Privacera UserSync
Privacera Data Access User Synchronization
Learn how you can synchronize users and groups from different connectors.
LDAP
Run the following command to enable Privacera UserSync:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
Enable the LDAP connector:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.ldap.yml config/custom-vars/
vi config/custom-vars/vars.privacera-usersync.ldap.yml
Edit the following properties:
A) LDAP Connector Info
LDAP_CONNECTOR: Name of the connector. Example: ad
LDAP_ENABLED: Enabled status of the connector: true or false. Example: true
LDAP_SERVICE_TYPE: Set a service type: ldap or ad. Example: ad
LDAP_DATASOURCE_NAME: Name of the datasource: ldap or ad. Example: ad
LDAP_URL: URL of the source LDAP server. Example: ldap://example.us:389
LDAP_BIND_DN: DN used to connect to LDAP and then query for users and groups. Example: CN=Example User,OU=sales,DC=ad,DC=sales,DC=us
LDAP_BIND_PASSWORD: LDAP bind password for the bind DN specified above.
LDAP_AUTH_TYPE: Authentication type. The default is simple. Example: simple
LDAP_REFERRAL: Set the LDAP context referral: ignore or follow. The default value is follow. Example: follow
LDAP_SYNC_INTERVAL: Frequency of usersync pulls and audit records in seconds. The default value is 3600, the minimum value is 300. Example: 3600
B) Enable SSL for LDAP Server
Note: Support Chain SSL - Preview Functionality. Previously, Privacera services used only one SSL certificate of the LDAP server even if a chain of certificates was available. Now, as a preview functionality, all certificates available in the certificate chain are imported into the truststore. This applies to the Privacera UserSync, Ranger UserSync and Portal SSL certificates.
PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED: Set this property to enable/disable SSL for Privacera UserSync. Example: true
PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: Set this property if you want Privacera Manager to generate a truststore for your SSL-enabled LDAP server. Example: true
PRIVACERA_USERSYNC_AUTH_SSL_ENABLED: Set this property if the other Privacera services are not SSL-enabled and you are using an SSL-enabled LDAP server. Example: true
C) LDAP Search
LDAP_SEARCH_GROUP_FIRST: Enable to search for groups first, before searching for users. Example: true
LDAP_SEARCH_BASE: Search base for users and groups. Example: DC=ad,DC=sales,DC=us
LDAP_SEARCH_USER_BASE: Search base for users. Example: ou=example,dc=ad,dc=sales,dc=us
LDAP_SEARCH_USER_SCOPE: Search scope for users: base, one or sub. The default value is sub. Example: sub
LDAP_SEARCH_USER_FILTER: Optional additional filter constraining the users selected for syncing.
LDAP_SEARCH_USER_GROUPONLY: Boolean to only load users that are members of groups. Example: false
LDAP_ATTRIBUTE_ONLY: Sync only the attributes of users already synced from other services. Example: false
LDAP_SEARCH_INCREMENTAL_ENABLED: Enable incremental search, syncing only changes since the last search. Example: false
LDAP_PAGED_RESULTS_ENABLED: Enable the paged results control for LDAP searches. The default is true. Example: true
LDAP_PAGED_CONTROL_CRITICAL: Set the paged results control criticality to CRITICAL. The default is true. Example: true
LDAP_SEARCH_GROUP_BASE: Search base for groups. Example: ou=example,dc=ad,dc=sales,dc=us
LDAP_SEARCH_GROUP_SCOPE: Search scope for groups: base, one or sub. The default value is sub. Example: sub
LDAP_SEARCH_GROUP_FILTER: Optional additional filter constraining the groups selected for syncing.
LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION: Number of sync cycles between deleted-entity searches. The default value is 6. Example: 6
LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS: Enables both the user and the group deleted search. The default is false. Example: false
LDAP_SEARCH_DETECT_DELETED_USERS: Override setting for the user deleted search. The default value is that of LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS.
LDAP_SEARCH_DETECT_DELETED_GROUPS: Override setting for the group deleted search. The default value is that of LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS.
D) LDAP Manage/Ignore List of Users/Groups
LDAP_MANAGE_USER_LIST: List of users to manage from the sync results. If this list is defined, all users not on this list will be ignored.
LDAP_IGNORE_USER_LIST: List of users to ignore from the sync results.
LDAP_MANAGE_GROUP_LIST: List of groups to manage from the sync results. If this list is defined, all groups not on this list will be ignored.
LDAP_IGNORE_GROUP_LIST: List of groups to ignore from the sync results.
E) LDAP Object Users/Groups Class
LDAP_OBJECT_USER_CLASS: Objectclass that identifies user entries. Example: user
LDAP_OBJECT_GROUP_CLASS: Objectclass that identifies group entries. Example: group
F) LDAP User/Group Attributes
LDAP_ATTRIBUTE_USERNAME: Attribute from the user entry that is treated as the user name. Example: SAMAccountName
LDAP_ATTRIBUTE_FIRSTNAME: Attribute of a user's first name. The default is givenName. Example: givenName
LDAP_ATTRIBUTE_LASTNAME: Attribute of a user's last name.
LDAP_ATTRIBUTE_EMAIL: Attribute from the user entry that is treated as the email address. Example: mail
LDAP_ATTRIBUTE_GROUPNAMES: List of attributes from the group entry that are treated as group names.
LDAP_ATTRIBUTE_GROUPNAME: Attribute from the group entry that is treated as the group name. Example: name
LDAP_ATTRIBUTE_GROUP_MEMBER: Attribute from the group entry that holds the list of members. Example: member
G) Username/Group name Attribute Modification
LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extract the username from an email address (e.g. username@domain.com -> username). The default is false. Example: false
LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX: Prefix to prepend to the username. The default is blank.
LDAP_ATTRIBUTE_USERNAME_VALUE_POSTFIX: Postfix to append to the username. The default is blank.
LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER: Convert the username to lowercase. The default is false. Example: false
LDAP_ATTRIBUTE_USERNAME_VALUE_TOUPPER: Convert the username to uppercase. The default is false. Example: false
LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX: Regex applied to the username; the matching part is replaced. The default is blank.
LDAP_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL: Extract the group name from an email address. The default is false. Example: false
LDAP_ATTRIBUTE_GROUPNAME_VALUE_PREFIX: Prefix to prepend to the group's name. The default is blank.
LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX: Postfix to append to the group's name. The default is blank.
LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER: Convert the group's name to lowercase. The default is false. Example: false
LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER: Convert the group's name to uppercase. The default is false. Example: false
LDAP_ATTRIBUTE_GROUPNAME_VALUE_REGEX: Regex applied to the group's name; the matching part is replaced. The default is blank.
H) Group Attribute Configuration
LDAP_GROUP_ATTRIBUTE_LIST: The list of attribute keys to get from synced groups.
LDAP_GROUP_ATTRIBUTE_VALUE_PREFIX: Prefix to prepend to the values of group attributes such as the group name.
LDAP_GROUP_ATTRIBUTE_KEY_PREFIX: Prefix to prepend to the keys of group attributes such as the group name.
LDAP_GROUP_LEVELS: Configure Privacera UserSync for AD/LDAP nested group membership.
Run the following command:
cd ~/privacera/privacera-manager
./privacera-manager.sh update
LDAP/AD deleted entity detection
When enabled, LDAP/AD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.
Properties:
- Boolean: usersync.connector.0.search.deleted.group.enabled (default: false)
- Boolean: usersync.connector.0.search.deleted.user.enabled (default: false)
- Numeric: usersync.connector.#.search.deleted.cycles (default: 6)
Privacera Manager Variables:
In the LDAP connector properties table above, see under LDAP Search (section C).
Azure Active Directory (AAD)
Run the following command to enable Privacera UserSync:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
Enable the AAD connector:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/
vi config/custom-vars/vars.privacera-usersync.azuread.yml
Edit the following properties:
A) AAD Basic Info
AZURE_AD_CONNECTOR: Name of the connector. Example: AAD1
AZURE_AD_ENABLED: Enabled status of the connector (true/false). Example: true
AZURE_AD_SERVICE_TYPE: Service type.
AZURE_AD_DATASOURCE_NAME: Name of the datasource.
AZURE_AD_ATTRIBUTE_ONLY: Sync only the attributes of users already synced from other services. Example: false
AZURE_AD_SYNC_INTERVAL: Frequency of usersync pulls and audit records in seconds. The default value is 3600, the minimum value is 300. Example: 3600
B) Azure AAD Info (get the following information from the Azure Portal)
AZURE_AD_TENANT_ID: Azure Active Directory ID (tenant ID). Example: 1a2b3c4d-azyd-4755-9638-e12xa34p56le
AZURE_AD_CLIENT_ID: Azure Active Directory application client ID used for accessing the Microsoft Graph API. Example: 11111111-1111-1111-1111-111111111111
AZURE_AD_CLIENT_SECRET: Azure Active Directory application client secret used for accessing the Microsoft Graph API.
AZURE_AD_USERNAME: Azure account username used to obtain an access token on behalf of the Azure AD application.
AZURE_AD_PASSWORD: Azure account password used to obtain an access token on behalf of the Azure AD application.
C) AAD Manage/Ignore List of Users/Groups
AZURE_AD_MANAGER_USER_LIST: List of users to manage from the sync results. If this list is defined, all users not on this list will be ignored.
AZURE_AD_IGNORE_USER_LIST: List of users to ignore from the sync results.
AZURE_AD_MANAGE_GROUP_LIST: List of groups to manage from the sync results. If this list is defined, all groups not on this list will be ignored.
AZURE_AD_IGNORE_GROUP_LIST: List of groups to ignore from the sync results.
D) AAD Search
AZURE_AD_SEARCH_SCOPE: Azure AD application access scope.
AZURE_AD_SEARCH_USER_GROUPONLY: Boolean to only load users that are members of groups. Example: false
AZURE_AD_SEARCH_INCREMENTAL_ENABLED: Enable incremental search, syncing only changes since the last search. Example: false
AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS: Enables both the user and the group deleted search. The default is false. Example: false
AZURE_AD_SEARCH_DETECT_DELETED_USERS: Override setting for the user deleted search. The default value is that of AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS.
AZURE_AD_SEARCH_DETECT_DELETED_GROUPS: Override setting for the group deleted search. The default value is that of AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS.
E) Azure Service Principal
Note: If Sync Service Principals as Users is enabled, AAD does not require the displayName of a Service Principal to be a unique value. In this case a different attribute (such as appId) should be used as the Service Principal username.
AZURE_AD_SERVICEPRINCIPAL_ENABLED: Sync Azure service principals to Ranger user entities. Example: false
AZURE_AD_SERVICEPRINCIPAL_USERNAME: Key from which the username is taken when a service principal is mapped to a Ranger user entity. Example: displayName
F) AAD User/Group Attributes
AZURE_AD_ATTRIBUTE_USERNAME: Attribute of a user's name (default: userPrincipalName).
AZURE_AD_ATTRIBUTE_FIRSTNAME: Attribute of a user's first name (default: givenName).
AZURE_AD_ATTRIBUTE_LASTNAME: Attribute of a user's last name (default: surname).
AZURE_AD_ATTRIBUTE_EMAIL: Attribute from the user entry that is treated as the email address.
AZURE_AD_ATTRIBUTE_GROUPNAME: Attribute from the group entry that is treated as the group name.
AZURE_AD_SERVICEPRINCIPAL_USERNAME: Attribute of the service principal name.
G) Username/Group name Attribute Modification
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extract the username from an email address (e.g. username@domain.com -> username). The default is false. Example: false
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_PREFIX: Prefix to prepend to the username. The default is blank.
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_POSTFIX: Postfix to append to the username. The default is blank.
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOLOWER: Convert the username to lowercase. The default is false. Example: false
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOUPPER: Convert the username to uppercase. The default is false. Example: false
AZURE_AD_ATTRIBUTE_USERNAME_VALUE_REGEX: Regex applied to the username; the matching part is replaced. The default is blank.
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL: Extract the group name from an email address. The default is false. Example: false
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_PREFIX: Prefix to prepend to the group's name. The default is blank.
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX: Postfix to append to the group's name. The default is blank.
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER: Convert the group's name to lowercase. The default is false. Example: false
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER: Convert the group's name to uppercase. The default is false. Example: false
AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_REGEX: Regex applied to the group's name; the matching part is replaced. The default is blank.
H) Group Attribute Configuration
AZURE_AD_GROUP_ATTRIBUTE_LIST: The list of attribute keys to get from synced groups.
AZURE_AD_GROUP_ATTRIBUTE_VALUE_PREFIX: Prefix to prepend to the values of group attributes such as the group name.
AZURE_AD_GROUP_ATTRIBUTE_KEY_PREFIX: Prefix to prepend to the keys of group attributes such as the group name.
I) Filter Properties
AZURE_AD_FILTER_USER_LIST: Filter the AAD user list. Supported for non-incremental search only: the delta search used when incremental search is enabled does not support filter properties. Example: abc.def@privacera.com
AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST: Filter the AAD service principal list. Supported for non-incremental search only: the delta search used when incremental search is enabled does not support filter properties. Example: abc-testapp
AZURE_AD_FILTER_GROUP_LIST: Filter the AAD group list. Supported for non-incremental search only: the delta search used when incremental search is enabled does not support filter properties. Example: PRIVACERA-AB-GROUP-00
J) Domain Properties
AZURE_AD_MANAGE_DOMAIN_LIST: Only users whose domain is in the manage domain list will be synced. Example: Privacera.US
AZURE_AD_IGNORE_DOMAIN_LIST: Users whose domain is in the ignore domain list will not be synced. Example: Privacera.US
AZURE_AD_DOMAIN_ATTRIBUTE: Attribute from which the user's domain is taken for the comparison; email and username are supported. The default is email. Example: username
Run the following command:
cd ~/privacera/privacera-manager
./privacera-manager.sh update
Azure Active Directory (AAD) deleted entity detection
When enabled, AAD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.
Properties:
- Boolean: usersync.connector.3.search.deleted.group.enabled (default: false)
- Boolean: usersync.connector.3.search.deleted.user.enabled (default: false)
Privacera Manager Variables:
In the AAD connector properties table above, see under AAD Search (section D).
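The soft-delete behaviour described for both the LDAP/AD and the AAD deleted entity detection, together with the cycles-between-detection counter from the LDAP search properties (section C), modelled end to end. This is an added Python illustration, not Privacera code; that the deleted search fires on every N-th sync cycle and that a user who reappears is un-hidden are assumptions, and the directory pulls and the policy are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # current group memberships
    hidden: bool = False                        # set by a soft delete


class Portal:
    """Stand-in for the Privacera Portal user/group store (constructed model)."""

    def __init__(self):
        self.users = {}             # name -> User
        self.groups = set()         # every group name seen from the source
        self.hidden_groups = set()  # groups that were soft-deleted
        self.policies = []          # [{"name": ..., "users": set(), "groups": set()}]

    def apply_pull(self, users, groups):
        """users: {username: set of group names}; groups: group names returned."""
        for name, memberships in users.items():
            user = self.users.setdefault(name, User(name))
            user.groups = set(memberships)
            user.hidden = False     # assumption: a user that reappears is un-hidden
        self.groups |= set(groups)
        self.hidden_groups -= set(groups)

    def soft_delete_user(self, name):
        user = self.users[name]
        user.groups.clear()         # all memberships removed ...
        user.hidden = True          # ... and the user marked hidden; policies untouched

    def soft_delete_group(self, group):
        for user in self.users.values():
            user.groups.discard(group)
        self.hidden_groups.add(group)

    def autocomplete_users(self, prefix=""):
        """Names offered while editing a policy: hidden users are not suggested."""
        return sorted(n for n, u in self.users.items()
                      if not u.hidden and n.startswith(prefix))

    def hard_delete_user(self, name):
        """Full deletion via the Portal UI/REST API: policy references go too."""
        del self.users[name]
        for policy in self.policies:
            policy["users"].discard(name)


class DeletedEntityDetector:
    """Cycle counter and deleted-entity search for one sync connector."""

    def __init__(self, portal, detect_users=False, detect_groups=False,
                 cycles_between_detection=6):
        self.portal = portal
        self.detect_users = detect_users
        self.detect_groups = detect_groups
        self.cycles = cycles_between_detection
        self.cycle = 0

    def run_cycle(self, users, groups):
        """Apply one pull, then on every N-th cycle (assumption: N = the cycles
        between detection) soft-delete what the source no longer returns."""
        self.cycle += 1
        self.portal.apply_pull(users, groups)
        events = []
        if self.cycle % self.cycles != 0:
            return events
        if self.detect_users:
            for name in sorted(set(self.portal.users) - set(users)):
                if not self.portal.users[name].hidden:
                    self.portal.soft_delete_user(name)
                    events.append(("user", name))
        if self.detect_groups:
            missing = self.portal.groups - set(groups) - self.portal.hidden_groups
            for group in sorted(missing):
                self.portal.soft_delete_group(group)
                events.append(("group", group))
        return events


def demo():
    """Constructed scenario: user bob and group sales vanish after the first pull."""
    portal = Portal()
    portal.policies.append({"name": "s3-finance-read",
                            "users": {"alice", "bob"}, "groups": {"sales"}})
    det = DeletedEntityDetector(portal, detect_users=True, detect_groups=True)
    det.run_cycle({"alice": {"sales", "eng"}, "bob": {"sales"}}, {"sales", "eng"})
    log = []
    for _ in range(5):              # cycles 2..6; detection fires on cycle 6 only
        log += det.run_cycle({"alice": {"eng"}}, {"eng"})
    return portal, log
```

Until the sixth cycle bob still looks like a normal, policy-eligible user, which is the window the cycle count controls; after it he is hidden and stripped of groups but still named in the policy until a hard delete.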
SCIM
Run the following command to enable Privacera UserSync:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
Enable the SCIM connector:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.scim.yml config/custom-vars/
vi config/custom-vars/vars.privacera-usersync.scim.yml
Edit the following properties:
A) SCIM Connector Info
SCIM_CONNECTOR: Name of the connector. Example: DB1
SCIM_ENABLED: Enabled status of the connector (true/false). Example: true
SCIM_SERVICETYPE: Service type. Example: scim
SCIM_DATASOURCE_NAME: Name of the datasource. Example: databricks1
SCIM_URL: Connector URL.
ADMIN_USER_BEARER_TOKEN: Bearer token.
SCIM_SYNC_INTERVAL: Frequency of usersync pulls and audit records in seconds. The default value is 3600, the minimum value is 300. Example: 3600
B) SCIM Manage/Ignore List of Users/Groups
SCIM_MANAGE_USER_LIST: List of users to manage from the sync results. If this list is defined, all users not on this list will be ignored.
SCIM_IGNORE_USER_LIST: List of users to ignore from the sync results.
SCIM_MANAGE_GROUP_LIST: List of groups to manage from the sync results. If this list is defined, all groups not on this list will be ignored.
SCIM_IGNORE_GROUP_LIST: List of groups to ignore from the sync results.
C) SCIM User/Group Attributes
SCIM_ATTRIBUTE_USERNAME: Attribute from the user entry that is treated as the user name. Example: userName
SCIM_ATTRIBUTE_FIRSTNAME: Attribute from the user entry that is treated as the first name. Example: name.givenName
SCIM_ATTRIBUTE_LASTNAME: Attribute from the user entry that is treated as the last name. Example: name.familyName
SCIM_ATTRIBUTE_EMAIL: Attribute from the user entry that is treated as the email address. Example: emails[primary-true].value
SCIM_ATTRIBUTE_ONLY: Sync only the attributes of users already synced from other services (true/false). Example: false
SCIM_ATTRIBUTE_GROUPS: Attribute holding the user's group list. Example: groups
SCIM_ATTRIBUTE_GROUPNAME: Attribute from the group entry that is treated as the group name. Example: displayName
SCIM_ATTRIBUTE_GROUP_MEMBER: Attribute from the group entry that holds the list of members. Example: members
D) SCIM Server Username Attribute Modifications
SCIM_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extract the user's username from an email address (e.g. username@domain.com -> username). The default is false. Example: false
SCIM_ATTRIBUTE_USERNAME_VALUE_PREFIX: Prefix to prepend to the username. The default is blank.
SCIM_ATTRIBUTE_USERNAME_VALUE_POSTFIX: Postfix to append to the username. The default is blank.
SCIM_ATTRIBUTE_USERNAME_VALUE_TOLOWER: Convert the user's username to lowercase. The default is false. Example: false
SCIM_ATTRIBUTE_USERNAME_VALUE_TOUPPER: Convert the user's username to uppercase. The default is false. Example: false
SCIM_ATTRIBUTE_USERNAME_VALUE_REGEX: Regex applied to the username; the matching part is replaced. The default is blank.
E) SCIM Server Group Name Attribute Modifications
SCIM_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL: Extract the group's name from an email address (e.g. groupname@domain.com -> groupname). The default is false. Example: false
SCIM_ATTRIBUTE_GROUPNAME_VALUE_PREFIX: Prefix to prepend to the group's name. The default is blank.
SCIM_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX: Postfix to append to the group's name. The default is blank.
SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER: Convert the group's name to lowercase. The default is false. Example: false
SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER: Convert the group's name to uppercase. The default is false. Example: false
SCIM_ATTRIBUTE_GROUPNAME_VALUE_REGEX: Regex applied to the group's name; the matching part is replaced. The default is blank.
F) Group Attribute Configuration
SCIM_GROUP_ATTRIBUTE_LIST: The list of attribute keys to get from synced groups.
SCIM_GROUP_ATTRIBUTE_VALUE_PREFIX: Prefix to prepend to the values of group attributes such as the group name.
SCIM_GROUP_ATTRIBUTE_KEY_PREFIX: Prefix to prepend to the keys of group attributes such as the group name.
Run the following command:
cd ~/privacera/privacera-manager
./privacera-manager.sh update
SCIM Server
Note: SCIM Server exposes the privacera-usersync service externally on a public/Internet-facing load balancer (LB).
Run the following command to enable Privacera UserSync:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
Enable the SCIM Server connector:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.scimserver.yml config/custom-vars/
vi config/custom-vars/vars.privacera-usersync.scimserver.yml
Edit the following properties:
A) SCIM Server Connector Info
SCIM_SERVER_CONNECTOR: Identifying name of this connector. Example: DB1
SCIM_SERVER_ENABLED: Enabled status of the connector (true/false). Example: true
SCIM_SERVER_SERVICETYPE: Type of service/connector. Example: scimserver
SCIM_SERVER_DATASOURCE_NAME: Unique datasource name, used for identifying the source of data and configuring the priority list (optional). Example: databricks1
SCIM_SERVER_ATTRIBUTE_ONLY: Sync only the attributes of users already synced from other services (true/false).
SCIM_SERVER_BEARER_TOKEN: Bearer token for authentication to the SCIM API. When set, SCIM requests presenting this token will be allowed access.
SCIM_SERVER_USERNAME: Basic auth username. When set, SCIM requests presenting this username will be allowed access (password also required).
SCIM_SERVER_PASSWORD: Basic auth password. When set, SCIM requests presenting this password will be allowed access (username also required).
SCIM_SERVER_SYNC_INTERVAL: Frequency of usersync audit records in seconds. The default value is 3600, the minimum value is 300. Example: 3600
B) SCIM Server Manage/Ignore List of Users/Groups
SCIM_SERVER_MANAGE_USER_LIST: List of users to manage from the sync results. If this list is defined, all users not on this list will be ignored.
SCIM_SERVER_IGNORE_USER_LIST: List of users to ignore from the sync results.
SCIM_SERVER_MANAGE_GROUP_LIST: List of groups to manage from the sync results. If this list is defined, all groups not on this list will be ignored.
SCIM_SERVER_IGNORE_GROUP_LIST: List of groups to ignore from the sync results.
C) SCIM Server Attributes
SCIM_SERVER_ATTRIBUTE_USERNAME: Attribute of a user's name. Example: userName
SCIM_SERVER_ATTRIBUTE_FIRSTNAME: Attribute of a user's first name. Example: name.givenName
SCIM_SERVER_ATTRIBUTE_LASTNAME: Attribute of a user's last/family name. Example: name.familyName
SCIM_SERVER_ATTRIBUTE_EMAIL: Attribute of a user's email. Example: emails[primary-true].value
SCIM_SERVER_ATTRIBUTE_GROUPS: Attribute holding a user's group list. Example: groups
SCIM_SERVER_ATTRIBUTE_GROUPNAME: Attribute of a group's name. Example: displayName
SCIM_SERVER_ATTRIBUTE_GROUP_MEMBER: Attribute from the group entry that holds the list of members. Example: members
D) SCIM Server Username Attribute Modifications
SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extract the user's username from an email address (e.g. username@domain.com -> username). The default is false. Example: false
SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_PREFIX: Prefix to prepend to the username. The default is blank.
SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_POSTFIX: Postfix to append to the username. The default is blank.
SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOLOWER: Convert the user's username to lowercase. The default is false. Example: false
SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOUPPER: Convert the user's username to uppercase. The default is false. Example: false
SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_REGEX: Regex applied to the username; the matching part is replaced. The default is blank.
E) SCIM Server Group Name Attribute Modifications
SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL: Extract the group's name from an email address (e.g. groupname@domain.com -> groupname). The default is false. Example: false
SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_PREFIX: Prefix to prepend to the group's name. The default is blank.
SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX: Postfix to append to the group's name. The default is blank.
SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER: Convert the group's name to lowercase. The default is false. Example: false
SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER: Convert the group's name to uppercase. The default is false. Example: false
SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_REGEX: Regex applied to the group's name; the matching part is replaced. The default is blank.
F) Group Attribute Configuration
SCIM_SERVER_GROUP_ATTRIBUTE_LIST: The list of attribute keys to get from synced groups.
SCIM_SERVER_GROUP_ATTRIBUTE_VALUE_PREFIX: Prefix to prepend to the values of group attributes such as the group name.
SCIM_SERVER_GROUP_ATTRIBUTE_KEY_PREFIX: Prefix to prepend to the keys of group attributes such as the group name.
If NGINX Ingress is enabled and the NGINX controller is running on an internal LB, disable the ingress for UserSync so that it can pick a public/Internet-facing LB by adding the variable below:
vi config/custom-vars/vars.kubernetes.nginx-ingress.yml
PRIVACERA_USERSYNC_K8S_NGINX_INGRESS_ENABLE: "false"
Run the following command:
cd ~/privacera/privacera-manager
./privacera-manager.sh update
OKTA
Run the following command to enable Privacera UserSync:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
Enable the OKTA connector:
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.privacera-usersync.okta.yml config/custom-vars/
vi config/custom-vars/vars.privacera-usersync.okta.yml
Edit the following properties:
A) OKTA Connector Info
OKTA_CONNECTOR: Name of the connector. Example: OKTA
OKTA_ENABLED: Enabled status of the connector (true/false). Example: true
OKTA_SERVICETYPE: Type of service/connector. Example: okta
OKTA_DATASOURCE_NAME: Unique datasource name, used for identifying the source of data and configuring the priority list (optional).
OKTA_SERVICE_URL: Connector URL. Example: https://{myOktaDomain}.okta.com
OKTA_API_TOKEN: API token. Example: A8b2c84d-895a-4fea-82dc-401397b8e50c
OKTA_SYNC_INTERVAL: Frequency of usersync pulls and audit records in seconds. The default value is 3600, the minimum value is 300. Example: 3600
B) OKTA Manage/Ignore List of Users/Groups
OKTA_USER_LIST: List of users to manage from the sync results. If this list is defined, all users not on this list will be ignored.
OKTA_IGNORE_USER_LIST: List of users to ignore from the sync results.
OKTA_USER_LIST_STATUS: List of user statuses to manage: STAGED, PROVISIONED, ACTIVE, RECOVERY, PASSWORD_EXPIRED, LOCKED_OUT or DEPROVISIONED. If this list is defined, all users whose status is not on this list will be ignored. Example: ACTIVE,STAGED
OKTA_USER_LIST_LOGIN: List of users to manage by user login name (can contain ). If this list is defined, all users not on this list will be ignored. Example: sw;mon,san
OKTA_USER_LIST_PROFILE_FIRSTNAME: List of users to manage by user first name (can contain ). If this list is defined, all users not on this list will be ignored. Example: sw;mon,san
OKTA_USER_LIST_PROFILE_LASTNAME: List of users to manage by user last name (can contain ). If this list is defined, all users not on this list will be ignored. Example: sw;mon,san
OKTA_LIST_PROFILE_EMAIL: List of users to manage by user email (can contain ). If this list is defined, all users not on this list will be ignored. Example: sw;mon,san
OKTA_LIST_TYPE: List of group types to manage: APP_GROUP, BUILT_IN or OKTA_GROUP. If this list is defined, all groups whose type is not on this list will be ignored. Example: APP_GROUP,BUILT_IN,OKTA_GROUP
OKTA_GROUP_LIST: List of groups to manage from the sync results. If this list is defined, all groups not on this list will be ignored.
OKTA_IGNORE_GROUP_LIST: List of groups to ignore from the sync results.
OKTA_GROUP_LIST_SOURCE_ID: List of groups to manage by group source ID. If this list is defined, all groups not on this list will be ignored. Example: 0oa2v0el0gP90aqjJ0g7,0oa2v0el0gP90aqjJ0g8,0oa2v0el0gP90aqjJ0g0
OKTA_GROUP_LIST_PROFILE_NAME: List of groups to manage by group name. If this list is defined, all groups not on this list will be ignored. Example: group1,testGroup,testGroup2
C) OKTA Search
OKTA_SEARCH_USER_GROUPONLY: Boolean to only load users that are members of groups. Example: false
OKTA_SEARCH_INCREMENTAL_ENABLED: Boolean to enable incremental search, syncing only changes since the last search. Example: false
D) OKTA User/Group Attributes
OKTA_ATTRIBUTE_USERNAME: Attribute from the user entry that is treated as the user name. Example: login
OKTA_ATTRIBUTE_FIRSTNAME: Attribute from the user entry that is treated as the first name. Example: firstName
OKTA_ATTRIBUTE_LASTNAME: Attribute from the user entry that is treated as the last name. Example: lastName
OKTA_ATTRIBUTE_EMAIL: Attribute from the user entry that is treated as the email address. Example: email
OKTA_ATTRIBUTE_GROUPS: Attribute holding the user's group list. Example: groups
OKTA_ATTRIBUTE_GROUPNAME: Attribute of a group's name. Example: name
OKTA_ATTRIBUTE_ONLY: Sync only the attributes of users already synced from other services (true/false). Example: false
E) OKTA Username Attribute Modifications
OKTA_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extract the user's username from an email address (e.g. username@domain.com -> username). The default is false. Example: false
OKTA_ATTRIBUTE_USERNAME_VALUE_PREFIX: Prefix to prepend to the username. The default is blank.
OKTA_ATTRIBUTE_USERNAME_VALUE_POSTFIX: Postfix to append to the username. The default is blank.
OKTA_ATTRIBUTE_USERNAME_VALUE_TOLOWER: Convert the user's username to lowercase. The default is false. Example: false
OKTA_ATTRIBUTE_USERNAME_VALUE_TOUPPER: Convert the user's username to uppercase. The default is false. Example: false
OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX: Regex applied to the username; the matching part is replaced. The default is blank.
F) OKTA Group Name Attribute Modifications
OKTA_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL: Extract the group's name from an email address (e.g. groupname@domain.com -> groupname). The default is false. Example: false
OKTA_ATTRIBUTE_GROUPNAME_VALUE_PREFIX: Prefix to prepend to the group's name. The default is blank.
OKTA_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX: Postfix to append to the group's name. The default is blank.
OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER: Convert the group's name to lowercase. The default is false. Example: false
OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER: Convert the group's name to uppercase. The default is false. Example: false
OKTA_ATTRIBUTE_GROUPNAME_VALUE_REGEX: Regex applied to the group's name; the matching part is replaced. The default is blank.
Run the following command:
cd ~/privacera/privacera-manager
./privacera-manager.sh update
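The username/group-name modification properties (EXTRACTFROMEMAIL, PREFIX, POSTFIX, TOLOWER, TOUPPER, REGEX) that the LDAP, AAD, SCIM, SCIM Server and OKTA connectors share, the manage/ignore lists, and the AAD domain lists (section J), combined into one pass over a pull result, with a check for two source identities collapsing onto one synced name. This is an added Python model, not Privacera code; the order in which the modifications are applied, the (pattern, replacement) form of the REGEX property, matching the lists against the unmodified value and case-insensitive domain comparison are assumptions, and the user entries are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class NameRules:
    """Mirror of the *_ATTRIBUTE_{USERNAME,GROUPNAME}_VALUE_* properties.
    The order in which they are applied here is an assumption."""
    extract_from_email: bool = False
    prefix: str = ""
    postfix: str = ""
    to_lower: bool = False
    to_upper: bool = False
    regex: Optional[Tuple[str, str]] = None   # (pattern, replacement); the page
                                              # does not give the property's syntax

    def apply(self, value: str) -> str:
        if self.extract_from_email and "@" in value:
            value = value.split("@", 1)[0]        # username@domain.com -> username
        if self.regex:
            value = re.sub(self.regex[0], self.regex[1], value)
        if self.to_lower:
            value = value.lower()
        if self.to_upper:                         # applied after TOLOWER, so it wins
            value = value.upper()
        return f"{self.prefix}{value}{self.postfix}"


@dataclass
class ListRules:
    """*_MANAGE_*_LIST (allow-list when non-empty) and *_IGNORE_*_LIST (deny-list),
    matched against the raw attribute value before modification (assumption)."""
    manage: frozenset = frozenset()
    ignore: frozenset = frozenset()

    def keep(self, raw_name: str) -> bool:
        if self.manage and raw_name not in self.manage:
            return False
        return raw_name not in self.ignore


@dataclass
class DomainRules:
    """AZURE_AD_MANAGE_DOMAIN_LIST / AZURE_AD_IGNORE_DOMAIN_LIST, compared on the
    AZURE_AD_DOMAIN_ATTRIBUTE ("email" by default, or "username").  Domains are
    compared case-insensitively here (assumption)."""
    manage: frozenset = frozenset()
    ignore: frozenset = frozenset()
    attribute: str = "email"

    def keep(self, entry: dict) -> bool:
        value = entry.get(self.attribute, "")
        domain = value.rsplit("@", 1)[1].lower() if "@" in value else ""
        if self.manage and domain not in {d.lower() for d in self.manage}:
            return False
        return domain not in {d.lower() for d in self.ignore}


def sync_names(entries, attr, name_rules, list_rules, domain_rules=None):
    """Return {synced_name: [raw values that produced it]} for surviving entries."""
    synced = {}
    for entry in entries:
        raw = entry[attr]
        if not list_rules.keep(raw):
            continue
        if domain_rules is not None and not domain_rules.keep(entry):
            continue
        synced.setdefault(name_rules.apply(raw), []).append(raw)
    return synced


def collisions(synced):
    """Synced names produced by more than one source identity.  A policy granted
    to such a name applies to every identity behind it, so this should be empty
    before the connector goes live."""
    return {name: raws for name, raws in synced.items() if len(raws) > 1}


# Constructed AAD-style pull results (not real accounts).
RAW_USERS = [
    {"username": "Alice.Smith@Privacera.US", "email": "alice.smith@privacera.us"},
    {"username": "alice.smith@sub.privacera.us", "email": "alice.smith@sub.privacera.us"},
    {"username": "svc-build@privacera.us", "email": "svc-build@privacera.us"},
    {"username": "Bob.Lee@contractor.example", "email": "bob.lee@contractor.example"},
]

# Constructed settings: extract-from-email + lowercase + prefix, one ignored
# service account, and two managed domains compared on the username attribute.
USER_RULES = NameRules(extract_from_email=True, to_lower=True, prefix="aad_")
USER_LISTS = ListRules(ignore=frozenset({"svc-build@privacera.us"}))
DOMAINS = DomainRules(manage=frozenset({"Privacera.US", "sub.privacera.us"}),
                      attribute="username")


def demo():
    synced = sync_names(RAW_USERS, "username", USER_RULES, USER_LISTS, DOMAINS)
    return synced, collisions(synced)
```

With EXTRACTFROMEMAIL enabled across more than one managed domain, the two Alice accounts become the same synced name, which is the case the collision check exists to surface.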