Skip to content

SCIM Property List

SCIM Connector Info

Property Description Example
SCIM_CONNECTOR Name of the connector. OKTA
SCIM_ENABLED Enabled status of connector. (true/false) true
SCIM_SERVICETYPE Type of service/connector. scim
SCIM_DATASOURCE_NAME Unique datasource name, used for identifying source of data and configuring priority list. (Optional) scim
SCIM_URL The SCIM endpoint URL https://domian.scimservice.com/api/scim/v2
SCIM_AUTH_TYPE Authentication type for SCIM service (bearer/basic). bearer
ADMIN_USER_BEARER_TOKEN Bearer token A8b2c84d-895a-4fea-82dc-401397b8e50c
SCIM_AUTH_USERNAME Username if SCIM_AUTH_TYPE is "basic" admin
SCIM_AUTH_PASSWORD Password if SCIM_AUTH_TYPE is "basic" password
SCIM_SEARCH_USER_GROUPONLY Syncs users who are members of synced groups. false
SCIM_SYNC_INTERVAL Frequency of usersync pulls and audit records in seconds. Default value is 3600, minimum value is 300. 3600
SCIM_SEARCH_DETECT_DELETED_USERS_GROUPS Detects deleted users and groups. (true/false) true

SCIM Manage/Ignore List of Users/Groups

Property Description Example
SCIM_MANAGE_USER_LIST List of users to manage from sync results. If this list is defined, all users not on this list will be ignored.
SCIM_IGNORE_USER_LIST List of users to ignore from sync results.
SCIM_MANAGE_GROUP_LIST List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored.
SCIM_IGNORE_GROUP_LIST List of groups to ignore from sync results.

SCIM Service Principal

Property Description Example
SCIM_SERVICEPRINCIPAL_ENABLED Enables sync of service principal as a user. false
SCIM_SERVICEPRINCIPAL_USERNAME Username attribute of the service principal. applicationId
SCIM_SERVICEPRINCIPAL_FLAG_ATTRIBUTE_KEY Attribute key to identify service principal. databricks_service_principal

SCIM User/Group Attributes

Property Description Example
SCIM_ATTRIBUTE_USERNAME Attribute from user entry that would be treated as user name. userName
SCIM_ATTRIBUTE_FIRSTNAME Attribute from user entry that would be treated as firstname. name.givenName
SCIM_ATTRIBUTE_LASTNAME Attribute from user entry that would be treated as lastname. name.familyName
SCIM_ATTRIBUTE_EMAIL Attribute from user entry that would be treated as email address. emails[primary-true].value
SCIM_ATTRIBUTE_GROUPS Attribute of user’s group list. groups
SCIM_ATTRIBUTE_GROUPNAME Attribute of a group’s name. displayName
SCIM_ATTRIBUTE_GROUP_MEMBERS Attribute of a group’s members. members

SCIM User/Group Attribute Modifications

Property Description Example
SCIM_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL Extract the user’s username from an email address. (e.g. username@domain.com -> username) The default is false. false
SCIM_ATTRIBUTE_USERNAME_VALUE_PREFIX Prefix to prepend to username. The default is blank.
SCIM_ATTRIBUTE_USERNAME_VALUE_POSTFIX Postfix to append to the username. The default is blank.
SCIM_ATTRIBUTE_USERNAME_VALUE_TOLOWER Convert the user’s username to lowercase. The default is false. false
SCIM_ATTRIBUTE_USERNAME_VALUE_TOUPPER Convert the user’s username to uppercase. The default is false. false
SCIM_ATTRIBUTE_USERNAME_VALUE_REGEX Attribute to replace username to matching regex. The default is blank.
SCIM_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL Extract the group’s name from an email address (e.g. groupname@domain.com -> groupname). The default is false. false
SCIM_ATTRIBUTE_GROUPNAME_VALUE_PREFIX Prefix to prepend to the group’s name. The default is blank.
SCIM_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX Postfix to append to the group’s name. The default is blank.
SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER Convert the group’s name to lowercase. The default is false. false
SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER Convert the group’s name to uppercase. The default is false. false
SCIM_ATTRIBUTE_GROUPNAME_VALUE_REGEX Attribute to replace group name to matching regex. The default is blank.

UserSync system properties on Privacera Self-Managed and Data Plane

UserSync property Description Property Default
PRIVACERA_USERSYNC_RANGER_URL Address of Ranger instance. ranger.url http://ranger:6080
PRIVACERA_USERSYNC_RANGER_USERNAME Username of Ranger user. ranger.username admin
PRIVACERA_USERSYNC_RANGER_PASSWORD Password of Ranger user. ranger.password admin
PRIVACERA_USERSYNC_CONTEXT_CLASS Implementation class used for USContext. Storage of synced Users and Groups. usersync.context.class com.privacera.usersync.context.USContextRocksDBOptions: com.privacera.usersync.context.USContextRocksDB com.privacera.usersync.context.USContextMemory
PRIVACERA_USERSYNC_CONTEXT_DATASOURCE_PRIORITY_LIST Priority list of configured datasources. Sources nearest the beginning of the list will be used over sources later in the list. usersync.context.datasource.priority.list
PRIVACERA_USERSYNC_DETECT_CACHE_DIFFERENCES_ENABLED To enable the cache synchronization. While UserSync reads data from an IdP, for performance, the incoming user data is kept in cache and periodically compared to user data already synced to the Privacera portal. From cache, UserSync pushes user data from the IdP that has been reconciled with the Privacera portal to the connected applications. usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.enabled true
PRIVACERA_USERSYNC_DETECT_CACHE_INTERVAL_SECONDS Frequency of cache synchronization in seconds. usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.intervalInSeconds 43200
PRIVACERA_USERSYNC_LOADER_BULK_ENABLED Load users to Portal in batches. usersync.user.loader.bulk.enabled true
PRIVACERA_USERSYNC_LOADER_BULK_BATCHSIZE Size of batches to load Users into Portal. usersync.user.loader.bulk.batchsize 100
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCH_ENABLE Load group memberships to Portal in batches. usersync.user.loader.update.group.memberships.batch.enable false
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCHSIZE Size of batches to load Group memberships into Portal. usersync.user.loader.update.group.memberships.batchsize 1000
PRIVACERA_USERSYNC_STARTUP_PERFORM_OPERATIONS_ENABLED Scan for and perform any pending operations in cache (User/Group objects) at service start-up. usersync.startup.performoperations.enabled true
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MIN Minimum threads for processing user/group updates (<=0 will use a cached thread pool). usersync.user.loader.process.thread.min 1
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MAX Maximum threads for processing user/group updates (if min is <= 0, this has no effect). usersync.user.loader.process.thread.max 1
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_KEEPALIVE_SECONDS Keep alive time for threads processing user/group updates. usersync.user.loader.process.thread.keepalive.seconds 30
PRIVACERA_USERSYNC_SECRETS_FILE JCEKS KeyStore File Paths privacera.usersync.keystore.files
PRIVACERA_USERSYNC_SECRETS_KEYSTORE_PASSWORDS JCEKS KeyStore Files Passwords privacera.usersync.keystore.passwords
PRIVACERA_USERSYNC_SECRETS_KEYPREFIX Secure keys alias prefix privacera.usersync.secure.key.prefix jceks
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_FILE SSL Truststore path ssl.truststore
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD SSL Truststore password ssl.truststore.password
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_INTERVAL_IN_MILLIS Delay in milliseconds between retry attempts for initializing Ranger user loader. usersync.user.loader.ranger.init.retryinterval.ms 30000
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_LIMIT Maximum retry attempts for initializing Ranger user loader. (<0 indicates unlimited retries) usersync.user.loader.ranger.init.retrylimit -1
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_INTERVAL_IN_MILLIS Delay in milliseconds between retry attempts for requests to Ranger ranger.request.retryinterval.ms 10000
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_LIMIT Maximum retry attempts for requests to Ranger ranger.request.retrylimit 3
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BULK_ENABLED Enable bulk update of group memberships to Ranger usersync.user.loader.update.group.memberships.bulk.enabled true
PRIVACERA_USERSYNC_CONTEXT_OPEN_MAX_RETRY Maximum retry attempts to open RocksDB cache usersync.context.rocksdb.open.max.retry 5
PRIVACERA_USERSYNC_CONTEXT_OPEN_DESTROY_ON_FAIL Enable automatic destroy of RocksDB cache if unable to open (corrupted). Cache will be rebuilt. usersync.context.rocksdb.open.destroyonfail true
PRIVACERA_USERSYNC_API_SECURITY_USER_NAME If configured, Usersync REST APIs are available with basic auth. usersync.api.security.user.name
PRIVACERA_USERSYNC_API_SECURITY_USER_PASSWORD If configured, Usersync REST APIs are available with basic auth. usersync.api.security.user.password
PRIVACERA_USERSYNC_LOADER_ASSIGN_ROLE_PRIORITY_LIST Priority list of roles if a user has multiple roles mapped. Highest priority role will be applied to the user. usersync.user.loader.assign.role.priority.list ROLE_SYS_ADMIN,ROLE_ADMIN_AUDITOR
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST Provide a list of group names, whose members will be assigned the admin role. usersync.user.loader.assign.role.ROLE_SYS_ADMIN.group.list
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST Provide a list of user names, who will be assigned the admin role. usersync.user.loader.assign.role.ROLE_SYS_ADMIN.user.list
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST Provide a list of group names, whose members will be assigned the auditor role. usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.group.list
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST Provide a list of user names, who will be assigned the auditor role. usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.user.list

Comments