General process
Add a new data source - System
From the Privacera main menu, scroll down to Settings and click Data Source Registration.
From the Data Source Registration page, click + Add System.
Enter the system name in the Name field (required).
Enter a brief description in the Description field (optional).
Click Save.
Your new entry appears upon page refresh.
Add data source - Resources
Select the settings icon in a data source detail box to add resources to your system. Resources can be applications, tables, or filesystems.
Select an application from the drop-down menu.
Enter a Name, an optional Description, and an Application Code in the Application Detail dialog box.
Set the status toggle to Enable.
Click Save.
You can optionally test your data source connection at this point by selecting Test Connection.
Select the Application Properties tab. You can import existing application properties from a file using the Import Properties option: browse to and select a JSON file, and click Add.
In the Add New Properties section, add the following properties for Dataserver. Add one property per line.
SSL: If SSL is enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8282
explorer_proxy_protocol=https
explorer_protocol=http
Non-SSL: If SSL is not enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8181
explorer_proxy_protocol=http
explorer_protocol=http
Click Test Connection.
Click Next.
A success banner displays upon a successful addition.
Note
To minimize the inflow of audits to Privacera, there is an option to add inclusion filter support for CDH (HDFS and Hive).
Enable an application
Click Edit.
Set the status to Enable.
Click Save.
AWS S3 application
The following steps show you how to add an AWS S3 application. You can allow users to access multiple S3 accounts by using AssumeRole.
Create an AWS S3 application on the Privacera Platform Portal.
Click Setting > + Add Application.
Select AWS S3 Application.
Enter the Application Name and Application Code.
Select the Application Properties tab. You can import existing application properties from a file using the Import Properties option. Browse and select the JSON file and click Add.
Under Add New Properties, add the following for Dataserver. Add one property per line.
SSL: If SSL is enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8282
explorer_proxy_protocol=https
explorer_protocol=http
Non-SSL: If SSL is not enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8181
explorer_proxy_protocol=http
explorer_protocol=http
Click Test Connection.
Click Next.
When the AWS S3 application is added successfully a success banner is displayed.
Create one more AWS S3 application by following the steps above, and add the following custom property, replacing the placeholders with the 12-digit ID of the target AWS account and the name of the role to assume:
explorer_assume_role_arn=arn:aws:iam::${111111111111}:role/${s3_assume_role}
The target role must have a trust policy that allows the identity Dataserver runs as to call sts:AssumeRole on it, and it should grant only the S3 permissions needed for the buckets in that account.
Tip
To minimize the inflow of audits to Privacera, there is an option to add inclusion filter support for CDH (HDFS and Hive).
Azure ADLS
The following steps show you how to add an Azure ADLS application:
Click Setting > + Add Application.
Select Azure ADLS.
Enter the Application Name and Application Code.
Select the Application Properties tab. You can import existing application properties from a file using the Import Properties option. Browse and select the JSON file and click Add.
Under Add New Properties, add the following for Dataserver. Add one property per line.
SSL: If SSL is enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8282
explorer_proxy_protocol=https
explorer_protocol=http
storage_type=blob
Non-SSL: If SSL is not enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8181
explorer_proxy_protocol=http
explorer_protocol=http
storage_type=blob
Click Test Connection.
Click Next.
When the Azure ADLS application is added successfully, a success banner is displayed.
Google Cloud Storage (GCS)
A) Using Credential File
A credential file is a JSON key file for a GCP service account, downloaded from GCP, that allows the service account to be used from outside GCP. Attaching this credential file gives access to the resources in the environment, which can be used to run Discovery scans on GCP resources such as GCS or GBQ.
There are two ways to incorporate the credential file.
Local File Path: Provide the path on the local file system where the credential file is saved; the system reads it and copies it internally to the configuration location.
File: Upload the credential file through the browser; the system copies it internally to the configuration location.
To add a GCS data source with credential file type, do the following:
Under GCP, add a new Data Source, then select Google Cloud Storage.
Enter the following:
Name: A name is provided by default. If required, enter a preferred name.
Description: Enter a suitable description.
Application Code: An application code is a unique identifier for a data source. A code is provided by default. If required, enter a preferred code. No two data sources can have the same application code.
In the Application Properties section, add the following properties:
Credential Type: Select Google Credentials Local File Path from the drop-down list.
Google Credentials Local File Path: /tmp (the path shown is an example; because this key file carries the service account's access, keep it readable only by the user running Privacera).
Google Project Id: ${PROJECT_ID}
Default Datasource for RealTime Scan - This value is set to false by default. Set this value to true if you have more than one data source. In such scenarios, it is recommended that you identify one data source as the default data source which will be used for real-time scanning.
Scroll down to the bottom of the screen, and under Add new properties enter the following properties:
SSL: If SSL is enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8282
explorer_proxy_protocol=https
explorer_protocol=http
Non-SSL: If SSL is not enabled for Dataserver, use the following properties.
explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8181
explorer_proxy_protocol=http
explorer_protocol=http
Click Save.
B) Using Project ID
A project ID is a unique ID assigned to a GCP project. The project ID is required in order to interact with resources in the project. Using this project ID, you can access the resources defined in the project and run Discovery scans on those resources.
To add a GCS data source with project ID, do the following:
Under GCP, add a new Data Source, then select Google Cloud Storage.
Enter the following:
Name: A name is provided by default. If required, enter a preferred name.
Description: Enter a suitable description.
Application Code: An application code is a unique identifier for a data source. A code is provided by default. If required, enter a preferred code. No two data sources can have the same application code.
In the Application Properties section, add the following properties:
Credential Type: Select Google Credentials Local File Path from the drop-down list.
Google Credentials Local File Path: /tmp
Google Project Id: ${PROJECT_ID}
Privacera Configuration Bucket: gcs. Use the same bucket name you added in GCP Configuration.
Default Datasource for RealTime Scan - This value is set to false by default. Set this value to true if you have more than one data source. In such scenarios, it is recommended that you identify one data source as the default data source, which will be used for real-time scanning.
Click Save.
If you want to scan multiple resources, or resources from a different project, see Cross-project Setup.
Google BigQuery (GBQ)
From the Privacera main menu, open Settings, and click Data Source Registration.
Add a System with the name GBQ.
Click the Setting icon of your added system, and click + Add Application.
Choose Google BigQuery as the application.
Enter the following:
Name
Description
Application Code
Enable Status (Optional).
Click Save.
Enter the Google Project Id (Required).
Default Datasource for RealTime Scan - This value is set to "false" by default. Set this value to "true" when adding the data source for a default project.
Click Next, then click Save.
Google Pub-Sub
From the Privacera main menu, select Settings, and click Data Source Registration.
Under your GCP system, +Add New Data Source, select Google Cloud Storage.
From the Add Data Source dialog box, select or enter the following properties:
Google Project Id: ${PROJECT_ID} (Required)
scan.result.topic: ${Scan_Topic_Name} (Required). Use the same topic name you created as part of the prerequisite steps.
scan.result.project.id: ${Specify_ID_of_Cross_Project}. If you do not specify a project ID, the default project ID is used.
Click Test Connection to verify the above configuration.
Click Save.
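Every procedure above ends with a hand-pasted block of key=value properties, and the documented snippets carry ${...} placeholders that must be replaced before Test Connection can succeed. The following Python script is an added example, not part of this page or of Privacera's tooling: it lints such a block before you save it, checking the combinations documented above (SSL means port 8282 with https, non-SSL means port 8181 with http, Azure ADLS needs storage_type=blob), that explorer_assume_role_arn is a well-formed IAM role ARN, that scan.result.project.id is a syntactically valid GCP project ID, and that no placeholder survived the copy. The app_type labels ("generic", "adls") and the sample blocks are constructed for the example; the ARN and project-ID formats are general AWS and GCP rules.

```python
"""Lint a Privacera data-source property block before saving it.

Added example, not Privacera code. Parses the 'one property per line' text
pasted under Add New Properties and reports inconsistencies against the
combinations this page documents. The app_type labels are an assumption.
"""
import re

# IAM role ARN: 12-digit account ID, then role/<name> (path segments allowed).
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
# ${...} left over from copying the documentation verbatim.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")
# GCP project ID: 6-30 chars, lowercase letters, digits, hyphens; starts with a letter, no trailing hyphen.
GCP_PROJECT = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# explorer_proxy_protocol -> explorer_proxy_port, as documented on this page.
PORT_FOR_PROTOCOL = {"https": "8282", "http": "8181"}


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value property: {line!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_properties(text, app_type="generic"):
    """Return a list of findings; an empty list means the block is consistent."""
    props = parse_properties(text)
    findings = []

    # Placeholders copied straight from the documentation are never valid values.
    for key, value in props.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{key}: unsubstituted placeholder {value!r}")

    # Port and protocol must agree with the SSL / non-SSL pairing documented above.
    if props.get("explorer_proxy_enable") == "true":
        proto = props.get("explorer_proxy_protocol")
        port = props.get("explorer_proxy_port")
        if proto not in PORT_FOR_PROTOCOL:
            findings.append(f"explorer_proxy_protocol must be http or https, got {proto!r}")
        elif port != PORT_FOR_PROTOCOL[proto]:
            findings.append(f"explorer_proxy_protocol={proto} expects port {PORT_FOR_PROTOCOL[proto]}, got {port!r}")
        if not props.get("explorer_proxy_host"):
            findings.append("explorer_proxy_host is missing")

    if app_type == "adls" and props.get("storage_type") != "blob":
        findings.append("Azure ADLS requires storage_type=blob")

    arn = props.get("explorer_assume_role_arn")
    if arn is not None and not ROLE_ARN.match(arn):
        findings.append(f"explorer_assume_role_arn is not an IAM role ARN: {arn!r}")

    project = props.get("scan.result.project.id")
    if project is not None and not GCP_PROJECT.match(project):
        findings.append(f"scan.result.project.id is not a valid GCP project ID: {project!r}")

    return findings


# Constructed samples: the documented SSL block; a common copy-paste mix-up
# (https with the non-SSL port) plus the AssumeRole line with its placeholders
# intact; and a non-SSL ADLS block.
SSL_BLOCK = """explorer_proxy_enable=true
explorer_proxy_host=dataserver
explorer_proxy_port=8282
explorer_proxy_protocol=https
explorer_protocol=http
"""
MIXED_UP_BLOCK = SSL_BLOCK.replace("8282", "8181") + \
    "explorer_assume_role_arn=arn:aws:iam::${111111111111}:role/${s3_assume_role}\n"
ADLS_BLOCK = SSL_BLOCK.replace("8282", "8181").replace("https", "http") + "storage_type=blob\n"

if __name__ == "__main__":
    for name, block, kind in (("ssl", SSL_BLOCK, "generic"),
                              ("mixed", MIXED_UP_BLOCK, "generic"),
                              ("adls", ADLS_BLOCK, "adls")):
        print(name, lint_properties(block, kind) or "OK")
```

Run it on the block you are about to paste; a clean result does not prove the connection will work (that is what Test Connection is for), but it catches the two mistakes that otherwise surface only as an opaque connection failure: a protocol/port mismatch and a placeholder left in the role ARN or project ID.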