What is the best way to give access to a group of tables and at the same time exclude some users from the masking policy for the PII tag for these tables?
Let's say I have policies:
1. "Access to tables xyz" (resource based)
2. "Mask PII data" (tag based)
3. Give access to PII data in xyz
To reach the above I have to have a separate "Mask PII data xyz" policy where I can exclude this group of users, but I cannot do that as I cannot combine the resources with the tag. Or is there a way?
I could reach this by having a tag for the xyz and then combine the two in the tag based policy, but that is not always wanted.
To define the right set of policies its important to understand how ranger policy engine evaluates the policies.
Once the list of tags for the requested resource are found, Apache Ranger policy engine will evaluate the tag-based-policies applicable for the tags.
1. If a policy for one of these tag results in deny, the access will be denied.
2. If none of the tags are denied and if a policy allows for one of the tags, the access will be allowed.
3. If there is no result for any tag or if there are no tags for the resource, the policy engine will evaluate the resource-based policies to make the authorization decision.
To exclude specific users/groups from column-masking, create a policy-item for specific users/groups with ‘Unmasked’ as the masking option and ensure that the policy-item is the first one to appear in the list for the users/groups.
I hope this helps.
Yes that's true but that excludes it for the full policy, so all columns are unmasked for that user/group. There is no way from what I understand to unmask it only for a specific set of tables. Unless these tables are consistently tagged.