Preloaded resource-based services and policies
Apache Ranger includes preloaded resource-based services and policies.
The preloaded resource-based services appear on the Service Manager page for resource-based policies, and are prefixed with "cm_", with the exception of Hadoop SQL, which applies to multiple SQL stack components (Hive, Impala, and Hue).
To view the policies for each preloaded service, click the service name. To view policy details, click the applicable edit icon or policy ID number.

- all - entity-type, entity-classification, entity, entity-business-metadata
This is a default policy of type "entity" that gives access to all entities and their business metadata attributes for the following users and groups, with the specified permissions:
- admin, dpprofiler, beacon – Update Business Metadata
- rangertagsync, rangerlookup – Read entity
- public group – Read entity
- all - entity-type, entity-classification, entity
This is a default policy of type "entity" that gives access to all entities and their classifications for the following users and groups, with the specified permissions:
- admin, dpprofiler, beacon – Read, Create, Update, Delete entity & Add, Update, Remove classification
- rangertagsync, rangerlookup – Read entity
- public group – Read entity
- all - entity-type, entity-classification, entity, entity-label
This is a default policy of type "entity" that gives access to all entities and classifications and their labels for the following users and groups, with the specified permissions:
- admin, dpprofiler, beacon – Add, Remove label
- rangertagsync, rangerlookup – Read entity
- public group – Read entity
- all - relationship-type, end-one-entity-type, end-one-entity-classification, end-one-entity, end-two-entity-type, end-two-entity-classification, end-two-entity
This is a default policy of type "relationship" that gives access to all Entity-Relationships between End1-Entity-Type, End1-Entity-Classification, End1-Entity-ID and End2-Entity-Type, End2-Entity-Classification, End2-Entity-ID for the following users and groups, with the specified permissions:
- admin, dpprofiler, beacon – Add, Update, and Remove relationship
- public group – Add, Update, and Remove relationship
- all - atlas-service
This is a default policy of type "atlas-service" that gives access to all atlas-services [export, import, purge, server] for the following users, with the specified permissions:
- admin, dpprofiler, beacon – Admin Export and Admin Import
- all - type-category, type
This is a default policy of type "type-category" that gives access to all type categories [ENUM, ENTITY, CLASSIFICATION, RELATIONSHIP, STRUCT] and type names for the following users, with the specified permissions:
- admin, dpprofiler, beacon – Create, Update, and Delete type
- Allow users to manage favorite searches
This is a default policy of type "entity-type" that gives access to resources which are internal types for favorite search. This policy provides Read, Create, Update, and Delete Entity permissions to validated users who create a favorite search.
- all - table, column-family, column
Provides access to all HBase tables, column-families, and columns to the following users, with the specified permissions:
- hbase, rangerlookup – Read, Write, Create, Admin
Provides access to all HBase column-families and columns in the atlas_janus and ATLAS_ENTITY_AUDIT_EVENTS HBase tables, to the following user, with the specified permissions:
- atlas – Read, Write, Create, Admin
- all - path
Provides access to all HDFS resource paths to the following users, with the specified permissions:
- hdfs, rangerlookup – Read, Write, Execute
- kms-audit-path
Provides access to the
resource path to the following user, with the specified permissions:
- keyadmin – Read, Write, Execute
- all - topic
Provides access to all topics to the following users, with the specified permissions:
- kafka, rangerlookup, streamsmsgmgr, streamsrepmgr – Publish, Consume, Configure, Describe, Create, Delete, Describe Configs, Alter Configs
- all - cluster
Provides access to all clusters to the following users, with the specified permissions:
- kafka, rangerlookup, streamsmsgmgr, streamsrepmgr – Configure, Describe, Create, Kafka Admin, Idempotent Write, Describe Configs, Alter Configs
- all - transactionalid
Provides transactionalid access to the following users, with the specified permissions:
- kafka, rangerlookup, streamsmsgmgr, streamsrepmgr – Publish, Describe
- all - delegationtoken
Provides delegationtoken access to the following users, with the specified permissions:
- kafka, rangerlookup, streamsmsgmgr, streamsrepmgr – Describe
Provides ATLAS_HOOK topic access to the following users, with the specified permissions:
- hbase, hive, impala, mlgov – Publish
- atlas – Create, Configure, and Consume
Provides ATLAS_ENTITIES topic access to the following users, with the specified permissions:
- atlas – Create, Configure, and Publish
- rangertagsync – Consume
Provides ATLAS_SPARK_HOOK topic access to the following user, with the specified permissions:
- atlas – Create, Configure, and Consume
- all - topology, service
Provides access to all Knox topologies and services to the following users, with the specified permissions:
- admin, rangerlookup – Allow
- all - nifi-resource
Provides access to all NiFi resource identifiers to the following user, with the specified permissions:
- rangerlookup – Read, Write
- all - collection
Provides access to all Solr collections to the following users, with the specified permissions:
- solr, rangerlookup, ranger, atlas – Query, Update, Others, Solr Admin
Provides access to the RANGER_AUDITS_COLLECTION Solr collection to the following users, with the specified permissions:
- atlas, hbase, hdfs, hive, impala, kafka, knox, nifi, ranger, storm, yarn – Query, Update, Others
- ranger – Query, Update, Others, Solr Admin
- all - queue
Provides access to all YARN queues to the following users, with the specified permissions:
- yarn, rangerlookup – submit-app, admin-queue
Hadoop SQL
- all - global
Provides global access to the following users, with the specified permission:
- hive, beacon, dpprofiler, hue, admin, impala, rangerlookup – Temporary UDF Admin
- all - database, table, column
Provides access to all databases, tables, and columns to the following users, with the specified permissions:
- hive, rangerlookup, impala – Select, Update, Create, Drop, Alter, Index, Lock, All, Read, Write, ReplAdmin, Service Admin, Temporary UDF Admin, Refresh
- {OWNER} – All
- all - database, table
Provides access to all databases and tables to the following users, with the specified permissions:
- hive, rangerlookup, impala – Select, Update, Create, Drop, Alter, Index, Lock, All, Read, Write, ReplAdmin, Service Admin, Temporary UDF Admin, Refresh
- {OWNER} – All
- all - storage-type, storage-url
Ranger introduces the new resources “storage-type” and “storage-url” in the Hadoop SQL service, which support only one permission, “RW Storage”. When a user creates or alters a table, the request is authorized against this resource policy. Users granted the “RW Storage” permission on the resource representing the storage-type + storage-url can create or alter the table in the respective storage. Provides access to all databases to the following users, with the RW Storage permission only:
- hive, rangerlookup, impala, beacon, dpprofiler, hue, admin
- all - database
Provides access to all databases to the following users, with the specified permissions:
- hive, rangerlookup, impala – Select, Update, Create, Drop, Alter, Index, Lock, All, Read, Write, ReplAdmin, Service Admin, Temporary UDF Admin, Refresh
- {OWNER} – All
Also provides access to all databases to the following group, with the specified permissions:
- public – Create
- all - hiveservice
Provides hiveservice access to the following users, with the specified permissions:
- hive, rangerlookup, impala – Select, Update, Create, Drop, Alter, Index, Lock, All, Read, Write, ReplAdmin, Service Admin, Temporary UDF Admin, Refresh
- all - database, udf
Provides database and udf access to the following users, with the specified permissions:
- hive, rangerlookup, impala – Select, Update, Create, Drop, Alter, Index, Lock, All, Read, Write, ReplAdmin, Service Admin, Temporary UDF Admin, Refresh
- {OWNER} – All
- all - url
Provides url access to the following users, with the specified permissions:
- hive, rangerlookup, impala – Select, Update, Create, Drop, Alter, Index, Lock, All, Read, Write, ReplAdmin, Service Admin, Temporary UDF Admin, Refresh
- default database tables columns
Provides access to all tables and columns in the default database to the following user, with the specified permissions:
- impala – Create
Also provides access to all tables and columns in the default database to the following group, with the specified permissions:
- public – Create
- information_schema database tables columns
Provides access to all tables and columns in the information_schema database to the following user, with the specified permissions:
- impala – Select
Also provides access to all tables and columns in the information_schema database to the following group, with the specified permissions:
- public – Select
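
Several of the preloaded Hadoop SQL policies above grant permissions to the public group. The following added example (not part of the original documentation or of Ranger itself) lists every public-group grant in a set of policies and marks those that combine a wildcard resource with more than read access. It assumes the input follows Ranger's policy JSON model (`name`, `resources`, `policyItems`); the sample data and the `public_grants` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like Ranger policy JSON; it mirrors four Hadoop SQL
# policies described on this page and is not a real export.
SAMPLE_EXPORT = json.loads("""
[
  {"service": "Hadoop SQL", "name": "all - database", "isEnabled": true,
   "resources": {"database": {"values": ["*"]}},
   "policyItems": [
     {"users": ["hive", "rangerlookup", "impala"], "groups": [],
      "accesses": [{"type": "all", "isAllowed": true}]},
     {"users": [], "groups": ["public"],
      "accesses": [{"type": "create", "isAllowed": true}]}]},
  {"service": "Hadoop SQL", "name": "default database tables columns", "isEnabled": true,
   "resources": {"database": {"values": ["default"]},
                 "table": {"values": ["*"]}, "column": {"values": ["*"]}},
   "policyItems": [{"users": ["impala"], "groups": ["public"],
                    "accesses": [{"type": "create", "isAllowed": true}]}]},
  {"service": "Hadoop SQL", "name": "information_schema database tables columns",
   "isEnabled": true,
   "resources": {"database": {"values": ["information_schema"]},
                 "table": {"values": ["*"]}, "column": {"values": ["*"]}},
   "policyItems": [{"users": ["impala"], "groups": ["public"],
                    "accesses": [{"type": "select", "isAllowed": true}]}]},
  {"service": "Hadoop SQL", "name": "all - url", "isEnabled": true,
   "resources": {"url": {"values": ["*"]}},
   "policyItems": [{"users": ["hive", "rangerlookup", "impala"], "groups": [],
                    "accesses": [{"type": "all", "isAllowed": true}]}]}
]
""")

READ_ONLY = {"select", "read"}  # access types treated as read-only in this check

def public_grants(policies, group="public"):
    """Return one finding per enabled policy item that grants access to `group`."""
    findings = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies are not evaluated, so skip them
        resources = policy.get("resources", {})
        wildcard = any("*" in v for r in resources.values() for v in r.get("values", []))
        for item in policy.get("policyItems", []):
            if group not in item.get("groups", []):
                continue
            accesses = sorted(a["type"] for a in item.get("accesses", [])
                              if a.get("isAllowed", True))
            # Mark for review when a wildcard resource carries more than read access.
            review = wildcard and not set(accesses) <= READ_ONLY
            findings.append({"policy": policy["name"], "accesses": accesses,
                             "wildcard": wildcard, "review": review})
    return findings
```

On the constructed sample, the two Create grants are marked for review and the Select grant on information_schema is reported but not marked.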