Resource Policies
The Resource Policies page displays a list of resource service groups and resource services.
A resource service represents:
Connection to one or more data repositories.
A set of policies.
A resource service group is a collection of services sharing similar attributes and configuration parameter requirements. A service group and its first default service are created in Settings > Applications. For more information about applications, see .
The first default service in each service group is assigned a name using the form "privacera_<service_type>".
Each resource service contains a set of resource policies, which, in turn, contain access rules for this data resource or subset.
Service/Service group global actions
Refresh button: updates service groups and resource services.
Security Zone filter: Filter service groups and services to display only those associated with selected Security Zones. For more information about Security Zones, see .
EXPORT button: You can export all service types; the services in each service group are pre-loaded in the dialog. You have the option of removing a service type or a service name from the selection. Click the Save button to export all policies in the selected elements to a JSON-formatted policy set.
IMPORT button: You can import a previously exported policy set. Browse to the file and then click the IMPORT button. If the Override Policy checkbox is selected, the import is allowed to overwrite existing policies in the destination service. Click the IMPORT button to initiate the import.
Click the three vertical dots in the service group to see the following actions:
Add Service: To add a new resource-based service, click the Add icon in the applicable box on the Resource Policies page. Enter the required configuration details, then click Save. Different service types have different attributes, but all service types include a Service Name (required), a Description (optional), and an optional associated Tag Service, and accept a Username, a Common Name for Certificate, and optional Key/Value pairs.
Export: You can export one or more services in the service group. By default, all services in a group are listed in the dialog but can be deselected. All policies in the selected services are exported to a JSON-formatted policy set. Click Save to open a file browser and save dialog.
Import: You can import a previously exported policy set. Browse to the file and then click the IMPORT button. If the Override Policy checkbox is selected, the import is allowed to overwrite existing policies in the destination service. Click the IMPORT button to initiate the import.
Service actions
In front of each service type, you will see the following action buttons:
View button: View the service details in read-only format.
Edit button: Edit the configuration details.
Delete button: Delete a resource-based service.
Policy definition
Click a service name (for example, privacera_hive) to open the Policy definition and management page for this service. The page displays the existing policies for this service along with an Add New Policy button.
Each Policy definition row shows key attributes (Policy ID, Policy Name, Policy Labels, Roles, Groups, Users, and Action).
Under the Action column are three action icons:
Preview button
Edit button
Delete button
To see the details of an individual policy, click either the Policy ID number or the Edit button. The Policy Details page is displayed.
The Policy Details page contains the following fields:
Policy Type: The basis for controlling access. For example, a policy can be based on the resource, on a tag, or on a scheme.
Policy Id: Each policy is assigned an immutable numeric identifier. These ids are monotonically incremented and unique within each PrivaceraCloud account. Policy identifiers are referenced in the audit trail event messages, so that action taken and recorded to the audit trail is associated with a specific policy.
Policy Name: Policies are assigned a name, either by the system or when created by a portal user. Default, system-created policies can be renamed.
Policy Label: Policies can be assigned a new or existing label. Labels assist in filtering and with search reports.
Add Validity Period: A policy can be defined as being effective only for a period of time. Start and end dates and times (defined to the minute), as well as a time zone selection.
Resource Specifier: Underneath the Policy Label field are the Resource specifiers. These are different for each type of resource, and the set of specifiers changes depending on the top-down choices. For example, by default a Hive resource displays fields for database, table, and column. However, each prompt field is a drop-down menu with other options. Click the down-arrow in the database prompt field and there are two other options: url and global. Select url to specify a URL as the Hive resource. Note that table and column are not relevant to specifying a URL, so those choices are removed.
Description: This field requires a description of the policy, which can be used to identify it among other policies.
Audit Logging: Enable/disable Audit Logging. Toggle to No, if this policy doesn't need to be audited. By default, it is selected as Yes.
Condition Sets: These are the rules that are used to determine allowed or denied access to the identified resource(s). Each is defined in terms of a set of data access permissions and data access individual users, user groups, or user roles. The permission selection list is specific to the type of service. For example, for the ADLS service, the permission set is read, write, delete, metadata read, metadata write, and admin. The following access conditions are available:
Allow Conditions
Exclude from Allow Conditions
Deny Conditions
Exclude from Deny Conditions
At least one rule must be defined. Rules for the other condition sets can be omitted.
Any service named "privacera_<service type>" automatically creates one or more default all... policies. (The policy names vary depending on the service. For example, the all policy for hive services is all - database. The default policy name for database repository services is all - database, schema, table, column, etc.).
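The fields above (Audit Logging, validity period, and the four condition sets) can be reviewed in bulk from an exported policy set. The following is an added example, not Privacera code: it assumes the exported JSON uses Apache Ranger's policy key names (policies, isAuditEnabled, validitySchedules, policyItems, allowExceptions, denyPolicyItems, denyExceptions) and timestamp format, which you should confirm against your own export; the sample data is constructed.

```python
import json
from datetime import datetime

# Constructed sample export. Key names follow Apache Ranger policy JSON (assumed).
SAMPLE_EXPORT = json.dumps({"policies": [
    {"id": 11, "name": "all - database", "isAuditEnabled": True,
     "policyItems": [{"users": ["alice"]}]},
    {"id": 12, "name": "temp-contractor", "isAuditEnabled": False,
     "validitySchedules": [{"startTime": "2023/01/01 00:00:00",
                            "endTime": "2023/03/31 23:59:00",
                            "timeZone": "UTC"}],
     "policyItems": [{"users": ["bob"]}], "denyPolicyItems": []},
    {"id": 13, "name": "empty", "isAuditEnabled": True},
]})

# Assumed export keys mapped to the condition set names shown in the portal.
CONDITION_SETS = {
    "policyItems": "Allow Conditions",
    "allowExceptions": "Exclude from Allow Conditions",
    "denyPolicyItems": "Deny Conditions",
    "denyExceptions": "Exclude from Deny Conditions",
}
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # assumed validity period timestamp format


def populated_sets(policy):
    """Portal names of the condition sets that contain at least one rule."""
    return [name for key, name in CONDITION_SETS.items() if policy.get(key)]


def review_policies(export_text, now):
    """Return (policy id, finding) pairs for policies that need a second look.

    `now` is a naive datetime read as wall-clock time in each schedule's zone.
    """
    findings = []
    for policy in json.loads(export_text).get("policies", []):
        pid = policy.get("id")
        if not policy.get("isAuditEnabled", True):  # page: default is Yes
            findings.append((pid, "audit logging disabled"))
        for sched in policy.get("validitySchedules") or []:
            end = sched.get("endTime")
            if end and datetime.strptime(end, TIME_FORMAT) < now:
                zone = sched.get("timeZone", "")
                findings.append((pid, f"validity period ended {end} {zone}".strip()))
        if not populated_sets(policy):
            findings.append((pid, "no condition set has a rule"))
    return findings
```

Because policy identifiers are referenced in audit trail events, the returned ids can be matched directly against audit records.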
Configure Hive resource policy
This section describes how to configure a Hive resource policy, including the Accessed Together and Not Accessed Together policy conditions.
On the Policy Details page, do the following:
Database: Specify the database name.
Table/UDF: Specify the table or UDF name.
Column: Specify the column name.
Note
By default, the 'Include' option is selected to allow access for all the above fields. To deny access, toggle to the 'Exclude' option.
URL: Specify the cloud storage path, for example s3a://user/poc/sales.txt, where end-user permission is needed to read or write Hive data from or to a cloud storage path.
Recursive
Non-recursive
Global: Specify global dataset.
Allow Conditions: In this section, you can specify the policy conditions and permissions for resources.
Policy Conditions: This option allows a user to add custom conditions that are applied while evaluating authorization requests. Click the Add Conditions button. The pop-up shows the Accessed Together? and Not Accessed Together? conditions.
Accessed Together?: This condition allows access to the specified columns (minimum two) only when they are requested together in the same query. The columns are listed in the following format.
For example:
default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC
The above condition allows the user to access the EMP_SSN and CC columns only when both are mentioned together in the query; otherwise, a permission denied error is returned.
Not Accessed Together?: This condition denies access to the specified columns (minimum two) when they are requested together in the same query. The columns are listed in the following format.
For example:
default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC
The above condition denies the user access to the EMP_SSN and CC column data when both are mentioned together in the query, and a permission denied error is returned.
Permission: Permissions are common to all the resources; add them as required.
The permissions are:
Select
Update
Create
Drop
Alter
Index
Lock
All
Read
Write
Data_admin
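The Accessed Together? and Not Accessed Together? conditions described above can be modelled as a check over the set of columns a query references. This is an added example, not Privacera's implementation: the condition kind strings, the function names, and the assumption that the query engine supplies fully qualified column names are all hypothetical, and the sample requests are constructed.

```python
# Added illustration; not Privacera code. Models the two policy conditions
# as this page describes them for an item under Allow Conditions.

def parse_condition_columns(value):
    """Parse 'db.table.col, db.table.col' into a set of normalized names."""
    cols = set()
    for part in value.split(","):
        name = part.strip()
        if not name:
            continue
        pieces = name.split(".")
        if len(pieces) != 3 or not all(pieces):
            raise ValueError(f"expected database.table.column, got {name!r}")
        # Hive identifiers are case-insensitive, so compare in lower case.
        cols.add(name.lower())
    if len(cols) < 2:
        raise ValueError("condition needs at least two distinct columns")
    return cols


def condition_met(kind, value, query_columns):
    """Return True when the condition holds for the columns a query references."""
    listed = parse_condition_columns(value)
    referenced = {c.lower() for c in query_columns}
    all_together = listed <= referenced  # every listed column is in the query
    if kind == "accessed-together":      # hypothetical label for the condition
        return all_together
    if kind == "not-accessed-together":  # hypothetical label for the condition
        return not all_together
    raise ValueError(f"unknown condition kind: {kind!r}")


def decide(kind, value, query_columns):
    """The allow item grants access only while its condition holds."""
    return "ALLOWED" if condition_met(kind, value, query_columns) else "DENIED"


CONDITION = "default.employeepersonalview.EMP_SSN, default.employeepersonalview.CC"
# Constructed sample requests: the columns each query references.
BOTH = ["default.employeepersonalview.emp_ssn", "default.employeepersonalview.cc"]
ONLY_SSN = ["default.employeepersonalview.emp_ssn"]

if __name__ == "__main__":
    for kind in ("accessed-together", "not-accessed-together"):
        for label, cols in (("both", BOTH), ("ssn only", ONLY_SSN)):
            print(f"{kind:22} {label:9} -> {decide(kind, CONDITION, cols)}")
```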