
Combining tag based and resource based policies

New Contributor

What is the best way to give access to a group of tables and at the same time exclude some users from the masking policy for the PII tag for these tables?

Let's say I have policies:

1. "Access to tables xyz" (resource based)

2. "Mask PII data" (tag based)

3. Give access to PII data in xyz

To reach the above I have to have a separate "Mask PII data xyz" policy where I can exclude this group of users, but I cannot do that as I cannot combine the resources with the tag. Or is there a way?

I could reach this by having a tag for the xyz and then combine the two in the tag based policy, but that is not always wanted.

Thanks.

Regards,

David

Re: Combining tag based and resource based policies

To define the right set of policies, it's important to understand how the Ranger policy engine evaluates the policies.

Once the list of tags for the requested resource is found, the Apache Ranger policy engine will evaluate the tag-based policies applicable for the tags.

1. If a policy for one of these tags results in deny, the access will be denied.

2. If none of the tags are denied and if a policy allows for one of the tags, the access will be allowed.

3. If there is no result for any tag or if there are no tags for the resource, the policy engine will evaluate the resource-based policies to make the authorization decision.

For masking: to exclude specific users/groups from column-masking, create a policy-item for specific users/groups with ‘Unmasked’ as the masking option and ensure that the policy-item is the first one to appear in the list for the users/groups.

I hope this helps.
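The evaluation order in the reply above, as an added example that is not part of the thread: a small Python model of the three steps (tag-based deny, then tag-based allow, then resource-based policies) and of first-matching-item column masking. The policy dict shapes, user names and policy names are constructed assumptions, not Ranger's policy JSON or REST API.

```python
# Added example (not code from the thread): toy model of the evaluation order the
# reply describes (tag deny > tag allow > resource-based) and of first-matching
# policy-item masking. Dict shapes are assumptions, not Ranger's real JSON/API.

def authorize(user, table, tags, access_policies):
    """Return (decision, policy_name) in the order the reply describes."""
    tag_policies = [p for p in access_policies if p.get("tag") in tags]
    # 1. A deny from any applicable tag-based policy wins outright.
    for p in tag_policies:
        if any(user in i["users"] and i["access"] == "deny" for i in p["items"]):
            return "deny", p["name"]
    # 2. Otherwise an allow from any applicable tag-based policy wins.
    for p in tag_policies:
        if any(user in i["users"] and i["access"] == "allow" for i in p["items"]):
            return "allow", p["name"]
    # 3. No tag result (or no tags at all): fall back to resource-based policies.
    for p in access_policies:
        if p.get("table") == table:
            for i in p["items"]:
                if user in i["users"]:
                    return i["access"], p["name"]
    return "deny", "no matching policy"

def masking(user, tags, mask_policies):
    """Masking option comes from the FIRST policy-item that matches the user."""
    for p in mask_policies:
        if p["tag"] in tags:
            for i in p["items"]:  # list order is the precedence
                if user in i["users"]:
                    return i["mask"]
    return "Unmasked"  # no masking item applies: column is not masked

# Constructed sample policies modelling the question's scenario.
ACCESS = [
    {"name": "Access to tables xyz", "table": "xyz",
     "items": [{"users": {"alice", "bob", "carol"}, "access": "allow"}]},
    {"name": "Deny PII to contractors", "tag": "PII",
     "items": [{"users": {"carol"}, "access": "deny"}]},
]
MASK = [{"name": "Mask PII data", "tag": "PII",
         # the 'Unmasked' item for bob comes first, so it wins for bob
         "items": [{"users": {"bob"}, "mask": "Unmasked"},
                   {"users": {"alice", "bob"}, "mask": "MASK"}]}]
def decide(user, table, tags):
    return authorize(user, table, tags, ACCESS)[0], masking(user, tags, MASK)

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, decide(u, "xyz", {"PII"}))
```

Because the masking policy is scoped by tag rather than by table, `masking("bob", {"PII"}, MASK)` returns `Unmasked` for every PII-tagged table, not just xyz.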

Re: Combining tag based and resource based policies

New Contributor

Yes, that's true, but that excludes it for the full policy, so all columns are unmasked for that user/group. There is no way, from what I understand, to unmask it only for a specific set of tables, unless these tables are consistently tagged.