Ranger policy - logical AND between domain groups

arturbrandys2 — Tue, 10 Oct 2023 13:55:31 GMT

Hello.

Is there a way in ranger policies to add permissions for users that are only in both of domain group1 and domain group2 (logical AND between groups). Because there is always a logical OR between users and groups in ranger policies??

Re: Ranger policy - logical AND between domain groups

MattWho — Tue, 10 Oct 2023 19:15:45 GMT

@arturbrandys2

Policies are defined by the end services utilizing Ranger. Ranger also does not make authorization decisions. Each service runs a client that downloads the latest policy definitions json from Ranger for its specific service. The end service then uses those policy definitions to handle authorizations for the service.

Ranger does not offer a method to define an "and" relationship between multiple groups. Even if this was possible, the end services would need to also be modified to handle that association when making access decisions based on the downloaded json.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

question Ranger policy - logical AND between domain groups in Support Questions

Ranger policy - logical AND between domain groups

Re: Ranger policy - logical AND between domain groups