Skip to main content

Privacera Documentation

Create scheme policies

You can create scheme policies to restrict data users or groups in their use of specific encryption or presentation schemes.

On Privacera Platform, you can create scheme policies that provide certain users access to the encryption and masking schemes described in Encryption schemes and Masking schemes.

Add user in default policy

To create a scheme policy, you need to add a privacera_service_discovery user in the default privacera_peg policy using the Privacera Portal.

To add the user, follow these steps:

  1. From the navigation menu, select Access Management > Scheme Policies.

  2. In the PEG section, click privacera_peg.

  3. In the peg policy row, click the Edit icon.

  4. In the Allow Conditions section, search for and select the privacera_service_discovery user from the Select User dropdown menu.

Create scheme policies on Privacera Platform

You can create scheme policies using the Privacera Portal.

To create scheme policies, follow these steps:

  1. From the navigation menu, select Access Management > Scheme Policies.

  2. In the PEG section, click privacera_peg.

  3. Click Add New Policy.

  4. If you want this scheme policy to be in effect for a specific time period, click Add Validity Period and enter the details into the Policy Validity Period dialog.

    The Enabled toggle allows you to create a policy.

  5. In the Policy Name text box, enter a name for the scheme policy.

  6. From the Policy Labels dropdown menu, select the labels that you want to to the scheme policy.

  7. In the Encryption scheme dropdown, you can select either the Encryption scheme or the Masking scheme.

    • If you select Encryption Scheme, enter the name of the encryption scheme to which you want to apply the policy. Repeat this for all required encryption schemes.

      When you select the Encryption scheme, the Presentation Scheme appears automatically.

    • If you select Masking Scheme, enter the name of the masking scheme to which you want to apply the policy. Repeat this for all required masking schemes.

      When you select Masking Scheme, the mask permission appears in the Permissions section.

  8. From the Presentation Schemes dropdown menu, select the name of the presentation scheme that you want to apply the policy to. Repeat this for all required presentation schemes.

  9. In the Description field, enter a description of the scheme policy.

  10. If you do not want audit logs, disable the Audit Logging toggle.

Define allow conditions

In the Allow Conditions section, you can select the names of roles, groups, or users that you want to give access to the schemes.

To define the allow conditions for a scheme policy, follow these steps:

  1. In the Allow Conditions section, search and select the privacera_service_discovery user from the Select User dropdown menu.

  2. Select the names of roles, groups, or users you want to give access to the schemes.

  3. In the Permissions column, click Add Permission and specify the permission you want to give.

  4. In the Delegate Admin column, select the checkbox if you want the service user to be able to make API endpoints on behalf of the application user.

  5. In the Exclude from Allow Conditions section, select the roles, groups, or users that you want to exclude from the allow conditions.

Define deny conditions

In the Deny Conditions section, you can select the roles, groups, or users that you want to deny access to the schemes.

To define the deny conditions for a scheme policy, follow these steps:

  1. In the Deny Condition section, click Add Permission and specify the permission you want to deny.

  2. Click Delegate Admin if you want the service user to be able to make API endpoints on behalf of the application user.

  3. If you want to deny access to specific roles, groups, or users, under Exclude from Deny Conditions, select those roles, groups, or users you want to exclude.

  4. In the Exclude from Deny Conditions section, select the roles, groups, or users that you want to exclude from the deny conditions.

  5. Click Save to save the scheme policy.

Prerequisites:

  • Decide which users, groups, or roles you want to apply the scheme policy to.

  • Decide how you want to give permissions to those users, groups, or role. You can either allow them or deny them the use of encryption or presentation schemes.

To create scheme policies on PrivaceraCloud, follow these steps:

  1. Go Access Management > Scheme Policies.

  2. Find and click the PEG resource name.

  3. If you want this scheme policy to be in effect for only a specific time period, in the upper right, click Add Validity Period and enter the details of that period.

  4. Enter a name for the scheme policy.

  5. If desired, select any policy labels you want for this scheme policy.

  6. If you do not want audit logging, use the Audit Logging toggle to turn it off.

  7. With the Enabled toggle, you can create the policy but not yet enable it.

  8. In the Encryption scheme dropdown, you can select either the Encryption scheme or the Masking scheme.

    • If you select Encryption Scheme, enter the name of the encryption scheme to which you want to apply the policy. Repeat this for all required encryption schemes.

      When you select the Encryption scheme, the Presentation Scheme appears automatically.

    • If you select Masking Scheme, enter the name of the masking scheme to which you want to apply the policy. Repeat this for all required masking schemes.

      When you select Masking Scheme, the mask permission appears in the Permissions section.

  9. For Presentation Schemes field, select the name of the presentation scheme to which you want to apply the policy. Repeat this for all required presentation schemes.

  10. Enter a description of this scheme policy.

  11. Depending on how you have decided to allow or deny access, use the fields in Allow conditions or Deny Conditions and follow the corresponding steps below:

    • Allow Access

      1. Under Allow Conditions, in the role, group, and user fields, select the names of roles, groups, or users you want to give access to the schemes.

      2. On the right, click Add Permission and specify the permission you want to give.

        • getSchemes permission is required for Databricks UDFs.

        • protect/unprotect permissions are required for REST API calls.

      3. On the far right, click Delegate Admin if you want the service user to be able to make API requests on behalf of the application user.

      4. If you want to deny access to specific roles, groups, or users, under Exclude from Allow Conditions, select those roles, groups, or users you want to exclude.

    • Deny Access

      1. Under Deny Conditions, in the role, group, and user fields, select the names of roles, groups, or users you want to deny access to the schemes.

      2. On the right, click Add Permission and specify the permission you want to deny.

      3. On the far right, click Delegate Admin if you want the service user to be able to make API requests on behalf of the application user.

      4. If you want to give access to specific roles, groups, or users, under Exclude from Deny Conditions, select those roles, groups, or users you want to allow.

  12. Save your scheme policy.