
Deployment and Principal Name Format (On-Premises vs Azure)

This section describes PolicySync properties that align Privacera portal users and groups with how Microsoft SQL Server resolves external versus local (service) principals for on-premises SQL Server and Azure SQL deployments.

PolicySync can transform the user and group names stored in the Privacera portal into the formats that Microsoft SQL Server expects — for example, DOMAIN\username for on-premises deployments or username@yourtenant.com for Azure SQL. This page explains how SQL Server resolves external and local principals, which PolicySync properties control name transformation, and how to configure those properties for your deployment.

When ranger.policysync.connector.0.domain.prefix and ranger.policysync.connector.0.user.email.domain are both empty, no name transformation runs and policies apply using portal names exactly as entered.

Principal Name Formats in SQL Server

On-Premises Microsoft SQL Server

Principal Type | Users | Groups
--- | --- | ---
External (For Example, Active Directory–Linked) | DOMAIN\username | DOMAIN\groupname
Local (MSSQL Service / SQL-Authenticated Style Names in the Portal) | username | groupname

Replace DOMAIN with your Windows domain (for example, priv\username).

Azure SQL Database and Azure Synapse Analytics

Principal Type | Users | Groups
--- | --- | ---
External (For Example, Azure AD) | username@yourtenant.com | DOMAIN\groupname
Local (Azure SQL Service / Managed Identities and Similar in the Portal) | username@yourtenant.com | groupname

Note

External groups in Azure use a domain-style prefix (DOMAIN\groupname), while external users use the email format (user@domain.com). Local groups appear without a domain prefix.

PolicySync Properties

Connector Index

Property names use ranger.policysync.connector.0.*, where 0 is the PolicySync connector index. Replace 0 with your MSSQL connector’s index if it is not the first connector instance.

Property | Description
--- | ---
ranger.policysync.connector.0.deployment | on-prem — on-premises SQL Server behavior for name transformation. azure — Azure SQL behavior for name transformation.
ranger.policysync.connector.0.domain.prefix | Windows-style domain prefix used for external groups (and related transformations), including a trailing backslash (logical value such as priv\). In Java .properties custom properties (PrivaceraCloud), escape each backslash: use priv\\ so the loaded value is priv\. A single trailing \ is unsafe because \ starts escapes and can act as line continuation.
ranger.policysync.connector.0.user.email.domain | For on-prem, the email suffix used when building external user names in the form username@domain (for example, privacera.com yields username@privacera.com). Do not include @ in this value. For azure, keep this property blank (do not set it to a value such as privacera.com).
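To see why the table asks for priv\\ rather than priv\ in a .properties file, the following is an added example (not Privacera code) with a small reader for the subset of java.util.Properties syntax that matters here (key=value lines, backslash escapes, backslash line continuation), applied to two constructed inputs, plus a check on what the loaded prefix value actually contains:

```python
"""Added example (not Privacera code): what a Java .properties reader makes of
the domain.prefix value, plus a check on the loaded result. It implements only
the subset of java.util.Properties syntax that matters here: key=value lines,
backslash escapes, and backslash line continuation. Both inputs below are
constructed for this example."""

# Correct: the doubled backslash loads as a single trailing backslash.
GOOD_PROPERTIES = r"""ranger.policysync.connector.0.deployment=on-prem
ranger.policysync.connector.0.domain.prefix=priv\\
ranger.policysync.connector.0.user.email.domain=privacera.com
"""

# Wrong: a single trailing backslash continues the line, so the next
# property is swallowed into the prefix value and its own key disappears.
BAD_PROPERTIES = r"""ranger.policysync.connector.0.deployment=on-prem
ranger.policysync.connector.0.domain.prefix=priv\
ranger.policysync.connector.0.user.email.domain=privacera.com
"""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _continues(line: str) -> bool:
    """True when the line ends in an odd number of backslashes (line continuation)."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def _unescape(raw: str) -> str:
    # A doubled backslash becomes one backslash; n, t, r, f map to control
    # characters; any other escaped character stands for itself.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def load_properties(text: str) -> dict:
    """Parse .properties text the way java.util.Properties.load does, in miniature."""
    logical, buf = [], ""
    for line in text.splitlines():
        if buf:                      # continuation: leading whitespace of this line is dropped
            line = line.lstrip()
        if _continues(line):
            buf += line[:-1]         # drop the continuation backslash and keep reading
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)

    props = {}
    for entry in logical:
        s = entry.lstrip()
        if not s or s[0] in "#!":
            continue
        i = 0                        # key ends at the first unescaped '=', ':' or whitespace
        while i < len(s) and s[i] not in "=:" and not s[i].isspace():
            i += 2 if s[i] == "\\" else 1
        key, rest = s[:i], s[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[_unescape(key)] = _unescape(rest)
    return props


def check_domain_prefix(props: dict,
                        key: str = "ranger.policysync.connector.0.domain.prefix") -> list:
    """Return problems with the loaded domain.prefix (empty list when it is fine).

    An empty value is valid: it means no transformation runs.
    """
    value = props.get(key, "")
    problems = []
    if value == "":
        return problems
    if not value.endswith("\\"):
        problems.append("value does not end with a backslash")
    elif value.endswith("\\\\"):
        problems.append("value ends with more than one backslash")
    if "=" in value or any(c.isspace() for c in value):
        problems.append("value contains '=' or whitespace; a lone trailing backslash "
                        "probably joined the next line")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        loaded = load_properties(text)
        print(label, loaded, check_domain_prefix(loaded) or "ok")
```

With the bad input the prefix key loads as privranger.policysync.connector.0.user.email.domain=privacera.com and the email-domain key is missing entirely, which is the failure the table warns about; the check catches both the missing trailing backslash and the swallowed line.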

Default Behavior

If you rely on defaults equivalent to:

Properties
ranger.policysync.connector.0.deployment=azure
ranger.policysync.connector.0.domain.prefix=
ranger.policysync.connector.0.user.email.domain=

then with empty domain.prefix and empty user.email.domain, PolicySync does not transform user or group strings; policies match exactly the names stored in the portal.

Adjust deployment and the optional fields when you need portal names to map to the external / local formats in the tables above. For Azure SQL, set user.email.domain to blank even when you set domain.prefix.
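As an added illustration (not PolicySync's own code), the following Python models the mapping in the two tables above together with the default rule that empty optional properties mean no transformation. This page does not describe how PolicySync decides whether a portal principal is external or local, so the caller passes that as the external flag; and when both on-prem properties are set, giving user.email.domain precedence for external users is an assumption of this model, not a documented rule.

```python
"""Added illustration of the principal-name mapping described on this page.

Not PolicySync's own code. The `external` flag is an assumption of this
model (the page does not say how PolicySync classifies principals), as is
the precedence of user.email.domain over domain.prefix for external on-prem
users when both are set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectorConfig:
    deployment: str               # "on-prem" or "azure"
    domain_prefix: str = ""       # logical value, e.g. "priv\\" (Python literal for priv\)
    user_email_domain: str = ""   # e.g. "privacera.com"; no "@", blank for azure


def validate_config(cfg: ConnectorConfig) -> list:
    """Return the configuration problems this page warns about (empty list = ok)."""
    problems = []
    if cfg.deployment not in ("on-prem", "azure"):
        problems.append(f"unknown deployment value: {cfg.deployment!r}")
    if cfg.deployment == "azure" and cfg.user_email_domain:
        problems.append("user.email.domain must be blank for azure")
    if "@" in cfg.user_email_domain:
        problems.append("user.email.domain must not contain '@'")
    if cfg.domain_prefix and not cfg.domain_prefix.endswith("\\"):
        problems.append("domain.prefix must end with a single backslash")
    return problems


def transform_principal(name: str, kind: str, external: bool, cfg: ConnectorConfig) -> str:
    """Map a portal user/group name to the form SQL Server expects.

    kind is "user" or "group". With both optional properties empty the
    portal name is returned unchanged, matching the documented default.
    """
    if kind not in ("user", "group"):
        raise ValueError(f"unknown principal kind: {kind!r}")
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))

    # Both optional properties empty: no transformation runs at all.
    if not cfg.domain_prefix and not cfg.user_email_domain:
        return name
    # Local (service) principals keep their plain portal name in both tables.
    if not external:
        return name
    if kind == "group":
        # External groups use DOMAIN\groupname for on-prem and Azure alike.
        return cfg.domain_prefix + name if cfg.domain_prefix else name
    if cfg.deployment == "on-prem":
        # External on-prem users: username@domain when an e-mail domain is
        # configured (assumed precedence), otherwise DOMAIN\username.
        if cfg.user_email_domain:
            return f"{name}@{cfg.user_email_domain}"
        return cfg.domain_prefix + name
    # Azure: portal users already carry the username@yourtenant.com form.
    return name


if __name__ == "__main__":
    on_prem = ConnectorConfig("on-prem", "priv\\", "privacera.com")
    azure = ConnectorConfig("azure", "priv\\")
    samples = (("alice", "user", True), ("analysts", "group", True),
               ("svc_etl", "user", False), ("dbreaders", "group", False))
    for cfg in (on_prem, azure):
        for name, kind, ext in samples:
            print(cfg.deployment, kind, name, "->", transform_principal(name, kind, ext, cfg))
```

Running it prints one line per sample; the local principals come back unchanged in both deployments, and validate_config rejects the two mistakes the property table calls out (an e-mail domain under azure, and an @ in the value).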

Configuration Examples

Replace Placeholders

Replace example domains, prefixes, and email domains with your organization’s values.

On-Premises SQL Server

Use on-prem and set both optional properties when you want PolicySync to apply on-premises-style transformations:

Properties
ranger.policysync.connector.0.deployment=on-prem
ranger.policysync.connector.0.domain.prefix=priv\\
ranger.policysync.connector.0.user.email.domain=privacera.com
  • domain.prefix — your domain prefix for external-style DOMAIN\ names (logical example priv\; in .properties write priv\\).
  • user.email.domain — for on-premises only: suffix for external user names in email format when that transformation applies (example: privacera.com). For Azure SQL, leave blank.

If domain.prefix and user.email.domain are both left blank, no transformation is applied and policy evaluation uses plain portal user and group names.

Azure SQL

Use azure for Azure SQL Database / Azure Synapse. Keep ranger.policysync.connector.0.user.email.domain blank (empty). Set domain.prefix only when you need group-style domain prefixes; omit it or leave it empty when you do not.

Properties
ranger.policysync.connector.0.deployment=azure
ranger.policysync.connector.0.domain.prefix=priv\\
ranger.policysync.connector.0.user.email.domain=

If domain.prefix and user.email.domain are both blank, no transformation runs; policies use portal user and group names as-is.

Configuration

Privacera Manager

  1. SSH to the instance where Privacera Manager is installed.

  2. Open the connector variables file:

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/mssql/instance1/vars.connector.mssql.yml
    
  3. Add or update only the properties you need. Example for on-premises SQL Server with no name transformation (empty prefix and email domain):

    YAML
    CONNECTOR_MSSQL_DEPLOYMENT: "on-prem"
    CONNECTOR_MSSQL_DOMAIN_PREFIX: ""
    CONNECTOR_MSSQL_USER_EMAIL_DOMAIN: ""
    

    For azure, set CONNECTOR_MSSQL_DEPLOYMENT to "azure" and keep CONNECTOR_MSSQL_USER_EMAIL_DOMAIN "" (blank). Set CONNECTOR_MSSQL_DOMAIN_PREFIX when you need a domain prefix for groups—for example "priv\\" (domain prefix with trailing backslash; escape backslashes in YAML double-quoted strings)—or "" when you do not. For on-premises, you can set CONNECTOR_MSSQL_USER_EMAIL_DOMAIN (for example "privacera.com", no @) together with a non-empty prefix when you need that transformation.

  4. Run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In the PrivaceraCloud portal, go to Settings > Applications.

  2. On Connected Applications, select MSSQL and open the application for edit.

  3. Go to Access Management > ADVANCED.

  4. Under Add New Custom Properties, add the PolicySync properties you need. Examples (adjust values; omit lines you do not use):

    On-Premises SQL Server (optional email domain for user-name transformation):

    Properties
    ranger.policysync.connector.0.deployment=on-prem
    ranger.policysync.connector.0.domain.prefix=priv\\
    ranger.policysync.connector.0.user.email.domain=privacera.com
    

    Azure SQL — keep user.email.domain blank:

    Properties
    ranger.policysync.connector.0.deployment=azure
    ranger.policysync.connector.0.domain.prefix=priv\\
    ranger.policysync.connector.0.user.email.domain=
    
  5. Click SAVE to apply the changes.