SCIM Server User-Provisioning
Note
Contact Privacera Support to request enabling this feature.
PrivaceraCloud can be configured to use the System for Cross-Domain Identity Management (SCIM) 2.0 protocol.
This allows external management and synchronization of your PrivaceraCloud data access users and groups.
After you connect your Identity Provider to your PrivaceraCloud account via SCIM, data user attributes and group memberships are managed in the Identity Provider, not in PrivaceraCloud.
Note
Data access users, groups, and roles can still be added in PrivaceraCloud, but users, groups, or roles created in PrivaceraCloud are not synchronized back to the Identity Provider.
SCIM server user provisioning does not apply to portal users (those who log in to the portal).
Enable SCIM Server in PrivaceraCloud
In your PrivaceraCloud account, navigate to Settings > Datasource
Choose UserSync.
Enter a name to identify the connector. Click Next.
Copy the Endpoint URL.
Enter a value for Username and Password. Save all three values (Endpoint URL, Username, and Password); your SCIM client or the Okta SCIM client will use them to authenticate to the endpoint.
Click Next.
Users or groups specified in Inclusions are added to the sync filters. Specify any user or group Exclusions and click Next.
Base User Attributes maps identity attributes in the SCIM payloads to PrivaceraCloud data access user attributes.
The right-hand column lists the source fields for PrivaceraCloud users. These values can come from Okta or another identity provider.
Okta Identity Provider Integration
For Okta SCIM client operations supported by PrivaceraCloud, see Supported Okta SCIM Client Operations.
Prerequisites
Obtain user provisioning functionality for your Okta account. For details, see Okta Lifecycle Management.
Resolve group name conflicts before syncing to your PrivaceraCloud account. Rename groups that have the same name in your identity provider and in your PrivaceraCloud account.
Recommendation: Before integrating your production users and groups, create a test account and group in Okta, such as privacera-test-users, and use those test values to confirm the integration. When you are satisfied with the results, repeat the process using live production users and groups.
Integration Steps
Step 1. Enable SCIM API Integration in Okta
Be sure you have the Endpoint URL and the username and password you specified from Enable SCIM Server in PrivaceraCloud.
Log in to Okta and add the PrivaceraCloud application.
From the application, click the Provisioning tab.
Click Configure API integration.
Select Enable API integration.
Enter the Endpoint URL that was generated for you, and the Username/Password you provided in your PrivaceraCloud account in Enable SCIM Server in PrivaceraCloud.
Click Test API Credentials. If the test passes, click Save.
Under Settings, click To App.
Click Edit and select Enable for required options.
Use this step to map user attributes or leave them with default settings.
Click Save to apply the integration settings.
Step 2: Activate application features
From the application, click the Provisioning tab.
Click Edit.
Click the Enable checkbox for Create Users and Update User Attributes.
Click Save.
Step 3. Verify Email Addresses
User provisioning in Okta relies on an email address to identify a user in PrivaceraCloud and consequently create or update a Privacera Cloud account. If the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in Okta, the user might end up with duplicate PrivaceraCloud accounts.
To avoid duplicate accounts, verify the email address attribute that maps to a user account is correct and used for both SAML SSO and SCIM user provisioning:
From the User provisioning tab in Okta, note the field that maps to the Primary email attribute. The default is email.
Click the Sign on tab. From the Credentials details section, look for the Application username format setting. Okta passes this field from a user's account as the SSO email address when creating or linking an account.
If Application username format specifies an old value (for example, the specified attribute holds the old email address user1OLD@example.com) but another attribute stores the same user's current email address user1NEW@example.com, the user might end up with duplicate accounts. Troubleshoot as follows:
- Before you complete this step, ask the user to log in with their PrivaceraCloud account at least once.
- If the user still ends up with duplicate accounts, contact PrivaceraCloud support with the user's email addresses.
Make sure the Application username format is set to the same attribute specified as Primary email in the previous step.
Make sure that Update application username is set to Create and update. Click Save to apply your changes.
Click Update Now to push the change faster than the Okta automatic update.
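The duplicate-account failure mode above comes down to two Okta attributes disagreeing for the same person: the attribute mapped to Primary email (used by SCIM provisioning) and the attribute sent as Application username (used by SAML SSO). The following added example, which is not Privacera or Okta code, runs that consistency check over a constructed export of user profiles; the record layout (login, scim_primary_email, saml_app_username) is an assumption made for illustration, and the addresses reuse the page's user1OLD/user1NEW pattern.

```python
"""Flag users whose SCIM primary email and SAML application username differ.

Constructed example (not Privacera or Okta code). Each record below stands for
one Okta user profile after the two mappings from Step 3 have been resolved:
  scim_primary_email : value of the attribute mapped to Primary email
  saml_app_username  : value of the attribute chosen as Application username format
The field names are an assumption for this example.
"""

# Constructed sample data. user1 reproduces the page's scenario: the SAML side
# still sends the old address, so SSO and SCIM would refer to two accounts.
SAMPLE_USERS = [
    {"login": "alice@example.com",
     "scim_primary_email": "alice@example.com",
     "saml_app_username": "alice@example.com"},
    {"login": "user1@example.com",
     "scim_primary_email": "user1NEW@example.com",
     "saml_app_username": "user1OLD@example.com"},
    {"login": "bob@example.com",
     "scim_primary_email": "Bob@Example.com",
     "saml_app_username": "bob@example.com"},
]


def normalize_email(addr):
    """Compare addresses case-insensitively and without surrounding whitespace."""
    return addr.strip().lower()


def find_mismatches(users):
    """Return (login, scim_email, saml_username) for every user whose two
    identity attributes would not resolve to the same PrivaceraCloud account."""
    mismatches = []
    for u in users:
        scim = u["scim_primary_email"]
        saml = u["saml_app_username"]
        if normalize_email(scim) != normalize_email(saml):
            mismatches.append((u["login"], scim, saml))
    return mismatches


def report(users):
    """Human-readable summary: which users are safe to provision and which need
    their Okta attribute mapping fixed before SCIM and SAML are both enabled."""
    bad = find_mismatches(users)
    lines = [f"{len(users) - len(bad)} consistent, {len(bad)} mismatched"]
    for login, scim, saml in bad:
        lines.append(f"  {login}: SCIM primary email {scim} != SAML username {saml}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_USERS))
```

Run the check against a real export before enabling Create Users in Step 2; any login it lists should have its Application username format corrected (or the stale attribute updated) first, since after provisioning the cleanup requires support involvement as the page notes.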
Step 4. Push Groups
Privacera recommends using the group synchronization feature to automatically manage user privileges and licenses from your directory, instead of manually managing these from the organization.
This section describes how to configure group-based management.
Pushing a group to your PrivaceraCloud account pushes only the detail about a group, not details about users who are part of a group.
In Okta, click the Push Groups tab and then By name.
Select the group name, and click Save.
Review to make sure all required groups have been pushed.
Step 5. Assign Users to the PrivaceraCloud Application in Okta
In Okta, click the Assignments tab of the PrivaceraCloud application.
Click Assign, then Groups. Select the group to assign.
In the displayed dialog, these default values are used only if the user profile does not have them. All fields are optional.
When you are done with this step, click Save and Go Back.
In PrivaceraCloud, to verify that users and groups are synced, navigate to Access Manager > Users Groups and Roles.
Step 6. Write a Policy for Provisioned Users or Groups
Create a data access policy for the provisioned users or groups through PrivaceraCloud to finalize the integration verification.
From your PrivaceraCloud Account, navigate to Access Management > Resource Policies.
Select an application to write a policy over, such as Privacera Hive.
Click Add Policy and enter the details as shown below.
Verify the policy is in effect in your downstream application.
Supported Okta SCIM Client Operations
User Operations
The Privacera SCIM Server supports the following operations:
Operation | Notes |
---|---|
Create new user | A data access user is created in PrivaceraCloud under Access Management -> Users. This account cannot be edited directly in PrivaceraCloud. |
Link an existing user | If a user already exists in your PrivaceraCloud account, it is automatically linked to the user in Okta. This account can no longer be edited directly in PrivaceraCloud. |
Update user details | In PrivaceraCloud, you can update the display name and email address user attributes from your identity provider. By default, a user's first and last names are combined to create the Display name. Any display name entered in PrivaceraCloud overwrites the first and last name combination. |
Deactivate user | Deactivation is also sometimes called "soft delete". Deactivation has the following effects: Important: the Privacera administrator must manually remove the deactivated user from all user-based policies. If your policies are based on groups (not specific users), no changes to policies are needed, because the user has been removed from the groups. You need to manually change a policy only if the user is explicitly named in it. |
Delete user | Delete the user manually in PrivaceraCloud. |
Group Operations
Groups created manually and by default (for example, public) in your PrivaceraCloud account cannot be managed via SCIM.
You can only manage groups synced from Okta via SCIM.
Operation | Notes | Troubleshooting |
---|---|---|
Create group | The group is created as a read-only external group in PrivaceraCloud. | |
Update group membership | External data access users in your PrivaceraCloud account are modified to reflect the group membership changes carried by this SCIM operation. | If a synced group is empty after pushing it, make sure that the synchronized group does not have the same name as a default or manually created group in PrivaceraCloud. |
Push group | An error results if the group name already exists in your PrivaceraCloud account. For example, the group named "public" might conflict. | In your identity provider, rename the conflicting group to a name different from the PrivaceraCloud built-in group name and attempt to re-sync. |
Delete group | Not implemented via SCIM. Manually delete the user account in PrivaceraCloud. | |
Okta SCIM Server - Configure custom user attributes
These steps configure the Usersync connector to accept additional user attributes.
In the PrivaceraCloud portal, navigate to Settings -> Datasources -> Usersync connector.
In the "Custom User Attributes" section, add the custom attribute(s).
Save the configuration.
In Okta you will need to add application profile attributes and mappings.
Login to Okta. Navigate to Applications.
Select your PrivaceraCloud application.
Then select "Provisioning (To App)".
In the "Local Attribute Mappings" section, click "Go to Profile Editor".
Click Add Attribute.
Table 30. Attribute examples
Field | Value |
---|---|
Data type | string |
Display name | Title |
Variable name | title |
External name | title |
External namespace | urn:ietf:params:scim:schemas:core:2.0:User |
Description | User Title |
Enum | |
Attribute length | |
Attribute required | |
Scope | User Personal |
Click Mappings.
Select "Okta User to PrivaceraCloud". For example, map the Okta attribute user.title to the application attribute title.
For additional information, see the Okta documentation.
SCIM Server API
SCIM 2.0 clients can also connect directly with the Privacera SCIM Server via the REST API.
Follow the steps in Enable SCIM Server in PrivaceraCloud to obtain the direct URL, username, and password.
Use Basic Authentication (base64 encoded username and password) to authenticate each API request.
See SCIM 2.0 Specification for specific protocol and call schemas.
Supported SCIM REST API Requests
PrivaceraCloud supports the following requests:
GET /Users
  Params: startIndex, count, filter (a single filter using the 'eq' operator on one of these attributes: userName, givenName, firstName, active)
GET /Users/{userId}
POST /Users
  Params: user (SCIM User JSON)
PUT /Users/{userId}
  Params: user (SCIM User JSON)
GET /Groups
  Params: startIndex, count, filter (a single filter using the 'eq' operator on displayName)
GET /Groups/{groupId}
POST /Groups
  Params: group (SCIM Group JSON)
PATCH /Groups/{groupId}
  Params: operations (SCIM Operation list). Supported operations:
  - op: replace, path: members, value: [{value: userId}, ...]
  - op: remove, path: members[value eq "userId"]
  - op: add, path: members, value: [{value: userId}, ...]
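The request shapes listed above, together with the custom title attribute from the Okta section, are shown below in an added Python example that is not Privacera's code. It builds the Basic Authentication header, validates the single-'eq' filter form the server accepts, constructs a SCIM User payload that carries title in the core User namespace, and builds the three supported PATCH /Groups operations. Because it has to run offline, it also applies those operations to an in-memory group the way a SCIM server would, so the membership effect of each op is visible without a live endpoint. The endpoint URL, username, and password are placeholders for the values copied from the Usersync connector; the server-side apply logic is an assumption about behaviour, not a description of PrivaceraCloud internals.

```python
"""SCIM 2.0 client pieces for the PrivaceraCloud SCIM Server (added example, not
Privacera code). Endpoint, username and password are placeholders for the values
from Settings > Datasource > UserSync."""
import base64
import re

ENDPOINT_URL = "https://<privaceracloud-scim-endpoint>"  # placeholder
USERNAME = "scim-user"                                      # placeholder
PASSWORD = "scim-password"                                  # placeholder

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Attributes the page lists as filterable with a single 'eq' filter.
USER_FILTER_ATTRS = {"userName", "givenName", "firstName", "active"}
GROUP_FILTER_ATTRS = {"displayName"}
_EQ_FILTER = re.compile(r'^(\w+)\s+eq\s+(?:"([^"]*)"|(true|false))$')


def basic_auth_header(username, password):
    """Basic Authentication: base64 of 'username:password', sent on every request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_eq_filter(expr, allowed):
    """Accept only the supported shape: one 'eq' comparison on an allowed
    attribute. Compound filters, other operators and other attributes raise."""
    m = _EQ_FILTER.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    attr, quoted, boolean = m.groups()
    if attr not in allowed:
        raise ValueError(f"attribute {attr!r} is not filterable")
    return attr, (quoted if quoted is not None else boolean == "true")


def is_valid_filter(expr, allowed):
    try:
        parse_eq_filter(expr, allowed)
        return True
    except ValueError:
        return False


def list_users_request(filter_expr=None, start_index=1, count=100):
    """URL, query params and headers for GET /Users; the filter is checked first
    so an unsupported expression fails client-side instead of at the server."""
    params = {"startIndex": start_index, "count": count}
    if filter_expr is not None:
        parse_eq_filter(filter_expr, USER_FILTER_ATTRS)
        params["filter"] = filter_expr
    return f"{ENDPOINT_URL}/Users", params, basic_auth_header(USERNAME, PASSWORD)


def build_user(user_name, given_name, family_name, email, title=None):
    """SCIM User JSON for POST /Users or PUT /Users/{userId}. 'title' is the
    custom attribute from Table 30, carried in the core User namespace."""
    user = {
        "schemas": [CORE_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    if title is not None:
        user["title"] = title
    return user


def members_ops(op, user_ids):
    """One list of PatchOp operations in the three supported forms."""
    if op in ("add", "replace"):
        return [{"op": op, "path": "members",
                 "value": [{"value": uid} for uid in user_ids]}]
    if op == "remove":
        return [{"op": "remove", "path": f'members[value eq "{uid}"]'} for uid in user_ids]
    raise ValueError(f"unsupported op {op!r}")


def patch_body(ops):
    """Body for PATCH /Groups/{groupId}."""
    return {"schemas": [PATCH_OP_SCHEMA], "Operations": list(ops)}


def apply_members_patch(group, body):
    """Apply the operations to an in-memory group (assumed server behaviour,
    used here only to show the membership effect of each op offline)."""
    members = [m["value"] for m in group.get("members", [])]
    for op in body["Operations"]:
        if op["op"] == "replace" and op["path"] == "members":
            members = [v["value"] for v in op["value"]]
        elif op["op"] == "add" and op["path"] == "members":
            members += [v["value"] for v in op["value"] if v["value"] not in members]
        elif op["op"] == "remove":
            m = re.fullmatch(r'members\[value eq "([^"]+)"\]', op["path"])
            if not m:
                raise ValueError(f"unsupported remove path {op['path']!r}")
            members = [uid for uid in members if uid != m.group(1)]
        else:
            raise ValueError(f"unsupported operation {op!r}")
    return {**group, "members": [{"value": uid} for uid in members]}


if __name__ == "__main__":  # constructed demo group
    g = {"displayName": "privacera-test-users", "members": [{"value": "u1"}, {"value": "u2"}]}
    body = patch_body(members_ops("add", ["u3"]) + members_ops("remove", ["u1"]))
    print(apply_members_patch(g, body)["members"])
    print(list_users_request('userName eq "alice"'))
```

Sending the requests (for example with the requests library against ENDPOINT_URL with the headers returned here) is the only part left out; the client-side filter check matters because the server supports exactly one 'eq' comparison, so a compound or 'co' filter would otherwise be rejected only after the round trip.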