
Privacera Documentation

Redshift and Redshift Spectrum connector for PolicySync

This topic details how to configure PolicySync for Redshift and Redshift Spectrum.

Generalized approach for implementing PolicySync

Use this generalized approach for implementing PolicySync.

  1. Understand how PolicySync works and how it is configured. See PolicySync design and configuration on Privacera Platform.

  2. Decide which PolicySync topology best suits your needs:

  3. Create the required basic PolicySync configuration. See PolicySync design and configuration on Privacera Platform.

  4. Examine the BASIC and ADVANCED properties, decide which features you want to implement, and set the necessary values in the YAML property file.

Connector name: redshift

When you create the connector as detailed in PolicySync design and configuration on Privacera Platform, use the following reserved word for the name of the connector:

redshift

In the formal syntax shown in PolicySync design and configuration on Privacera Platform, replace <ConnectorName> with the above; in the example in that same topic, replace postgres with the above.

Redshift Spectrum configuration and security considerations

Redshift Spectrum configuration is similar to Redshift configuration.

Privacera supports access control for Redshift Spectrum only on the following:

  • Create Database

  • Usage Schema

Prerequisites

The following prerequisites must be met to use Redshift Spectrum:

  1. You need an Amazon Redshift cluster and a SQL client connected to the cluster.

  2. The AWS Region in which the Amazon Redshift cluster and Amazon S3 bucket are located must be the same.

Set-up in AWS for Redshift Spectrum

Redshift Spectrum supports the creation of external tables in a Redshift cluster. To configure external tables in Redshift Spectrum, see the following AWS documentation:

Important security considerations for external tables and schemas

Caution

Be advised that row-level filter and column masking via secure views on EXTERNAL SCHEMA gives a user direct access to the EXTERNAL TABLE. If a user queries the original external table, row-level filter and column masking are not applied.

Redshift does not natively support access control lists (ACLs) on EXTERNAL TABLES. To restrict access to the data, you must set the USAGE schema permission on the associated EXTERNAL SCHEMA.

On an EXTERNAL TABLE, Privacera supports row-level filter and column masking to a limited extent. Privacera cannot manage external tables. By default, Privacera manages permissions for external schemas only at the schema level.

  • Because views cannot be created inside Redshift external schemas, instead of creating a table, Privacera creates a secure view named after the schema with a default postfix of _secure. For example, if the original view is named CUSTOMER, Privacera creates a secure view named CUSTOMER_secure.

  • To GRANT access to the secure view, Privacera must grant the USAGE permission on the source schema, because the secure view's schema is separate from the EXTERNAL SCHEMA. As a result, the user is effectively granted access to the original source table as well.

  • Only the SELECT permission on the EXTERNAL TABLE is supported. The DataAdmin permission is ineffective, because the USAGE permission on the EXTERNAL SCHEMA already allows direct access to the EXTERNAL TABLE.
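The permission model these points describe, as an added SQL example that is not Privacera's own code: a hypothetical external schema spectrum_ext, its secure view placed in spectrum_ext_secure (the default _secure schema postfix), and a hypothetical user analyst. The IAM role ARN and S3 path are placeholders, and the view is late-binding (WITH NO SCHEMA BINDING) because it references an external table.

```sql
-- Added example; all object names, the IAM role ARN and the S3 path are hypothetical.

-- 1. External schema backed by the AWS Glue Data Catalog; the table's data lives in S3.
CREATE EXTERNAL SCHEMA spectrum_ext
FROM DATA CATALOG
DATABASE 'spectrumdb'
IAM_ROLE 'arn:aws:iam::123456789012:role/placeholder_spectrum_role'
CREATE EXTERNAL DATABASE IF NOT EXISTS;

CREATE EXTERNAL TABLE spectrum_ext.customer (
    id      INT,
    name    VARCHAR(100),
    ssn     VARCHAR(11),
    country VARCHAR(2)
)
STORED AS PARQUET
LOCATION 's3://placeholder-bucket/customer/';

-- 2. The secure view cannot live in the external schema, so it goes into a regular
--    schema named <external schema>_secure, keeping the original view name.
CREATE SCHEMA spectrum_ext_secure;

CREATE VIEW spectrum_ext_secure.customer AS
SELECT id,
       name,
       'XXX-XX-' || RIGHT(ssn, 4) AS ssn,   -- column masking: keep only the last 4 digits
       country
FROM spectrum_ext.customer
WHERE country = 'US'                        -- row-level filter
WITH NO SCHEMA BINDING;

-- 3. Grants needed to read through the secure view. Reading the view requires
--    USAGE on the source external schema, which is exactly the caveat above.
GRANT USAGE ON SCHEMA spectrum_ext_secure TO analyst;
GRANT SELECT ON spectrum_ext_secure.customer TO analyst;
GRANT USAGE ON SCHEMA spectrum_ext TO analyst;

-- 4. Run as analyst. The first query is masked and filtered; the second is not,
--    because the external table carries no ACL and USAGE on spectrum_ext is the
--    only gate in front of it.
SELECT * FROM spectrum_ext_secure.customer;
SELECT * FROM spectrum_ext.customer;
```

Audit the USAGE grants on external schemas themselves rather than relying on the presence of a secure view, since the view never stops the second query.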

Enable EXTERNAL SCHEMA in Privacera

Note

Because of the security concerns for EXTERNAL SCHEMA, Privacera does not recommend enabling row-level filter and column masking. Be sure you understand the section Important security considerations for external tables and schemas.

Property: CONNECTOR_REDSHIFT_ENABLE_EXTERNAL_SCHEMA_SUPPORT

Description: Set this property to true to enable row-level filter and column masking policies on secure views, after reading the limitations above.

Default Value: false

Example: true/false

The values of the following properties must be left blank:

CONNECTOR_REDSHIFT_SECURE_VIEW_NAME_PREFIX: ""
CONNECTOR_REDSHIFT_SECURE_VIEW_NAME_POSTFIX: ""

The values of the following properties must be set:

CONNECTOR_REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX: ""
CONNECTOR_REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX: "_secure"