- Platform Release 6.5
- Privacera Platform Release 6.5
- Enhancements and updates in Privacera Access Management 6.5 release
- Enhancements and updates in Privacera Discovery 6.5 release
- Enhancements and updates in Privacera Encryption 6.5 release
- Deprecation of older version of PolicySync
- Upgrade Prerequisites
- Supported versions of third-party systems
- Documentation changelog
- Known Issues 6.5
- Platform - Supported Versions of Third-Party Systems
- Platform Support Policy and End-of-Support Dates
- Privacera Platform Release 6.5
- Privacera Platform Installation
- About Privacera Manager (PM)
- Install overview
- Prerequisites
- Installation
- Default services configuration
- Component services configurations
- Access Management
- Data Server
- UserSync
- Privacera Plugin
- Databricks
- Spark standalone
- Spark on EKS
- Portal SSO with PingFederate
- Trino Open Source
- Dremio
- AWS EMR
- AWS EMR with Native Apache Ranger
- GCP Dataproc
- Starburst Enterprise
- Privacera services (Data Assets)
- Audit Fluentd
- Grafana
- Ranger Tagsync
- Discovery
- Encryption & Masking
- Privacera Encryption Gateway (PEG) and Cryptography with Ranger KMS
- AWS S3 bucket encryption
- Ranger KMS
- AuthZ / AuthN
- Security
- Access Management
- Reference - Custom Properties
- Validation
- Additional Privacera Manager configurations
- Upgrade Privacera Manager
- Troubleshooting
- How to validate installation
- Possible Errors and Solutions in Privacera Manager
- Unable to Connect to Docker
- Terminate Installation
- 6.5 Platform Installation fails with invalid apiVersion
- Ansible Kubernetes Module does not load
- Unable to connect to Kubernetes Cluster
- Common Errors/Warnings in YAML Config Files
- Delete old unused Privacera Docker images
- Unable to debug error for an Ansible task
- Unable to upgrade from 4.x to 5.x or 6.x due to Zookeeper snapshot issue
- Storage issue in Privacera UserSync & PolicySync
- Permission Denied Errors in PM Docker Installation
- Unable to initialize the Discovery Kubernetes pod
- Portal service
- Grafana service
- Audit server
- Audit Fluentd
- Privacera Plugin
- How-to
- Appendix
- AWS topics
- AWS CLI
- AWS IAM
- Configure S3 for real-time scanning
- Install Docker and Docker compose (AWS-Linux-RHEL)
- AWS S3 MinIO quick setup
- Cross account IAM role for Databricks
- Integrate Privacera services in separate VPC
- Securely access S3 buckets ssing IAM roles
- Multiple AWS account support in Dataserver using Databricks
- Multiple AWS S3 IAM role support in Dataserver
- Azure topics
- GCP topics
- Kubernetes
- Microsoft SQL topics
- Snowflake configuration for PolicySync
- Create Azure resources
- Databricks
- Spark Plug-in
- Azure key vault
- Add custom properties
- Migrate Ranger KMS master key
- IAM policy for AWS controller
- Customize topic and table names
- Configure SSL for Privacera
- Configure Real-time scan across projects in GCP
- Upload custom SSL certificates
- Deployment size
- Service-level system properties
- PrestoSQL standalone installation
- AWS topics
- Privacera Platform User Guide
- Introduction to Privacera Platform
- Settings
- Data inventory
- Token generator
- System configuration
- Diagnostics
- Notifications
- How-to
- Privacera Discovery User Guide
- What is Discovery?
- Discovery Dashboard
- Scan Techniques
- Processing order of scan techniques
- Add and scan resources in a data source
- Start or cancel a scan
- Tags
- Dictionaries
- Patterns
- Scan status
- Data zone movement
- Models
- Disallowed Tags policy
- Rules
- Types of rules
- Example rules and classifications
- Create a structured rule
- Create an unstructured rule
- Create a rule mapping
- Export rules and mappings
- Import rules and mappings
- Post-processing in real-time and offline scans
- Enable post-processing
- Example of post-processing rules on tags
- List of structured rules
- Supported scan file formats
- Data Source Scanning
- Data Inventory
- TagSync using Apache Ranger
- Compliance Workflow
- Data zones and workflow policies
- Workflow Policies
- Alerts Dashboard
- Data Zone Dashboard
- Data zone movement
- Workflow policy use case example
- Discovery Health Check
- Reports
- How-to
- Privacera Encryption Guide
- Overview of Privacera Encryption
- Install Privacera Encryption
- Encryption Key Management
- Schemes
- Encryption with PEG REST API
- Privacera Encryption REST API
- PEG API endpoint
- PEG REST API encryption endpoints
- PEG REST API authentication methods on Privacera Platform
- Common PEG REST API fields
- Construct the datalist for the /protect endpoint
- Deconstruct the response from the /unprotect endpoint
- Example data transformation with the /unprotect endpoint and presentation scheme
- Example PEG API endpoints
- /authenticate
- /protect with encryption scheme
- /protect with masking scheme
- /protect with both encryption and masking schemes
- /unprotect without presentation scheme
- /unprotect with presentation scheme
- /unprotect with masking scheme
- REST API response partial success on bulk operations
- Audit details for PEG REST API accesses
- Make encryption API calls on behalf of another user
- Troubleshoot REST API Issues on Privacera Platform
- Privacera Encryption REST API
- Encryption with Databricks, Hive, Streamsets, Trino
- Databricks UDFs for encryption and masking on PrivaceraPlatform
- Hive UDFs for encryption on Privacera Platform
- StreamSets Data Collector (SDC) and Privacera Encryption on Privacera Platform
- Trino UDFs for encryption and masking on Privacera Platform
- Privacera Access Management User Guide
- Privacera Access Management
- How Polices are evaluated
- Resource policies
- Policies overview
- Creating Resource Based Policies
- Configure Policy with Attribute-Based Access Control
- Configuring Policy with Conditional Masking
- Tag Policies
- Entitlement
- Service Explorer
- Users, groups, and roles
- Permissions
- Reports
- Audit
- Security Zone
- Access Control using APIs
- AWS User Guide
- Overview of Privacera on AWS
- Configure policies for AWS services
- Using Athena with data access server
- Using DynamoDB with data access server
- Databricks access manager policy
- Accessing Kinesis with data access server
- Accessing Firehose with Data Access Server
- EMR user guide
- AWS S3 bucket encryption
- Getting started with Minio
- Plugins
- How to Get Support
- Coordinated Vulnerability Disclosure (CVD) Program of Privacera
- Shared Security Model
- Privacera Platform documentation changelog
Data zones and workflow policies
Data zones are distinct areas in a data lake that serve specific and well-defined purposes.
Data owners and data governors can create data zones based on domains, business functional ownership, or other logical groupings. Some examples of data zones:
A data zone to manage customer data under the guardianship of a customer data steward.
A data zone to manage finance data assets under the guardianship of a data administrator from the finance organization.
Data zones simplify data access management and relieve IT of the burden of managing policies for the entire enterprise. The administrative function for a data zone can be delegated to specific data owners who have the proper permissions/roles to administer the zone. Administrators can apply selective workflow policies to their data zones.
Planning a data zone
Before you create a data zone, you should:
Identify the data owners and data governors for the data zone. Make sure these people have been added to Privacera as users.
Identify the resources, data sources and applications that should be included in the data zone.
Decide on a useful name and explanatory description for the data zone
Study the types of data zone policies to determine the kinds of policies you want to enforce in the data zone.
Create a data zone
To create a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, click +.
The Add Data Zone dialog is displayed.
In the Data Zone Name field, enter a name for the data zone.
In the Description field, enter a description (optional).
Click Save.
The data zone is created.
About the Data Zones page
The Data Zones page displays information about your data zones. This information is displayed in five different tabs:
Resources: This tab allows you to add files and folders for scanning so that you can apply policy to them. You can filter the list of resources using the search bar. The Resources tab displays the following information:
Application: The name of an application.
Resource: The name of a resource.
Re-evaluate: Allows you to re-validate resource files. Before selecting Re-evaluate , the resource file must already be scanned. This option is only available in the Right to Privacy policy and Expunge policies because these policies do not work with real-time and offline scans.
Actions: Allows you to edit or delete a resource.
Delegated Admin: A delegated admin has permission to scan data zone resources. By default, the delegated admin is privacera. Click the edit icon to change the delegated admin name.
Owners: A list of owners. You can filter the list using the search bar. The Owners tab displays the following information:
Owner: The name of the owner.
Description: The description of the owner.
Actions: Allows you to edit or delete an owner.
Policies: A list of policies. You can filter the policy list using the search bar. The Policies tab displays the following information:
Policy: The name of the policy.
Type: The type of policy. See Data Zone Workflow Policy Fields
Conditions: The conditions pertaining to the policy.
Alert Level: The alert levels: High, Medium, or Low.
Actions: The actions related to policy.
Enabled: The status of policy: Enabled or Disabled.
Settings: This allows you to edit the policy as well as you can delete the policy on clicking on respective icon under Settings column.
Tags: This tab displays the tags associated with the data zone. You can modify the tags by clicking the Edit.
Add resources
You can add two types of resources to a data zone:
Files
Database table names
To add resources to an existing data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
Select a data zone from the Data Zones menu and click ADD RESOURCE.
The Add Resource dialog is displayed.
Select an application from the Application dropdown menu (required).
In the Resource field, enter a resource name.
Note
You can add * wildcard entries for the table name.
Click Save.
The File Format resource is added.
Note
Similarly, you can add the Table format resource. i.e. DB Name and Table Name.
Click Save to create the Resource.
Configure data zone policies
Data zone policies are configured to monitor resources in a particular data zone or data lake. Alerts can be raised based on restricted users, user groups, subnets, subnet-range, tags, and restricted zones.
See Data Zone Workflow Policy Fields
To create a policy for data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, select the data zone and click the Policies tab.
Click Add Policy.
The Add Policy dialog is displayed.
In the Name field, enter a name for the policy (required).
Select an alert level from the Alert Level dropdown menu.
Select a policy type from the Type dropdown menu (required).
Note
This will change the Source label as needed. By default, Disallowed Movement policy is selected.
Enter a description into the Description field.
Using the Status toggle, set the status of the policy. By default, it is set to Enable.
Select the required Application.
Click Save.
The policy is created.
Create tags for data zones
To create a tag for data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, select an existing data zone and click the Tags tab.
Click Edit and select the Tag(s).
Select the tag(s) from the Tags dropdown menu.
Click Save.
The tags are created.
Edit data zones
To edit an existing data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, select the data zone to edit and click Edit.
The Edit Data Zone dialog is displayed.
In the Data Zone Name field, enter a name for the data zone (required).
In the Description field, enter description of the data zone.
Click Save.
The data zone is updated.
Delete data zones
To delete a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, select the created data zone and click Delete.
The Confirm Delete dialog displays.
Click Delete.
The data zone is deleted.
Disable data zones
To disable a data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, select the created data zone disable it using the Status toggle.
The data zone is disabled.
Enable data zones
To enable a data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, select the created data zone and enable it using the Status toggle.
The data zone is enabled.
Import data zones
To import a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, click the Import icon.
The Import Data Zone dialog is displayed.
Browse and select the JSON file you want to import.
Note
Only JSON format is allowed.
Click Import.
The data zone is imported.
Export data zones
To export a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, click the Export icon.
Select the Data Zone(s) you want to export and click Export.
The Export Data Zone dialog displays.
Select either JSON or CSV as the export format.
Click Export.
The data zone is downloaded to your computer.
You can filter the data zone list using the Search Data Zone option. Also, the refresh feature allows you to view the updated datazone list.
Compliance Workflow Policies
Privacera has the following types of Compliance Workflow policies:
Note
If you want to use encryption for Compliance Workflow policies (i.e., De-Identification, Right to Privacy, and Workflow Encryption), you have to add the privacera_service_discovery user. See Add Discovery User for Encryption Service.
Note
The following Compliance Workflow policies are not supported on the GCP platform:
Workflow Policy
De-identification Policy
Right to Privacy Policy
Expunge Policy
Workflow Expunge Policy
Supported file formats by policy type
The following table shows the supported file formats for each policy type.
Policies | csv | avro | parquet | json | orc |
|---|---|---|---|---|---|
Workflow with Encryption | Yes | Yes | Yes | Yes | Yes |
Workflow without Encryption | Yes | Yes | Yes | Yes | Yes |
Workflow Expunge | - | - | - | Yes | - |
De-identification | Yes | Yes | Yes | Yes | Yes |
RTP | Yes | Yes | Yes | Yes | - |
Expunge | Yes | Yes | Yes | Yes | - |