I have two sets of tags: one for location (US or international), one for privacy (PII or not).
How can I enforce both sets for tag-based policies in Ranger? Say I create a policy to allow access to "US" tag for user 1, and to "International" for user 2.
I know I can combine the tag sets (e.g. "US PII", "US", "International PII", "International"). But this is not scalable. If the number of locations grows, and other sets of tags are added (regulatory, classifications, etc), it will be impossible to maintain the combinations. I need a logical AND in policy evaluation (e.g. if location tag matches AND privacy matches then allow), whereas currently it looks like the Ranger evaluation flow does an OR (e.g. if any location tag matches or privacy tag matches then allow).
Any ideas?
Deny policies take precedence over allow policies. So, in your scenario above, User 1 should not have access to data tagged as both "International" and "PII".
Take a look at the flow chart below on the sequence of policy evaluation.
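The deny-over-allow ordering from the answer, as an added example that is not part of the original thread and not Ranger code: a simplified model in which location tags grant access and the privacy tag only denies, which gives the AND behaviour asked for with one policy per tag. `TagPolicy`, `evaluate` and the user/tag assignments are constructed for illustration, and the model stops at tag policies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TagPolicy:
    tag: str
    allow: frozenset = frozenset()   # users granted access by this tag policy
    deny: frozenset = frozenset()    # users denied access by this tag policy

def evaluate(user, resource_tags, policies):
    """Simplified model: a deny on any matching tag wins over any allow."""
    matching = [p for p in policies if p.tag in resource_tags]
    if any(user in p.deny for p in matching):
        return "DENY"
    if any(user in p.allow for p in matching):
        return "ALLOW"
    return "NOT_DETERMINED"  # no tag policy decided; the model stops here

# Constructed scenario: user1 may see US data, user2 International data,
# and user1 is not cleared for PII.
ALLOW_ONLY = [
    TagPolicy("US", allow=frozenset({"user1"})),
    TagPolicy("International", allow=frozenset({"user2"})),
]
# Location tags grant; the privacy tag only denies, so it never widens access.
WITH_DENY = ALLOW_ONLY + [TagPolicy("PII", deny=frozenset({"user1"}))]

def decision_table(policies):
    """Evaluate a fixed set of constructed (user, tags) cases."""
    cases = [("user1", {"US"}), ("user1", {"US", "PII"}),
             ("user2", {"International", "PII"}), ("user2", {"US", "PII"})]
    return {(u, tuple(sorted(t))): evaluate(u, t, policies) for u, t in cases}

if __name__ == "__main__":
    for name, pols in (("allow only", ALLOW_ONLY), ("with PII deny", WITH_DENY)):
        print(name)
        for key, result in decision_table(pols).items():
            print("  ", key, "->", result)
```

If the PII policy also carried allow entries, any user listed there would gain access to PII data in every location, which is the OR behaviour described in the question.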