> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nx1cloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Ranger best practices

> Best practices for managing access control with Apache Ranger.

The Ranger best practices page describes several efficient ways to use Ranger.

## Creating effective policies

The following best practices help you create efficient policies:

* **Start with groups, not users**: Always create policies for groups rather than individual
  users. When a user changes roles, update their group membership rather than modifying
  dozens of policies.
* **Use naming conventions**: Establish and enforce naming standards for policies, services,
  and roles. This makes finding and managing policies much easier as the system grows.
* **Resource specification**: Determine which objects a policy applies to and use
  wildcards strategically, especially with sensitive data.

  For example, `database=finance, table=*, column=*` grants access to all columns of
  all tables in the finance database.
* **User or group selection**: When adding multiple users or groups to a policy, understand
  the following logic:
  * Users or groups within a policy are OR'd together, meaning any match between the
    two grants access.
  * Multiple policies with different resources are independently evaluated.
* **Permission selection**: Grant minimum necessary permissions, for example:
  * Grant only `SELECT` for read-only access, not `ALL`.
  * Grant `INSERT` for data loading processes, not `DROP` or `ALTER`.
* **Policy conditions**: Add conditions to restrict access further, for example:
  * **IP range**: `192.168.1.0/24` limits access to the corporate network.
  * **Time**: `9:00-17:00` restricts access to business hours.
  * **Custom conditions**: Access data only if the user's department matches the data owner.
* **Policy priority**: When policies conflict, Ranger uses a priority order. For example:
  * In deny policies, priority 1 always wins.
  * Among allow policies, the higher priority number wins.
  * If no matching policy exists, then Ranger denies access by default.

## Advanced policy patterns

The following best practices help you implement advanced policy patterns efficiently:

* **Tag-based policies**: Instead of creating policies for each table, do the following:
  * Tag tables in the metadata system with classifications such as PII, SENSITIVE, or PUBLIC.
  * Create Ranger policies based on tag tables so that new tables automatically inherit
    the policies associated with those tags.
* **Policy templates**: For repetitive policy patterns, create a template policy.
  When applying it to new resources, adjust only the resource path and specific users.
* **Time-limited access**: For contractors or temporary projects, create policies with
  specific validity periods. Ranger can automatically disable policies after the end date.
* **Break-glass access**: Create disabled "emergency access" policies that can be quickly
  enabled during incidents when normal access channels fail.

## Policy testing and validation

The following best practices help you detect issues early and verify that policies
are behaving as intended:

* **Test before production**: Create development and staging Ranger instances that mirror
  production. Test new policies in these environments before deploying to production.
* **Policy simulator**: Before deploying policies, use Ranger's policy evaluation tools
  to test how Ranger handles specific access requests. If you input a user, resource,
  and operation, you can see which policies apply and what the decision would be.
* **Audit log review**: After deploying new policies, monitor audit logs for unexpected
  denials. If Ranger blocks legitimate users, adjust the policies accordingly.
* **User feedback loop**: Establish a process for users to request access when denied.
  This creates a feedback mechanism to identify missing or incorrect policies.

## Policy migration and promotion

The following best practices help you migrate Ranger policies between environments and
manage policy changes safely:

* **Environment promotion**: When promoting policies from a development environment to
  production ensure the following:
  * Export policies from a development Ranger instance in JSON format.
  * Review and adjust the policies for production environment differences.
  * Import the policies into production during the maintenance window.
  * Monitor the policies for issues and prepare to rollback.
* **Version control**: Store policy exports in Git or a similar version control system.
  This provides change history, enables code review of policy changes, and facilitates
  disaster recovery.

## Ongoing maintenance

The following best practices help you keep policies accurate, up to date, and aligned
with your organization's requirements over time:

* **Document policies**: Use the policy description field to explain why a policy exists,
  who requested it, and any special considerations. This helps future administrators understand
  policy intent.
* **Regular audits**: Periodically review policies to identify and remove obsolete permissions,
  identify overly permissive policies, and ensure policies align with the current organizational
  structure.

## Additional resources

* To get an overview of Ranger, refer to the [Ranger in NexusOne](./ranger-in-nx1) page.
* To learn practical ways to use Ranger in the NexusOne environment, refer to the
  [Ranger hands-on examples](./ranger-hands-on-examples) page.
* For more details about Ranger, refer to the
  [Ranger](https://spark.apache.org/docs/latest/api/python/reference/pyspark.sql/index.html) official documentation.
* For more details about Spark in NexusOne, refer to [Spark in NexusOne](/platform-components/apache-spark)
  page.
* For more details about Trino in NexusOne, refer to [Trino in NexusOne](/platform-components/trino)
  page.
