Row and column access control (RCAC)

Ranger security support for Db2® Big SQL includes masking and row-level filter policies in the Hadoop SQL and Db2 Big SQL plugins.

Policies on native Db2 objects should be defined in the Db2 Big SQL plugin. Policies on Hadoop tables should be defined in the Hadoop SQL (Hive) plugin.

Restrictions

  • RCAC policies cannot be defined on the same table in both Db2 and Ranger. If this occurs, an error is returned when the table is queried (SQLSTATE 42525).
  • Policies that are defined on views or table aliases are not applied to SQL statements. RCAC policies in Ranger should only be defined on tables and nicknames. To protect the data in a view, define mask or row-level filter policies on the tables that are referenced in the view definition.
  • Wildcard matching on database names or table names is not supported in row-level filter policies.
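
The three restrictions above can be checked before policies are rolled out. The following is an added example, not code from IBM or the Apache Ranger project: it lints an exported policy list, assuming the Ranger policy JSON shape used by the Hadoop SQL (Hive) plugin (policyType 1 for masking, 2 for row-level filter, resources keyed by "database" and "table"). The function names, the two catalog-derived input sets and all sample object names are hypothetical and constructed for illustration.

```python
# Added example, not IBM or Apache Ranger code. Assumes the policy JSON shape of a
# Ranger export for the Hadoop SQL (Hive) plugin: policyType 1 = masking,
# 2 = row-level filter, resources keyed by "database" and "table".
MASKING, ROW_FILTER = 1, 2

def _values(policy, key):
    return policy.get("resources", {}).get(key, {}).get("values", [])

def lint_policies(policies, views_and_aliases, db2_rcac_tables):
    """Return sorted (policy name, finding) pairs for the three restrictions.

    views_and_aliases and db2_rcac_tables are lower-case "schema.name" sets the
    caller gathers from the catalog (assumed inputs).
    """
    findings = set()
    for p in policies:
        if p.get("policyType") not in (MASKING, ROW_FILTER):
            continue  # plain access policies are out of scope
        if not p.get("isEnabled", True):
            continue
        dbs, tables = _values(p, "database"), _values(p, "table")
        # Restriction 3: no wildcards in row-level filter policies.
        if p["policyType"] == ROW_FILTER and any(c in v for v in dbs + tables for c in "*?"):
            findings.add((p["name"], "wildcard in row-level filter policy"))
            continue
        for fq in (f"{d}.{t}".lower() for d in dbs for t in tables):
            if fq in views_and_aliases:  # Restriction 2
                findings.add((p["name"], f"{fq} is a view or alias; policy is not applied"))
            if fq in db2_rcac_tables:    # Restriction 1
                findings.add((p["name"], f"{fq} also has Db2 RCAC; queries fail with SQLSTATE 42525"))
    return sorted(findings)

def _policy(name, ptype, db, table):
    return {"name": name, "policyType": ptype, "isEnabled": True,
            "resources": {"database": {"values": [db]}, "table": {"values": [table]}}}

# Constructed sample data.
SAMPLE_POLICIES = [
    _policy("mask_ssn", MASKING, "sales", "customers"),
    _policy("filter_eu_view", ROW_FILTER, "sales", "v_customers_eu"),
    _policy("filter_orders", ROW_FILTER, "sales", "orders_*"),
    _policy("mask_salary", MASKING, "hr", "payroll"),
    _policy("select_all", 0, "sales", "*"),
]
SAMPLE_VIEWS = {"sales.v_customers_eu"}
SAMPLE_DB2_RCAC = {"hr.payroll"}

if __name__ == "__main__":
    for name, finding in lint_policies(SAMPLE_POLICIES, SAMPLE_VIEWS, SAMPLE_DB2_RCAC):
        print(f"{name}: {finding}")
```

A policy flagged as defined on a view is the one to watch most closely, because it is not applied and so the data is returned unmasked and unfiltered.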