| ADVANCED | String to replace with the special characters found in group names [ADVANCED] | String that replaces the characters found by the regex specified in [Regex to find special characters in group names]. | _ |
| ADVANCED | Regex to find special characters in role names [ADVANCED] | Regex that matches characters in a role name; each match is replaced with the string specified in [String to replace with the special characters found in role names]. | `` [~`$&+:;=?@#\|'<>.^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}] `` |
| ADVANCED | String to replace with the special characters found in role names [ADVANCED] | String that replaces the characters found by the regex specified in [Regex to find special characters in role names]. | _ |
| ADVANCED | Persist case sensitivity of user names [ADVANCED] | By default, all user names are converted to lowercase. Enable this to keep the same case as in the portal. | false |
| ADVANCED | Persist case sensitivity of group names [ADVANCED] | By default, all group names are converted to lowercase. Enable this to keep the same case as in the portal. | false |
| ADVANCED | Persist case sensitivity of role names [ADVANCED] | By default, all role names are converted to lowercase. Enable this to keep the same case as in the portal. | false |
| ADVANCED | Create users in Databricks SQL Endpoint by policysync [ADVANCED] | Enable to have Privacera create an account user in Databricks Unity Catalog for each user created in the portal. Even when this property is true, account users are created only if the provided personal access token has account admin privileges. | true |
| ADVANCED | Create groups in Databricks SQL Endpoint by policysync [ADVANCED] | Enable to have Privacera create an account group in Databricks Unity Catalog for each group created in the portal. Even when this property is true, account groups are created only if the provided personal access token has account admin privileges. | true |
| ADVANCED | Manage members of groups in Databricks SQL by policysync [ADVANCED] | Enable to have Privacera manage the members of the account group in Databricks Unity Catalog for each group created in the portal. Even when this property is true, account groups are updated only if the provided personal access token has account admin privileges. | true |
| ADVANCED | Manage users from portal [ADVANCED] | Enable to have Privacera create, update, and delete users in Databricks Unity Catalog whenever users are created, updated, or deleted in the portal. | true |
| ADVANCED | Manage groups from portal [ADVANCED] | Enable to have Privacera create, update, and delete groups in Databricks Unity Catalog whenever groups are created, updated, or deleted in the portal. | true |
| ADVANCED | Manage roles from portal [ADVANCED] | Enable to have Privacera create, update, and delete roles in Databricks Unity Catalog whenever roles are created, updated, or deleted in the portal. | true |
| ADVANCED | Users to set access control policies [ADVANCED] | List of user names whose access control is managed by Privacera. Leave blank to manage all users. | |
| ADVANCED | Groups to set access control policies [ADVANCED] | List of group names whose access control is managed by Privacera. Leave blank to manage all groups. | |
| ADVANCED | Roles to set access control policies [ADVANCED] | List of role names whose access control is managed by Privacera. Leave blank to manage all roles. | |
| ADVANCED | Users to be ignored by access control policies [ADVANCED] | List of user names whose access control is not managed by Privacera. This list takes precedence over [Users to set access control policies]. | |
| ADVANCED | Groups be ignored by access control policies [ADVANCED] | List of group names whose access control is not managed by Privacera. This list takes precedence over [Groups to set access control policies]. | |
| ADVANCED | Roles be ignored by access control policies [ADVANCED] | List of role names whose access control is not managed by Privacera. This list takes precedence over [Roles to set access control policies]. | |
| ADVANCED | Prefix of Databricks SQL Endpoint roles for portal groups [ADVANCED] | Prefix of the role that PolicySync creates in Databricks Unity Catalog for each group from the portal. | priv_group_ |
| ADVANCED | Prefix of Databricks SQL Endpoint roles for portal roles [ADVANCED] | Prefix of the role that PolicySync creates in Databricks Unity Catalog for each role from the portal. | priv_role_ |
| ADVANCED | Use Databricks SQL Endpoint native public group for public group access policies [ADVANCED] | Enable to have Privacera grant access to the native Databricks Unity Catalog public group whenever a policy refers to the public group. | true |
| ADVANCED | Set access control policies only on the users from managed groups [ADVANCED] | Enable to manage only the users who belong to the groups listed in [Groups to set access control policies]. | false |
| ADVANCED | Set access control policies only on the users/groups from managed roles [ADVANCED] | Enable to manage only the users who belong to the roles listed in [Roles to set access control policies]. | false |
| Access control management | | | |
| ADVANCED | Enforce masking policies using secure views [ADVANCED] | Enable to enforce masking policies using secure views. | true |
| ADVANCED | Enforce tr filter policies using secure views [ADVANCED] | Enable to enforce tr filter policies using secure views. | true |
| ADVANCED | Create secure view for all tables/views [ADVANCED] | Enable to create a secure view for every table and view, regardless of whether a masking or tr filter policy exists for the table in the UI. | true |
| ADVANCED | Default masked value for numeric datatype columns [ADVANCED] | Default masked value for numeric datatype columns. | 0 |
| ADVANCED | Default masked value for text/varchar/string datatype columns [ADVANCED] | Default masked value for text/varchar/string datatype columns. | <MASKED>' |
| ADVANCED | Secure view name prefix [ADVANCED] | The secure view name is created by prepending this value to the actual table/view name. | |
| ADVANCED | Secure view name postfix [ADVANCED] | The secure view name is created by appending this value to the actual table/view name. | |
| ADVANCED | Secure view schema name prefix [ADVANCED] | The secure view schema name is created by prepending this value to the actual table/view schema name. | |
| ADVANCED | Secure view schema name postfix [ADVANCED] | The secure view schema name is created by appending this value to the actual table/view schema name. | _secure |
| ADVANCED | Any spark properties to use when creating a secure view. [ADVANCED] | When a secure view is created through the Unity Catalog API, the API sets no Spark properties on the view. To give secure views Spark properties when they are created, specify them here as a comma-separated list. | |
| BASIC | Enable policy enforcements and user/group/role management [BASIC] | Enable policy enforcement and user/group/role management. | true |
| ADVANCED | Enable dataadmin [ADVANCED] | Enable to use the data admin functionality. | true |
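The three rule families in the table that are easiest to misread are the include/ignore precedence for resources, the special-character regex with its case rule, and the secure-view naming fields. The Python below is an added example, not Privacera's code, that models those rules so an administrator can predict what PolicySync will touch before connecting: the precedence and default values come from the table, while `is_managed`, `managed_resources`, `sanitize_name`, `role_for_group`, `SecureViewNaming` and `secure_view_fqn` are names assumed here, the Python rendering of the default regex is this example's reading of the documented value, and the catalog, user, group and table names are constructed sample input.

```python
"""Model of how the Databricks Unity Catalog connector fields interact.

Added example, not Privacera's code: the precedence rules and default values
come from the field table, but every function and class name here, and the
Python rendering of the default regex, are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed Python rendering of the documented default "Regex to find special
# characters in names": one character class of punctuation that is unsafe in
# Unity Catalog identifiers ([ ] - / and \ are backslash-escaped inside it).
SPECIAL_CHARS = re.compile(r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]")


def is_managed(name: str, include: list[str], ignore: list[str]) -> bool:
    """Documented precedence: the ignore list wins over the include list,
    and an empty include list means every resource is managed."""
    if name in ignore:
        return False
    return not include or name in include


def managed_resources(candidates: list[str], include: list[str], ignore: list[str]) -> list[str]:
    """Resources PolicySync would manage, given the include/ignore lists.
    Anything excluded is left untouched by PolicySync, so review the ignore
    lists when auditing which Unity Catalog objects are actually under policy."""
    return sorted(r for r in candidates if is_managed(r, include, ignore))


def sanitize_name(name: str, replacement: str = "_", persist_case: bool = False) -> str:
    """Apply the special-character regex and the case rule: every match becomes
    `replacement` (default "_"), and the result is lowercased unless
    'Persist case sensitivity' is enabled (default false)."""
    cleaned = SPECIAL_CHARS.sub(replacement, name)
    return cleaned if persist_case else cleaned.lower()


def role_for_group(group: str, prefix: str = "priv_group_") -> str:
    """Name of the Unity Catalog role PolicySync creates for a portal group,
    using the documented default prefix for portal groups."""
    return prefix + sanitize_name(group)


@dataclass
class SecureViewNaming:
    """The four secure-view naming fields with their documented defaults."""
    view_prefix: str = ""
    view_postfix: str = ""
    schema_prefix: str = ""
    schema_postfix: str = "_secure"


def secure_view_fqn(table_fqn: str, naming: SecureViewNaming | None = None) -> str:
    """Fully qualified name of the secure view built for a catalog.schema.table name."""
    naming = naming or SecureViewNaming()
    catalog, schema, table = table_fqn.split(".")
    secure_schema = f"{naming.schema_prefix}{schema}{naming.schema_postfix}"
    secure_view = f"{naming.view_prefix}{table}{naming.view_postfix}"
    return f"{catalog}.{secure_schema}.{secure_view}"


if __name__ == "__main__":
    # Constructed sample input: three catalogs, an include list naming two of
    # them and an ignore list naming one of those two.
    catalogs = ["sales", "hr", "finance"]
    print(managed_resources(catalogs, include=["sales", "hr"], ignore=["hr"]))  # ['sales']
    print(managed_resources(catalogs, include=[], ignore=["hr"]))              # ['finance', 'sales']
    print(sanitize_name("John.Doe@Example.COM"))                               # john_doe_example_com
    print(role_for_group("analysts-eu"))                                       # priv_group_analysts_eu
    print(secure_view_fqn("sales.customers.orders"))                           # sales.customers_secure.orders
```

Two points the model makes visible: a catalog that appears in both the include and the ignore list is not managed at all, so its existing Unity Catalog grants stay whatever they were; and because the regex replaces `.` and `@`, e-mail-style user names from the portal collapse to underscore-separated names, which is the form to expect when reconciling portal users against what appears in Unity Catalog.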