Privacera Documentation

PostgreSQL connector properties for PolicySync on Privacera Platform

These PostgreSQL connector properties can be set for PolicySync in Privacera Platform.

The properties are grouped by general function, such as JDBC connection properties, properties for user, group, and role management, and other functions.

The properties are also categorized as BASIC or ADVANCED:

  • BASIC pertains to the most fundamental aspects of the connector, such as authentication.

  • ADVANCED indicates additional features beyond the BASICs, such as row-filtering or group member handling.

Start by setting the BASIC properties and then examine the ADVANCED properties to determine which of these features you might want to enable.

For a general process to migrate values from old YAML files to the new YAML files, see Migration to PolicySync v2 on Privacera Platform 7.2.

Each entry below lists the category, the property name, a description, the default value (where one exists), and the allowable values (where the property accepts a fixed set).

JDBC configuration properties

BASIC

CONNECTOR_POSTGRES_JDBC_URL

Sets the JDBC URL used to connect to the PostgreSQL server. The URL must follow the convention jdbc:postgresql://<POSTGRES_SERVER_HOST>:<POSTGRES_SERVER_PORT>. Example: jdbc:postgresql://testdb.cxwi0ttzd22i.us-east-1.rds.amazonaws.com:5432

BASIC

CONNECTOR_POSTGRES_JDBC_USERNAME

Sets the JDBC username used to connect to PostgreSQL.

BASIC

CONNECTOR_POSTGRES_JDBC_PASSWORD

Sets the password of the JDBC user used to connect to PostgreSQL.

BASIC

CONNECTOR_POSTGRES_JDBC_DB

Sets the database used for the initial JDBC connection to PostgreSQL.

BASIC

CONNECTOR_POSTGRES_DEFAULT_USER_PASSWORD

Sets the password assigned to every new user that PolicySync creates in PostgreSQL.

BASIC

CONNECTOR_POSTGRES_OWNER_ROLE

Sets the role that owns all resources managed by PolicySync. The specified role becomes the owner of every managed resource and has full control over it. Changing the owner is supported for databases, schemas, tables, and views.

Note

If the owner role is left blank, ownership is not changed: the user who creates a table, view, or other object remains its owner, and PolicySync cannot apply access control to that object.

Resources management

BASIC

CONNECTOR_POSTGRES_MANAGE_DATABASE_LIST

Comma-separated list of database names whose access control PolicySync should manage. To manage all databases, omit this property. Wildcards are supported. The ignore database list takes precedence over the manage database list. For example: testdb1,testdb2,sales_db*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_POSTGRES_MANAGE_SCHEMA_LIST

Comma-separated list of fully qualified schema names (database.schema) whose access control PolicySync should manage. To manage all schemas, omit this property. Wildcards are supported. The ignore schema list takes precedence over the manage schema list. For example: testdb1.schema1,testdb2.schema2,sales_db*.sales*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_POSTGRES_MANAGE_TABLE_LIST

Comma-separated list of fully qualified table or view names (database.schema.table) whose access control PolicySync should manage. To manage all tables and views, omit this property. Wildcards are supported. The ignore table list takes precedence over the manage table list. For example: testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_POSTGRES_IGNORE_DATABASE_LIST

Comma-separated list of database names whose access control PolicySync should not manage. If no database is to be ignored, omit this property. Wildcards are supported. This list takes precedence over the manage database list. For example: testdb1,testdb2,sales_db*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_POSTGRES_IGNORE_SCHEMA_LIST

Comma-separated list of fully qualified schema names (database.schema) whose access control PolicySync should not manage. If no schema is to be ignored, omit this property. Wildcards are supported. This list takes precedence over the manage schema list. For example: testdb1.schema1,testdb2.schema2,sales_db*.sales*.

Note

Values for this property are case-sensitive.
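The following added example is not Privacera's code. It illustrates the list semantics described above (comma-separated values, wildcards, case-sensitive matching, and ignore lists taking precedence over manage lists) with Python's fnmatch-style globbing, which is an assumption about the exact wildcard dialect PolicySync accepts; it also assumes each list is evaluated independently of the others. The same convention applies to the user, group, and role manage/ignore lists described later on this page. The configuration values and the server inventory are constructed from the page's own example values.

```python
"""Added example, not Privacera's code: the manage/ignore list semantics
described on this page, implemented with glob-style wildcards.

Assumptions: wildcards behave like shell globs (fnmatch), and each list is
evaluated independently of the others."""
import fnmatch
from typing import Iterable, List, Optional


def parse_list(value: Optional[str]) -> List[str]:
    """Split a comma-separated property value; None or '' means 'not set'."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def matches_any(name: str, patterns: Iterable[str]) -> bool:
    """Case-sensitive wildcard match (the page states list values are
    case-sensitive), hence fnmatchcase rather than fnmatch."""
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)


def is_managed(name: str, manage_list: Optional[str], ignore_list: Optional[str]) -> bool:
    """Decide whether PolicySync should manage `name`:
    - the ignore list always takes precedence over the manage list
    - a manage list that is not set means 'manage everything'
    """
    if matches_any(name, parse_list(ignore_list)):
        return False
    manage = parse_list(manage_list)
    return not manage or matches_any(name, manage)


def select_managed(names: Iterable[str], manage_list: Optional[str],
                   ignore_list: Optional[str]) -> List[str]:
    """Filter database names or fully qualified schema/table names."""
    return [name for name in names if is_managed(name, manage_list, ignore_list)]


# Constructed configuration, built from the example values on this page.
CONFIG = {
    "CONNECTOR_POSTGRES_MANAGE_DATABASE_LIST": "testdb1,testdb2,sales_db*",
    "CONNECTOR_POSTGRES_IGNORE_DATABASE_LIST": "sales_db_archive",
    "CONNECTOR_POSTGRES_MANAGE_SCHEMA_LIST": "testdb1.schema1,sales_db*.sales*",
    "CONNECTOR_POSTGRES_IGNORE_SCHEMA_LIST": "",
}

# Constructed inventory of what exists on the server.
DATABASES = ["testdb1", "testdb2", "sales_db_2023", "sales_db_archive", "TESTDB1", "hr_db"]
SCHEMAS = ["testdb1.schema1", "testdb1.schema2", "sales_db_2023.sales_eu", "sales_db_2023.hr"]


def managed_databases() -> List[str]:
    """Databases PolicySync would manage under CONFIG."""
    return select_managed(DATABASES,
                          CONFIG["CONNECTOR_POSTGRES_MANAGE_DATABASE_LIST"],
                          CONFIG["CONNECTOR_POSTGRES_IGNORE_DATABASE_LIST"])


def managed_schemas() -> List[str]:
    """Schemas (database.schema) PolicySync would manage under CONFIG."""
    return select_managed(SCHEMAS,
                          CONFIG["CONNECTOR_POSTGRES_MANAGE_SCHEMA_LIST"],
                          CONFIG["CONNECTOR_POSTGRES_IGNORE_SCHEMA_LIST"])


if __name__ == "__main__":
    print("managed databases:", managed_databases())
    print("managed schemas:", managed_schemas())
```

Note that sales_db_archive is excluded even though it matches sales_db*, because the ignore list wins, and TESTDB1 is excluded because matching is case-sensitive; an unset manage list manages everything that the ignore list does not exclude.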

Users/Groups/Roles management

ADVANCED

CONNECTOR_POSTGRES_USER_NAME_REPLACE_FROM_REGEX

Takes a regular expression and replaces every character of a user name that matches it with the value of the user name replace-to-string property. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]

ADVANCED

CONNECTOR_POSTGRES_USER_NAME_REPLACE_TO_STRING

The string that replaces the characters matched by the user name replace-from regex. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_POSTGRES_GROUP_NAME_REPLACE_FROM_REGEX

Takes a regular expression and replaces every character of a group name that matches it with the value of the group name replace-to-string property. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]

ADVANCED

CONNECTOR_POSTGRES_GROUP_NAME_REPLACE_TO_STRING

The string that replaces the characters matched by the group name replace-from regex. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_POSTGRES_ROLE_NAME_REPLACE_FROM_REGEX

Takes a regular expression and replaces every character of a role name that matches it with the value of the role name replace-to-string property. If left blank, no find-and-replace is performed.

[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]

ADVANCED

CONNECTOR_POSTGRES_ROLE_NAME_REPLACE_TO_STRING

The string that replaces the characters matched by the role name replace-from regex. If left blank, no find-and-replace is performed.

_

ADVANCED

CONNECTOR_POSTGRES_USER_NAME_PERSIST_CASE_SENSITIVITY

User names loaded from the Ranger APIs are converted to lowercase. If you need user names in the same case as in Ranger, set this property to true to preserve their case.

false

false, true

ADVANCED

CONNECTOR_POSTGRES_GROUP_NAME_PERSIST_CASE_SENSITIVITY

Group names loaded from the Ranger APIs are converted to lowercase. If you need group names in the same case as in Ranger, set this property to true to preserve their case.

false

true, false

ADVANCED

CONNECTOR_POSTGRES_ROLE_NAME_PERSIST_CASE_SENSITIVITY

Role names loaded from the Ranger APIs are converted to lowercase. If you need role names in the same case as in Ranger, set this property to true to preserve their case.

false

false, true

ADVANCED

CONNECTOR_POSTGRES_CREATE_USER

Controls whether PolicySync creates a PostgreSQL user for each user fetched from Ranger.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_CREATE_USER_ROLE

Controls whether PolicySync creates a role on top of the end user in PostgreSQL for each user fetched from Ranger.

true

false, true

ADVANCED

CONNECTOR_POSTGRES_MANAGE_USERS

Controls whether PolicySync manages the membership between a user and its user role.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_MANAGE_GROUPS

Controls whether PolicySync creates a PostgreSQL role for each group fetched from Ranger.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_MANAGE_GROUP_MEMBERS

Controls whether PolicySync updates the members of group roles in PostgreSQL for groups fetched from Ranger.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_MANAGE_ROLES

Controls whether PolicySync creates a PostgreSQL role for each role fetched from Ranger.

true

false, true

ADVANCED

CONNECTOR_POSTGRES_MANAGE_ROLE_MEMBERS

Controls whether PolicySync updates the members of roles in PostgreSQL for roles fetched from Ranger. For example, if CONNECTOR_POSTGRES_MANAGE_ROLES is set to true but CONNECTOR_POSTGRES_MANAGE_ROLE_MEMBERS is set to false, PolicySync creates the roles but does not add or remove members of those roles.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_MANAGE_USER_LIST

Comma-separated list of user names whose access control PolicySync should manage. To manage all users, omit this property. Wildcards are supported. The ignore user list takes precedence over the manage user list. For example: user1,user2,dev_user*

ADVANCED

CONNECTOR_POSTGRES_MANAGE_GROUP_LIST

Comma-separated list of group names whose access control PolicySync should manage. To manage all groups, omit this property. Wildcards are supported. The ignore group list takes precedence over the manage group list. For example: group1,group2,dev_group*

ADVANCED

CONNECTOR_POSTGRES_MANAGE_ROLE_LIST

Comma-separated list of role names whose access control PolicySync should manage. To manage all roles, omit this property. Wildcards are supported. The ignore role list takes precedence over the manage role list. For example: role1,role2,dev_role*

ADVANCED

CONNECTOR_POSTGRES_IGNORE_USER_LIST

Comma-separated list of user names whose access control PolicySync should not manage. If no user is to be ignored, omit this property. Wildcards are supported. This list takes precedence over the manage user list. For example: user1,user2,dev_user*

ADVANCED

CONNECTOR_POSTGRES_IGNORE_GROUP_LIST

Comma-separated list of group names whose access control PolicySync should not manage. If no group is to be ignored, omit this property. Wildcards are supported. This list takes precedence over the manage group list. For example: group1,group2,dev_group*

ADVANCED

CONNECTOR_POSTGRES_IGNORE_ROLE_LIST

Comma-separated list of role names whose access control PolicySync should not manage. If no role is to be ignored, omit this property. Wildcards are supported. This list takes precedence over the manage role list. For example: role1,role2,dev_role*

ADVANCED

CONNECTOR_POSTGRES_USER_ROLE_PREFIX

Prefix for the role that PolicySync creates in PostgreSQL for each Ranger user. For example, for a Ranger user named john and the prefix test_user_, the role created in PostgreSQL is named test_user_john.

priv_user_

ADVANCED

CONNECTOR_POSTGRES_GROUP_ROLE_PREFIX

Prefix for the role that PolicySync creates in PostgreSQL for each Ranger group. For example, for a Ranger group named dev and the prefix test_group_, the role created in PostgreSQL is named test_group_dev.

priv_group_

ADVANCED

CONNECTOR_POSTGRES_ROLE_ROLE_PREFIX

Prefix for the role that PolicySync creates in PostgreSQL for each Ranger role. For example, for a Ranger role named finance and the prefix test_role_, the role created in PostgreSQL is named test_role_finance.

priv_role_
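As an added example, not Privacera's code, the following Python shows how the name-mapping properties in this section combine to produce the PostgreSQL role name for a Ranger user, group, or role: the name is lowercased unless the matching PERSIST_CASE_SENSITIVITY property is true, the replace-from regex is applied with the replace-to string, and the role prefix is prepended. The order of operations (case handling before the regex replacement) and the function names are assumptions; the defaults are the ones listed on this page. The 63-byte identifier check reflects PostgreSQL's own identifier limit, which the page does not mention, and is included because silent truncation can make two distinct Ranger principals map to one PostgreSQL role.

```python
"""Added example, not Privacera's code: how the user/group/role name-mapping
properties on this page combine into the PostgreSQL role name that PolicySync
creates for a Ranger principal.

Assumption: case folding happens before the regex replacement. The 63-byte
identifier check is a PostgreSQL limit (NAMEDATALEN - 1), not something this
page states."""
import re
from typing import Dict

# The page's default regex, written as a Python raw string (the page shows it
# with YAML/Java-style double escaping).
DEFAULT_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\[\]!\-\/\\{}]"

# Defaults as listed on this page for USER, GROUP and ROLE names.
DEFAULTS: Dict[str, str] = {}
for _kind in ("USER", "GROUP", "ROLE"):
    DEFAULTS[f"CONNECTOR_POSTGRES_{_kind}_NAME_REPLACE_FROM_REGEX"] = DEFAULT_REPLACE_FROM_REGEX
    DEFAULTS[f"CONNECTOR_POSTGRES_{_kind}_NAME_REPLACE_TO_STRING"] = "_"
    DEFAULTS[f"CONNECTOR_POSTGRES_{_kind}_NAME_PERSIST_CASE_SENSITIVITY"] = "false"
    DEFAULTS[f"CONNECTOR_POSTGRES_{_kind}_ROLE_PREFIX"] = f"priv_{_kind.lower()}_"

PG_MAX_IDENTIFIER_BYTES = 63  # PostgreSQL silently truncates longer identifiers


def derive_role_name(ranger_name: str, kind: str, config: Dict[str, str]) -> str:
    """Return the PostgreSQL role name for a Ranger principal.
    kind is USER, GROUP or ROLE and selects the matching property family."""
    key = f"CONNECTOR_POSTGRES_{kind}"
    persist = config.get(f"{key}_NAME_PERSIST_CASE_SENSITIVITY", "false").lower() == "true"
    name = ranger_name if persist else ranger_name.lower()
    regex = config.get(f"{key}_NAME_REPLACE_FROM_REGEX", "")
    replacement = config.get(f"{key}_NAME_REPLACE_TO_STRING", "")
    # Per the page: if either property is left blank, no find-and-replace happens.
    if regex and replacement:
        name = re.sub(regex, replacement, name)
    return config.get(f"{key}_ROLE_PREFIX", "") + name


def exceeds_identifier_limit(role_name: str) -> bool:
    """True when PostgreSQL would truncate the derived name, which can make two
    distinct Ranger principals collapse into the same role."""
    return len(role_name.encode("utf-8")) > PG_MAX_IDENTIFIER_BYTES


if __name__ == "__main__":
    for principal, kind in (("John.Doe@example.com", "USER"), ("dev-team", "GROUP"), ("finance", "ROLE")):
        role = derive_role_name(principal, kind, DEFAULTS)
        print(f"{kind:5} {principal!r} -> {role!r} (too long: {exceeds_identifier_limit(role)})")
```

With the defaults, John.Doe@example.com becomes priv_user_john_doe_example_com; with CONNECTOR_POSTGRES_USER_NAME_PERSIST_CASE_SENSITIVITY set to true the result keeps the original capitalisation. Because every non-identifier character collapses to the same replacement string, it is worth checking that no two distinct Ranger names produce the same role name after mapping and truncation.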

ADVANCED

CONNECTOR_POSTGRES_USE_NATIVE_PUBLIC_GROUP

Set this property to true if PolicySync should use the native PostgreSQL public group for access grants whenever a policy refers to the public group.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_MANAGE_USER_FILTERBY_GROUP

Set this property to true to manage only the users who belong to the groups defined in the manage group list property.

false

true, false

ADVANCED

CONNECTOR_POSTGRES_MANAGE_USER_FILTERBY_ROLE

Set this property to true to manage only the users who belong to the roles defined in the manage role list property.

false

true, false

Access control management

ADVANCED

CONNECTOR_POSTGRES_ENABLE_ROW_FILTER

Set this property to true to enable native row filter functionality. This is not recommended, because native row filters can only be created on tables, not on views.

false

true, false

ADVANCED

CONNECTOR_POSTGRES_ENABLE_VIEW_BASED_MASKING

Set this property to true to enable secure-view-based masking in the PostgreSQL PolicySync connector.

Note

PostgreSQL does not yet support native masking, so view-based masking is recommended.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true to enable secure-view-based row filtering in the PostgreSQL PolicySync connector.

Note

PostgreSQL supports native row filters, but because of their limitations view-based row filters are recommended.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true to create a secure view for every table and for every view created by end users, regardless of whether a masking or row filter policy for the resource exists in Ranger.

true

true, false

ADVANCED

CONNECTOR_POSTGRES_MASKED_NUMBER_VALUE

Default masking value for numeric columns.

0

ADVANCED

CONNECTOR_POSTGRES_MASKED_TEXT_VALUE

Default masking value for text/string columns.

<MASKED>'

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_NAME_PREFIX

By default, the secure views created for view-based row filtering and masking have the same name as the table, with _secure appended. To change the secure view name prefix or postfix, set these properties. Once a prefix and postfix are specified, the view name has the format {prefix}{table_name}{postfix}.

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking have the same name as the table, with _secure appended. To change the secure view name prefix or postfix, set these properties. Once a prefix and postfix are specified, the view name has the format {prefix}{table_name}{postfix}.

_secure

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_SCHEMA_NAME_PREFIX

By default, the secure views created for view-based row filtering and masking are placed in a schema with the same name as the table's schema. To change the secure view schema name prefix or postfix, set these properties. Once a prefix and postfix are specified, the view schema name has the format {prefix}{view_schema_name}{postfix}. For {view_schema_name}, refer to the variable CONNECTOR_POSTGRES_SECURE_VIEW_SCHEMA_NAME.

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_DATABASE_NAME_PREFIX

By default, the secure views created for view-based row filtering and masking are placed in a database with the same name as the table's database. To change the secure view database name prefix or postfix, set these properties. Once a prefix and postfix are specified, the view database name has the format {prefix}{view_database_name}{postfix}. For {view_database_name}, refer to the variable CONNECTOR_POSTGRES_SECURE_VIEW_DATABASE_NAME.

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking are placed in a schema with the same name as the table's schema. To change the secure view schema name prefix or postfix, set these properties. Once a prefix and postfix are specified, the view schema name has the format {prefix}{view_schema_name}{postfix}. For {view_schema_name}, refer to the variable CONNECTOR_POSTGRES_SECURE_VIEW_SCHEMA_NAME.

ADVANCED

CONNECTOR_POSTGRES_SECURE_VIEW_DATABASE_NAME_POSTFIX

By default, the secure views created for view-based row filtering and masking are placed in a database with the same name as the table's database. To change the secure view database name prefix or postfix, set these properties. Once a prefix and postfix are specified, the view database name has the format {prefix}{view_database_name}{postfix}. For {view_database_name}, refer to the variable CONNECTOR_POSTGRES_SECURE_VIEW_DATABASE_NAME.

BASIC

CONNECTOR_POSTGRES_GRANT_UPDATES

Controls whether the actual GRANT/REVOKE statements and the create/update/delete statements for users, groups, and roles are run on PostgreSQL.

true

true, false

CONNECTOR_POSTGRES_GRANT_UPDATES_MAX_RETRY_ATTEMPTS

Maximum number of retry attempts when granting or revoking access fails because of database connection errors.

2

ADVANCED

CONNECTOR_POSTGRES_ENABLE_DATA_ADMIN

Enables the data admin feature. With data admin enabled, you create all policies on the table or native view, and by default the corresponding grants are made on the secure view of that table or native view; the secure view also provides row filtering and masking. If you need a permission on the table itself, select that permission plus dataadmin in the policy; the permission is then granted on both the table or native view and its secure view.

true

true, false

Access audits management

BASIC

CONNECTOR_POSTGRES_AUDIT_ENABLE

Enables fetching access audits from PostgreSQL.

false

false, true

ADVANCED

CONNECTOR_POSTGRES_AUDIT_EXCLUDED_USERS

Comma-separated list of users whose access audits should be ignored.

BASIC

CONNECTOR_POSTGRES_AUDIT_SOURCE

Sets the mode used to load access audits, which depends on your PostgreSQL server deployment:

  • AWS RDS PostgreSQL: set this value to sqs.

  • GCP PostgreSQL: set this value to gcp_pgaudit.

  • Azure PostgreSQL: set this value to azure_audit.

sqs

sqs/gcp_pgaudit

ADVANCED

CONNECTOR_POSTGRES_AUDIT_ENABLE_RESOURCE_FILTER

Filters access audits by managed resources (the database and schema lists). NOTE: PolicySync uses a SQL parser to extract the resource name and decide whether the resource is managed; the parser can fail on complex queries, in which case that audit is not logged.

false

true, false
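The note above describes a failure mode of CONNECTOR_POSTGRES_AUDIT_ENABLE_RESOURCE_FILTER: when the SQL parser cannot handle a statement, the audit is dropped. The following added Python example, which is not Privacera's code and not its parser, reproduces that behaviour with a deliberately simple table-reference extractor so that the loss can be measured on sample audits before the filter is enabled. The audit record fields, the toy extractor (which gives up on CTEs and subqueries, standing in for a real parser's limits), the 'database.schema' form of the managed list, and the rule that an unqualified table name lives in the public schema are all assumptions; the sample audits are constructed.

```python
"""Added example, not Privacera's code or parser: reproduces the failure mode
noted for CONNECTOR_POSTGRES_AUDIT_ENABLE_RESOURCE_FILTER so its effect can be
measured on sample audits before the property is enabled.

Assumptions: the audit record fields, the toy table-reference extractor, the
'database.schema' form of the managed list, and the rule that an unqualified
table name means the public schema."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Statement shapes the toy extractor refuses to parse (CTEs and subqueries).
_UNSUPPORTED = re.compile(r"^\s*WITH\b|\(\s*SELECT\b", re.IGNORECASE)
# Table references after FROM / JOIN / INTO / UPDATE in simple statements.
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def extract_resources(statement: str) -> Optional[Set[str]]:
    """Return the schema.table names a statement touches, or None on parse failure."""
    if _UNSUPPORTED.search(statement):
        return None
    refs: Set[str] = set()
    for ref in _TABLE_REF.findall(statement):
        parts = ref.split(".")
        if len(parts) == 1:
            parts = ["public"] + parts  # assumption: unqualified means public schema
        refs.add(".".join(parts[-2:]))
    return refs or None


AuditList = List[Dict[str, str]]


def filter_audits(audits: AuditList, managed_schemas: Set[str],
                  drop_on_parse_failure: bool = True) -> Tuple[AuditList, AuditList, AuditList]:
    """Split audits into (kept, unmanaged, parse_failures).

    managed_schemas holds 'database.schema' entries, mirroring the manage
    database/schema lists. With drop_on_parse_failure=True an unparseable
    statement is lost, which is the behaviour the page warns about; with False
    it is kept unfiltered so that no audit silently disappears."""
    kept: AuditList = []
    unmanaged: AuditList = []
    parse_failures: AuditList = []
    for audit in audits:
        resources = extract_resources(audit["statement"])
        if resources is None:
            parse_failures.append(audit)
            if not drop_on_parse_failure:
                kept.append(audit)
            continue
        touched = {f"{audit['database']}.{res.rsplit('.', 1)[0]}" for res in resources}
        (kept if touched & managed_schemas else unmanaged).append(audit)
    return kept, unmanaged, parse_failures


# Constructed sample audits with only the fields this example needs.
SAMPLE_AUDITS: AuditList = [
    {"user": "alice", "database": "sales_db",
     "statement": "SELECT id, amount FROM finance.invoices WHERE amount > 100"},
    {"user": "bob", "database": "hr_db",
     "statement": "SELECT * FROM employees"},
    {"user": "carol", "database": "sales_db",
     "statement": "WITH recent AS (SELECT * FROM finance.invoices) SELECT count(*) FROM recent"},
    {"user": "dave", "database": "sales_db",
     "statement": "UPDATE public.customers SET tier = 'gold' WHERE id = 7"},
    {"user": "erin", "database": "sales_db",
     "statement": "SELECT * FROM finance.invoices WHERE id IN (SELECT invoice_id FROM public.refunds)"},
]
MANAGED_SCHEMAS = {"sales_db.finance", "sales_db.public"}


def loss_report(drop_on_parse_failure: bool = True) -> Dict[str, int]:
    """Counts an operator would review before enabling the resource filter."""
    kept, unmanaged, failed = filter_audits(SAMPLE_AUDITS, MANAGED_SCHEMAS, drop_on_parse_failure)
    return {"kept": len(kept), "unmanaged": len(unmanaged), "parse_failures": len(failed)}


if __name__ == "__main__":
    print("drop on parse failure:", loss_report())
    print("keep on parse failure:", loss_report(drop_on_parse_failure=False))
```

Two of the five constructed audits touch managed schemas but are lost with the page's drop-on-failure behaviour, both of them accesses to finance.invoices, which is exactly the kind of record an audit filter is meant to retain. Running a report like this over a day of real audit statements, with the filter disabled, shows how much coverage the filter would cost.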

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AWS_ACCESS_KEY

AWS access key used to create the IAM client that reads the SQS queue for access audits. Use this only if the deployment machine has no IAM role with the required permissions attached.

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AWS_SECRET_KEY

AWS secret access key used to create the IAM client that reads the SQS queue for access audits. Use this only if the deployment machine has no IAM role with the required permissions attached.

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AWS_REGION

AWS region in which the SQS queue resides.

us-east-1

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AWS_SQS_QUEUE_NAME

Name of the AWS SQS queue from which access audits are read.

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_GCP_AUDIT_SOURCE_INSTANCE_ID

Instance ID of the GCP Cloud SQL PostgreSQL server from which access audits are read. The value must have the format project_id:db_instance_id. For example: demo-project:postgres-demo-server

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AZURE_CLIENT_ID

Used to build the client credential for running the Kusto query.

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AZURE_TENANT_ID

Used to build the client credential for running the Kusto query.

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AZURE_CLIENT_SECRET_VALUE

Used to build the client credential for running the Kusto query.

BASIC-CONDITIONAL

CONNECTOR_POSTGRES_AZURE_WORKSPACE_ID

Specifies the workspace in which the Kusto query is executed.