Privacera Documentation

Scheme policies

Through the use of scheme policies, data access administrators can restrict data users or groups in their use of specific encryption or presentation schemes.

Access Management > Scheme Policies is part of the Privacera Encryption service and is enabled when the Privacera Encryption Gateway (PEG) service is added and configured. Its layout, organization, and functions are analogous to Resource policies.

A scheme service is a set of scheme-oriented access and usage policies. The privacera_peg scheme service contained in the PEG service group is automatically created when the PEG service is enabled.

The privacera_peg service contains a set of scheme policies, which are the means to scope use of encryption and presentation schemes to individual or groups of data users.

Click privacera_peg to access and manage a list of existing scheme policies and to add and define new policies.

As with Resource Policies, each scheme policy has a Name, Description, associated Labels, and access (usage) control rules grouped into Allow and Deny conditions and exceptions to Allow and Deny. The difference is that the target of control for scheme policies is Encryption Schemes and Presentation Schemes rather than data resources.

Plan for scheme policies

Before creating scheme policies, consider the following:

  • Ensure that you have created the users, groups, or roles whose access to the PEG API endpoints you want to control.

  • Decide on a useful name for the scheme policy and a useful description of it.

  • Decide if you want the scheme policy to be in effect for only a certain validity time period.

  • Decide how you want to provide access:

    • Give access to all roles or groups but deny access to specific other roles, groups, or users.

    • Deny access to all roles or groups but give access to specific other roles, groups, or users.

  • Decide if you want to use admin delegation for specific users so that a service user can call PEG REST API endpoints on their behalf.
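The two access patterns above (allow everyone except listed principals, or deny everyone except listed principals) together with a validity period can be modelled in a few lines. The following is an added illustration, not Privacera's own code or API; the policy fields, the "public" selector, the scheme names and the rule that deny is checked before allow are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Hypothetical model (not Privacera's code) of a scheme policy as this page describes it:
# allow/deny rules with exceptions, an optional validity window, default deny. Checking
# deny before allow is an assumption made for illustration, not documented behaviour.
@dataclass
class Principal:
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    def matches(self, selector: set) -> bool:
        # "public" stands for everyone; otherwise match on user, group or role name
        return "public" in selector or bool(selector & ({self.user} | self.groups | self.roles))

@dataclass
class SchemePolicy:
    name: str
    schemes: set                  # encryption/presentation scheme names this policy scopes
    allow: set = field(default_factory=set)
    allow_exceptions: set = field(default_factory=set)
    deny: set = field(default_factory=set)
    deny_exceptions: set = field(default_factory=set)
    valid_from: "datetime | None" = None
    valid_to: "datetime | None" = None
    def decide(self, p: Principal, scheme: str, at: datetime) -> "bool | None":
        # True = allow, False = deny, None = this policy does not apply
        if scheme not in self.schemes or (self.valid_from and at < self.valid_from) \
                or (self.valid_to and at > self.valid_to):
            return None
        if p.matches(self.deny) and not p.matches(self.deny_exceptions):
            return False
        if p.matches(self.allow) and not p.matches(self.allow_exceptions):
            return True
        return None

def is_scheme_use_allowed(policies, p: Principal, scheme: str, at: datetime) -> bool:
    decisions = [d for d in (pol.decide(p, scheme, at) for pol in policies) if d is not None]
    return False not in decisions and True in decisions   # any deny wins; no match = deny

# Constructed sample policies showing the two patterns from the planning list above.
POLICIES = [
    SchemePolicy("allow-all-except-contractors", {"ssn_fpe"},
                 allow={"public"}, allow_exceptions={"contractors"}),
    SchemePolicy("deny-all-except-dpo", {"card_mask"}, allow={"public"},
                 deny={"public"}, deny_exceptions={"dpo"},
                 valid_from=datetime(2024, 1, 1), valid_to=datetime(2024, 12, 31)),
]
ANALYST, CONTRACTOR = Principal("alice", groups={"analysts"}), Principal("bob", groups={"contractors"})
DPO, IN_WINDOW, AFTER_WINDOW = Principal("carol", roles={"dpo"}), datetime(2024, 6, 1), datetime(2025, 6, 1)
```

A principal that matches no policy, or one whose only matching policy has expired, is denied; that default-deny behaviour is what makes the validity period a useful control.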