Skip to main content

Privacera Documentation

Table of Contents

Redshift and Redshift Spectrum connector properties for PolicySync on Privacera Platform

These Redshift and Redshift Spectrum connector properties can be set for PolicySync in Privacera Platform.

The properties are grouped by general function, such as JDBC connection properties, properties for user, group, and role management, and other functions.

The properties are also categorized as BASIC or ADVANCED:

  • BASIC pertains to the most fundamental aspects of the connector, such as authentication.

  • ADVANCED indicates additional features beyond the BASICs, such as row-filtering or group member handling.

Start by setting the BASIC properties and then examine the ADVANCED properties to determine which of these features you might want to enable.

For a general process to migrate values from old YAML files to the new YAML files, see Migration to PolicySync v2 on Privacera Platform 7.2.

Category

Property name

Description

Default Value

Allowable values

JDBC configuration properties

BASIC

CONNECTOR_REDSHIFT_JDBC_URL

This property is used to set jdbc jdbc url which can be used to connect to Redshift server. JDBC URL should follow below convention: jdbc:redshift://<REDSHIFT_SERVER_HOST>:<REDSHIFT_SERVER_PORT>. For example: jdbc:redshift://dev-redshift.xxxxxxxxxxxx.us-east-1.redshift.amazonaws.com:5439.

BASIC

CONNECTOR_REDSHIFT_JDBC_USERNAME

This property is used to set jdbc Username to be used to make connection to Redshift.

BASIC

CONNECTOR_REDSHIFT_JDBC_PASSWORD

This property is used to set jdbc username password to be used to make connection to Redshift.

BASIC

CONNECTOR_REDSHIFT_JDBC_DB

This property is used to set jdbc database to be used to make initial connection to Redshift.

BASIC

CONNECTOR_REDSHIFT_DEFAULT_USER_PASSWORD

This property is used to set password which will be used for every new user creation by PolicySync.

BASIC

CONNECTOR_REDSHIFT_OWNER_ROLE

This property is used to set ownership for all the resources managed by PolicySync. The specified role will become owner for all managed resources and will have full control on those resources. We support changing owners of database, schema, tables and views. Note :- If owner role is kept as blank, then ownership will not change and users who creates table/view or any other object he will be owner of those objects and PolicySync won't be able to do access control on that object

Resources management

BASIC

CONNECTOR_REDSHIFT_MANAGE_DATABASE_LIST

This property is used to set comma separated database names which access control should be managed by PolicySync. If you want to manage all databases then you can skip specifying this property. This supports wildcards as well. The ignore database list has precedence over manage database list. For example: testdb1,testdb2,sales_db*. In V1, if you want to manage all databases you have to set this property to blank, this is property behaviour change from V1 to V2.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_SCHEMA_LIST

This property is used to set comma separated schema Fqdn which access control should be managed by PolicySync. If you want to manage all schemas then you can skip specifying this property. This supports wildcards as well. The ignore schema list has precedence over manage schema list. For example: testdb1.schema1,testdb2.schema2,sales_db*.sales*. In V1, if you want to manage all schemas you have to set this property to blank, this is property behaviour change from V1 to V2.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_TABLE_LIST

This property is used to set comma separated table/view Fqdn which access control should be managed by PolicySync. If you want to manage all tables/views then you can skip specifying this property. This supports wildcards as well. The ignore table list has precedence over manage table list. For example: testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.*. In V1, if you want to manage all tables/views you have to set this property to blank, this is property behaviour change from V1 to V2.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_REDSHIFT_IGNORE_DATABASE_LIST

This property is used to set comma separated database names which access control you don't want to be managed by PolicySync. If you don't want to ignore any database then you can skip specifying this property. This supports wildcards as well. This has precedence over manage database list. For example: testdb1,testdb2,sales_db*.

Note

Values for this property are case-sensitive.

ADVANCED

CONNECTOR_REDSHIFT_IGNORE_SCHEMA_LIST

This property is used to set comma separated schema fqdn which access control you don't want to be managed by PolicySync. If you don't want to ignore any schema then you can skip specifying this property. This supports wildcards as well. This has precedence over manage schema list. For example: testdb1.schema1,testdb2.schema2,sales_db*.sales*.

Note

Values for this property are case-sensitive.

Users/Groups/Roles management

ADVANCED

CONNECTOR_REDSHIFT_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*_%\\[\\]!\\-\\/\\\\{}]

ADVANCED

CONNECTOR_REDSHIFT_USER_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified user name regex property. If kept blank, no find and replace operation is performed.

_

ADVANCED

CONNECTOR_REDSHIFT_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a group name and replaces them with the characters specified in property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*_%\\[\\]!\\-\\/\\\\{}]

ADVANCED

CONNECTOR_REDSHIFT_GROUP_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified group name regex property. If kept blank, no find and replace operation is performed.

_

ADVANCED

CONNECTOR_REDSHIFT_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a role name and replaces them with the characters specified in property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.^*_%\\[\\]!\\-\\/\\\\{}]

ADVANCED

CONNECTOR_REDSHIFT_ROLE_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified role name regex property. If kept blank, no find and replace operation is performed.

_

ADVANCED

CONNECTOR_REDSHIFT_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading user from Ranger API's all are converted into lowercase, but in some cases, you would need to have the users in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false

ADVANCED

CONNECTOR_REDSHIFT_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading group from Ranger API's all are converted into lowercase, but in some cases, you would need to have the groups in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false

ADVANCED

CONNECTOR_REDSHIFT_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading role from Ranger API's all are converted into lowercase, but in some cases, you would need to have the roles in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false

ADVANCED

CONNECTOR_REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER

By default the Redshift converts all the resources to lower case, to persist the case we have a property to set on each and every connection. If you follow the same please set this value as true.

false

ADVANCED

CONNECTOR_REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER_QUERY

If CONNECTOR_REDSHIFT_ENABLE_CASE_SENSITIVE_IDENTIFIER is set to true the query will be fired at first in each and every connection.

SET enable_case_sensitive_identifier=true;

ADVANCED

CONNECTOR_REDSHIFT_CREATE_USER

This property controls whether we should create user in Redshift for users fetched from ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_CREATE_USER_ROLE

This property controls whether we should create role over the end user in Redshift for users fetched from ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_USERS

This property controls whether PolicySync should manage the membership between user and user role.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_GROUPS

This property controls whether we should create role in Redshift for groups fetched from ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_GROUP_MEMBERS

This property controls whether we should update the members of groups in Redshift for groups fetched from ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_ROLES

This property controls whether we should create role in Redshift for roles fetched from ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_ROLE_MEMBERS

This property controls whether we should update the members of roles in Redshift for roles fetched from ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_USER_LIST

This property is used to set comma separated user names which access control should be managed by PolicySync. If you want to manage all users then you can skip specifying this property. This supports wildcards as well. The ignore users list has precedence over manage users list. For example: user1,user2,dev_user*. In V1, if you want to manage all users you have to set this property to blank, this is property behaviour change from V1 to V2."

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_GROUP_LIST

This property is used to set comma separated group names which access control should be managed by PolicySync. If you want to manage all group then you can skip specifying this property. This supports wildcards as well. The ignore group list has precedence over manage group list. For example: group1,group2,dev_group* In V1, if you want to manage all group you have to set this property to blank, this is property behaviour change from V1 to V2.

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_ROLE_LIST

This property is used to set comma separated role names which access control should be managed by PolicySync. If you want to manage all role then you can skip specifying this property. This supports wildcards as well. The ignore role list has precedence over manage role list. For example: role1,role2,dev_role* In V1, if you want to manage all roles you have to set this property to blank, this is property behaviour change from V1 to V2.

ADVANCED

CONNECTOR_REDSHIFT_IGNORE_USER_LIST

This property is used to set comma separated user names which access control you don't want to be managed by PolicySync. If you don't want to ignore any users then you can skip specifying this property. This supports wildcards as well. This has precedence over manage users list. For example: user1,user2,dev_user*

ADVANCED

CONNECTOR_REDSHIFT_IGNORE_GROUP_LIST

This property is used to set comma separated group names which access control you don't want to be managed by PolicySync. If you don't want to ignore any groups then you can skip specifying this property. This supports wildcards as well. This has precedence over manage groups list. For example: group1,group2,dev_group*.

ADVANCED

CONNECTOR_REDSHIFT_IGNORE_ROLE_LIST

This property is used to set comma separated role names which access control you don't want to be managed by PolicySync. If you don't want to ignore any roles then you can skip specifying this property. This supports wildcards as well. This has precedence over manage roles list. For example: role1,role2,dev_role*.

ADVANCED

CONNECTOR_REDSHIFT_USER_ROLE_PREFIX

This property is used to set a prefix for role which we will be creating in Redshift for user from ranger. For example if you have user named john in ranger and you have defined prefix as test_user_ then the role which we create for john in Redshift will have name test_user_john.

priv_user_

ADVANCED

CONNECTOR_REDSHIFT_GROUP_ROLE_PREFIX

This property is used to set a prefix for role which we will be creating in Redshift for group from ranger. For example if you have group named dev in ranger and you have defined prefix as test_group_ then the role which we create for dev in Redshift will have name test_group_dev.

priv_group_

ADVANCED

CONNECTOR_REDSHIFT_ROLE_ROLE_PREFIX

This property is used to set a prefix for role which we will be creating in Redshift for role from ranger. For example if you have role named finance in ranger and you have defined prefix as test_role_ then the role which we create for finance in Redshift will have name test_role_finance.

priv_role_

ADVANCED

CONNECTOR_REDSHIFT_USE_NATIVE_PUBLIC_GROUP

Set this property to true, if you want PolicySync to use Redshift native public group for access grants whenever there is policy created referring to public group inside it.

true

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_USER_FILTERBY_GROUP

Set this property to true, if you want to manage only the users who belongs the the groups defined in manage groups list property.

false

ADVANCED

CONNECTOR_REDSHIFT_MANAGE_USER_FILTERBY_ROLE

Set this property to true, if you want to manage only the users who belongs the the roles defined in manage roles list property.

false

Access control management

ADVANCED

CONNECTOR_REDSHIFT_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view based masking in postgres PolicySync.

Note

Redshift don't support native masking yet, thus recommended to use view based masking.

true

ADVANCED

CONNECTOR_REDSHIFT_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view based tr filter in Redshift PolicySync.

Note

Redshift support native tr filters, but due to its some limitations we recommended to use view based tr filter.

true

ADVANCED

CONNECTOR_REDSHIFT_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create secure view for all tables as well all view which were created by end users. This will create secure view for resource regardless whether there any masking/tr filter policy exists in ranger.

true

ADVANCED

CONNECTOR_REDSHIFT_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns

0

ADVANCED

CONNECTOR_REDSHIFT_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns

<MASKED>'

ADVANCED

CONNECTOR_REDSHIFT_SECURE_VIEW_NAME_PREFIX

By default view-based tr filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}.

ADVANCED

CONNECTOR_REDSHIFT_SECURE_VIEW_NAME_POSTFIX

By default view-based tr filter and masking related secure views have the same name as the table name with postfixed by _secure. If you want to change the secure view name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view name will be in this format : {prefix}{table_name}{postfix}.

_secure

ADVANCED

CONNECTOR_REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX

By default view-based tr filter and masking related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}.

ADVANCED

CONNECTOR_REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX

By default view-based tr filter and masking related secure views have the same schema name as the table schema name. If you want to change the secure view schema name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view schema name will be in this format : {prefix}{view_schema_name}{postfix}.

BASIC

CONNECTOR_REDSHIFT_GRANT_UPDATES

This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Redshift.

false

ADVANCED

CONNECTOR_REDSHIFT_ENABLE_DATA_ADMIN

This property is used to enable data admin feature, with data admin feature enabled you can create all the policies on table/native view and by default respective grants will be maid on secure view of table table or native view. And this secure view will have tr filter and masking capability as well. In case if you need permission on table then you can select the permission you want plus dataadmin in the policy, In this case that permissions will be granted on both, the table/native view and its secure view as well.

true

Access audits management

BASIC

CONNECTOR_REDSHIFT_AUDIT_ENABLE

This property is used to enable access audit fetching from Redshift.

false

ADVANCED

CONNECTOR_REDSHIFT_AUDIT_EXCLUDED_USERS

This property is used to set the list of users whose access audits we want to ignore. It takes list of comma separated users.

ADVANCED

CONNECTOR_REDSHIFT_AUDIT_INITIAL_PULL_MINUTES

When the audits are enabled for the first time, the value will decide the number of minutes we need to pull the access audits from the database, default value is 30 mins.

30