Privacera Platform: Settings

Data source registration

General process
Add a new data source - System
  1. From the Privacera main menu, scroll down to Settings and click Data Source Registration.

  2. From the Data Source Registration page, click + Add System.

  3. Enter the system name in the Name field (required).

  4. Enter a brief description in the Description field (optional).

  5. Click Save.

    Your new entry appears upon page refresh.

Add data source - Resources
  1. Select the settings icon in a data source detail box to add resources to your system. Resources can be applications, tables, or filesystems.

  2. Select an application from the drop-down menu.

  3. Enter a Name, an optional Description, and an Application Code in the Application Detail dialog box.

  4. Set the status toggle to Enable.

  5. Click Save.

    You can optionally test your data source connection at this point by selecting Test Connection.

  6. Select the Application Properties tab. You can import existing application properties from a file using the Import Properties option. Browse and select a JSON file, and click Add.

  7. In the Add New Properties section, add the following properties for Dataserver. Add one property per line.

    SSL: If SSL is enabled for Dataserver, use the following properties.

    explorer_proxy_enable=true 
    explorer_proxy_host=dataserver 
    explorer_proxy_port=8282 
    explorer_proxy_protocol=https 
    explorer_protocol=http

    Non-SSL: If SSL is not enabled for Dataserver, use the following properties.

    explorer_proxy_enable=true 
    explorer_proxy_host=dataserver 
    explorer_proxy_port=8181 
    explorer_proxy_protocol=http 
    explorer_protocol=http
  8. Click Test Connection.

  9. Click Next.

    A success banner displays upon a successful addition.

    Note

    To minimize the inflow of audits to Privacera, there is an option to add inclusion filter support for CDH (HDFS and Hive).

Enable an application
  1. Click Edit.

  2. Set the status to Enable.

  3. Click Save.

AWS S3 application

The following steps show you how to add an AWS S3 application. You can allow users to access multiple S3 accounts using AssumeRole.

  1. Create an AWS S3 application on the Privacera Platform Portal.

    1. Click Setting > + Add Application.

    2. Select AWS S3 Application.

    3. Enter the Application Name and Application Code.

    4. Select the Application Properties tab. You can import existing application properties from a file using the Import Properties option. Browse and select the JSON file and click Add.

    5. Under Add New Properties, add the following for Dataserver. Add one property per line.

      SSL: If SSL is enabled for Dataserver, use the following properties.

      explorer_proxy_enable=true 
      explorer_proxy_host=dataserver 
      explorer_proxy_port=8282 
      explorer_proxy_protocol=https 
      explorer_protocol=http

      Non-SSL: If SSL is not enabled for Dataserver, use the following properties.

      explorer_proxy_enable=true 
      explorer_proxy_host=dataserver 
      explorer_proxy_port=8181 
      explorer_proxy_protocol=http 
      explorer_protocol=http
    6. Click Test Connection.

    7. Click Next.

      When the AWS S3 application is added successfully, a success banner is displayed.

  2. Create one more AWS S3 application following the above steps, and add the following custom property:

    explorer_assume_role_arn=arn:aws:iam::${111111111111}:role/${s3_assume_role}

Tip

To minimize the inflow of audits to Privacera, there is an option to add inclusion filter support for CDH (HDFS and Hive).

Azure ADLS

The following steps show you how to add an Azure ADLS data source:

  1. Click Setting > + Add Application.

  2. Select Azure ADLS.

  3. Enter the Application Name and Application Code.

  4. Select the Application Properties tab. You can import existing application properties from a file using the Import Properties option. Browse and select the JSON file and click Add.

  5. Under Add New Properties, add the following for Dataserver. Add one property per line.

    SSL: If SSL is enabled for Dataserver, use the following properties.

    explorer_proxy_enable=true 
    explorer_proxy_host=dataserver 
    explorer_proxy_port=8282 
    explorer_proxy_protocol=https 
    explorer_protocol=http
    storage_type=blob

    Non-SSL: If SSL is not enabled for Dataserver, use the following properties.

    explorer_proxy_enable=true 
    explorer_proxy_host=dataserver 
    explorer_proxy_port=8181 
    explorer_proxy_protocol=http 
    explorer_protocol=http
    storage_type=blob
  6. Click Test Connection.

  7. Click Next.

    When the Azure ADLS application is added successfully, a success banner is displayed.

Google Cloud Storage (GCS)

A) Using Credential File

A credential file is a JSON file downloaded from GCP that allows you to access a GCP service account from outside GCP. Attaching this credential file gives access to the resources in the environment, which can be used to run Discovery scans on GCP resources such as GCS or GBQ.

There are two ways to incorporate the credential file.

  • Local File Path: Provide the path on the local file system where the credential file is saved; the system reads it and copies it to the internal configuration location.

  • File: Upload the credential file using the browser; the system copies it to the internal configuration location.

To add a GCS data source with credential file type, do the following:

  1. Under GCP, add a new Data Source, then select Google Cloud Storage.

  2. Enter the following:

    • Name: A name is provided by default. If required, enter a preferred name.

    • Description: Enter a suitable description

    • Application Code: An application code is a unique identifier for a data source. A code is provided by default. If required, enter a preferred code. No two data sources can have the same application code.

  3. In the Application Properties section, add the following properties:

    • Credential Type: Select Google Credentials Local File Path from the drop-down list.

    • Google Credentials Local File Path: /tmp

    • Google Project Id: ${PROJECT_ID}

    • Default Datasource for RealTime Scan: This value is set to false by default. Set this value to true if you have more than one data source. In such scenarios, it is recommended that you identify one data source as the default data source which will be used for real-time scanning.

  4. Scroll down to the bottom of the screen, and under Add new properties enter the following properties:

    SSL: If SSL is enabled for Dataserver, use the following properties.

    explorer_proxy_enable=true 
    explorer_proxy_host=dataserver 
    explorer_proxy_port=8282 
    explorer_proxy_protocol=https 
    explorer_protocol=http

    Non-SSL: If SSL is not enabled for Dataserver, use the following properties.

    explorer_proxy_enable=true 
    explorer_proxy_host=dataserver 
    explorer_proxy_port=8181 
    explorer_proxy_protocol=http 
    explorer_protocol=http
  5. Click Save.

B) Using Project ID

A project ID is a unique ID assigned to a GCP project. The project ID is required in order to interact with resources in the project. Using this project ID, you can access the resources defined in the project and run Discovery scans on those resources.

To add a GCS data source with project ID, do the following:

  1. Under GCP, add a new Data Source, then select Google Cloud Storage.

  2. Enter the following:

    • Name: A name is provided by default. If required, enter a preferred name.

    • Description: Enter a suitable description

    • Application Code: An application code is a unique identifier for a data source. A code is provided by default. If required, enter a preferred code. No two data sources can have the same application code.

  3. In the Application Properties section, add the following properties:

    • Credential Type: Select Google Credentials Local File Path from the drop-down list.

    • Google Credentials Local File Path: /tmp

    • Google Project Id: ${PROJECT_ID}

    • Privacera Configuration Bucket: gcs. Use the same bucket name you added in GCP Configuration.

    • Default Datasource for RealTime Scan: This value is set to false by default. Set this value to true if you have more than one data source. In such scenarios, it is recommended that you identify one data source as the default data source which will be used for real-time scanning.

  4. Click Save.

If you want to scan multiple resources, or resources from a different project, see Cross-project Setup.

Google BigQuery (GBQ)
  1. From the Privacera main menu, open Settings, and click Data Source Registration.

  2. Add a System with the name GBQ.

  3. Click the Setting icon of your added system, and click + Add Application.

  4. Choose Google BigQuery as the application.

  5. Enter the following:

    • Name

    • Description

    • Application Code

  6. Enable Status (Optional).

  7. Click Save.

  8. Enter the Google Project Id (Required).

  9. Default Datasource for RealTime Scan - This value is set to "false" by default. Set this value to "true" when adding the data source for a default project.

  10. Click Next, then click Save.

Google Pub-Sub
  1. From the Privacera main menu, select Settings, and click Data Source Registration.

  2. Under your GCP system, click +Add New Data Source and select Google Cloud Storage.

  3. From the Add Data Source dialog box, select or enter the following properties:

    • Google Project Id: ${PROJECT_ID} (Required)

    • scan.result.topic: ${Scan_Topic_Name} (Required)

    Use the same topic name you created as part of the prerequisite steps.

    • scan.result.project.id: ${Specify_ID_of_Cross_Project}

    If you do not specify a project ID, the system applies the default project ID.

  4. Click Test Connection to verify the above configuration.

  5. Click Save.

Databricks Spark SQL data source
Databricks Spark SQL data source in Privacera
Prerequisites

Have the following details ready to enter into the data source definition in Privacera:

  • A username and password in the target system that has read/write permission.

  • The name of the JDBC driver you need.

  • A JDBC connection string to communicate with the target data source.

Add Databricks Spark SQL data source in Privacera

To add Databricks Spark SQL data source in Privacera Platform:

  1. Navigate to: Settings > Data Source Registration.

  2. Optionally click Add System or modify an existing data source.

  3. Enter a useful name for this data source and a useful description.

  4. Click Save.

  5. Locate the new data source system name and from the wrench icon on the right, select Add Data Source.

  6. In the Add Data Source dialog, on the Choose tab, select Databricks Spark SQL.

  7. On the Configure tab:

  8. Enter a required Application Name of your choice.

  9. Enter a required Application Code of your choice. This is an identifier for your own use.

  10. If you have prepared a properties file in JSON format, click Import Properties and load the file.

  11. Scroll to find the following properties and enter the values you prepared:

    1. jdbc.username

      Enter the email ID used to log in to the Databricks account console.

    2. jdbc.password

      On Databricks account console:

      a. Navigate to Settings -> User Settings -> Access Tokens.

      b. Click Generate New Token.

      c. Use the Token as password.

    3. jdbc.url

      On Databricks account console:

      a. Click Compute and select the Cluster.

      b. Navigate to Advanced Options and click the JDBC/ODBC tab.

      c. Copy the URL from the JDBC URL section and update it as shown in the following example: change the scheme from jdbc:spark to jdbc:hive2, change ssl=1 to ssl=true, and remove the trailing AuthMech, UID and PWD parameters (the token is supplied through jdbc.password, not through the URL).

      Original URL:
      jdbc:spark://<yourHostname>:443/default;transportMode=http;ssl=1;httpPath=sql/protocolv1/o/6824215520793722/0406-064613-sweet542;AuthMech=3;UID=token;PWD=<personal-access-token>

      New URL:
      jdbc:hive2://<yourHostname>:443/default;transportMode=http;ssl=true;httpPath=sql/protocolv1/o/6824215520793722/0406-064613-sweet542;

  12. Accept the default values for all other properties or modify them if needed.

  13. At the bottom left, to verify the properties, click Test Connection.

    Note

    Your Databricks cluster should be up and running before clicking Test Connection.

  14. At the bottom right, click Next to save the data source or Back to return to the Choose tab.
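The URL rewrite in step 11 is easy to get wrong by hand, and the copied URL carries the personal access token in its PWD parameter. The following helper, added here as an example and not part of Privacera or Databricks, performs the conversion shown above and checks that no credential parameter survives in the jdbc.url value; it reuses the page's Original URL as its sample input.

```python
"""Rewrite the JDBC URL copied from the Databricks JDBC/ODBC tab into the
jdbc:hive2 form this page expects for jdbc.url. Scheme/ssl changes and the
dropped parameters follow the before/after URLs shown above; the helper
itself is an added example, not a Privacera or Databricks tool."""

# Parameters that carry credentials; the token belongs in jdbc.password only.
CREDENTIAL_PARAMS = {"authmech", "uid", "pwd"}
# Parameters the hive2 URL needs to reach the cluster over HTTP transport.
REQUIRED_PARAMS = ("transportMode", "httpPath")

# Sample input: the "Original URL" from the page, placeholders included.
SAMPLE_SPARK_URL = (
    "jdbc:spark://<yourHostname>:443/default;transportMode=http;ssl=1;"
    "httpPath=sql/protocolv1/o/6824215520793722/0406-064613-sweet542;"
    "AuthMech=3;UID=token;PWD=<personal-access-token>"
)


def split_params(url: str):
    """Split 'scheme://host:port/db;k=v;...' into (scheme, locator, [(k, v), ...])."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not a JDBC URL")
    locator, _, param_str = rest.partition(";")
    params = []
    for item in param_str.split(";"):
        if item:
            key, _, value = item.partition("=")
            params.append((key, value))
    return scheme, locator, params


def has_embedded_credentials(url: str) -> bool:
    """True if AuthMech/UID/PWD are still present in the URL string."""
    _, _, params = split_params(url)
    return any(k.lower() in CREDENTIAL_PARAMS for k, _ in params)


def to_hive2_url(spark_url: str) -> str:
    """Return the jdbc:hive2://... URL, or raise ValueError on unusable input."""
    scheme, locator, params = split_params(spark_url)
    if scheme != "jdbc:spark":
        raise ValueError(f"expected jdbc:spark scheme, got {scheme}")
    kept = []
    for key, value in params:
        if key.lower() in CREDENTIAL_PARAMS:
            continue                     # never carry the token in jdbc.url
        if key == "ssl" and value == "1":
            value = "true"               # hive2 driver spelling of the flag
        kept.append((key, value))
    present = {k for k, _ in kept}
    missing = [k for k in REQUIRED_PARAMS if k not in present]
    if missing:
        raise ValueError(f"copied URL is missing {missing}")
    return "jdbc:hive2://" + locator + ";" + "".join(f"{k}={v};" for k, v in kept)


if __name__ == "__main__":
    print(to_hive2_url(SAMPLE_SPARK_URL))
```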

Connect JDBC-based systems for Privacera Discovery

The following systems can be connected to Privacera Discovery as data sources via Java Database Connectivity (JDBC):

  • Amazon Aurora

  • Microsoft SQL Server

  • MySQL

  • Oracle

  • Postgres

  • PrestoSQL

    Note

    Starburst PrestoSQL versions are supported through version 350-e.

  • Redshift

  • Snowflake

  • Spark SQL

  • Synapse

  • Trino

  • Starburst

The general process is as follows:

  1. Create or identify a service user in the target system with read/write privileges.

  2. Determine the JDBC connection string to the data and database name in that target.

  3. Define these details as properties in the Privacera Platform.

Prerequisites

Have the following details ready to enter into the data source definition in Privacera:

  • A username and password in the target system that has read/write permission.

  • The name of the JDBC driver you need.

  • A JDBC connection string to communicate with the target data source.

Required properties in Privacera

Values for the following properties are described in Required Name of JDBC Driver per Target System, Username and Password, and Required JDBC Connection String.

Note

The format of the jdbc.url value varies by target system. Not all systems require databaseName.

jdbc.driver.class=<jdbc_driver_name>
jdbc.username=<user_with_readwrite_permission>
jdbc.password=<login_credentials_of_identified_user>
jdbc.url=jdbc:<protocol>://<hostname>:<port>;databaseName=<database_name>

Required name of JDBC Driver per target system

Depending on the target system, for the jdbc.driver.class definition you enter in the Privacera properties, use one of the JDBC drivers shown below.

  • Amazon Aurora: org.mariadb.jdbc.Driver

  • Microsoft SQL Server: com.microsoft.sqlserver.jdbc.SQLServerDriver

  • MySQL: com.mysql.jdbc.Driver

  • Oracle: oracle.jdbc.driver.OracleDriver

  • Postgres: org.postgresql.Driver

  • PrestoSQL: org.apache.hive.jdbc.HiveDriver

  • Redshift: com.amazon.redshift.jdbc.Driver

  • Snowflake: net.snowflake.client.jdbc.SnowflakeDriver

  • Spark SQL (Databricks): org.apache.hive.jdbc.HiveDriver

  • Synapse: com.microsoft.sqlserver.jdbc.SQLServerDriver

  • Trino: io.trino.jdbc.TrinoDriver

  • Starburst: io.trino.jdbc.TrinoDriver

Username and password

Identify the name of a user who must have read/write permission in your data source and the login credentials for that user. These values are needed for jdbc.username and jdbc.password properties in Privacera.

Required JDBC connection string

The jdbc.url value you enter in the Privacera properties must be one of the following, where <domainName>, <port>, and other variables are for your specific environment:

  • Amazon Aurora: jdbc:mysql://<domainName>:<port>/<dbname>

  • Microsoft SQL Server: jdbc:sqlserver://<domainName>:<port>;databaseName=<db_name>

  • MySQL: jdbc:mysql://<domainName>:<port>/<dbname>

  • Oracle: jdbc:oracle:thin:@//<domainName>:<port>/<dbname>.localdomain

  • Postgres: jdbc:postgresql://<domainName>:<port>/<dbname>

  • PrestoSQL: jdbc:presto://<domainName>:<port>/<catalog_name>

  • Redshift: jdbc:redshift://<domainName>:<port>/<dbname>

  • Snowflake: jdbc:snowflake://<domainName>:<port>/?warehouse=<name_of_policysync_warehouse>

  • Spark SQL (Databricks): jdbc:hive2://<domainName>:<port>/default;transportMode=http;ssl=true;httpPath=sql/protocolv1/o/0/xxxx-xxxxxx-xxxxxxxx;AuthMech=3;

  • Synapse: jdbc:sqlserver://<domainName>:<port>;databaseName=<dbname>

  • Trino: jdbc:trino://<host>:<port>/<catalog>

  • Starburst: jdbc:trino://<host>:<port>/<catalog>

    Note

    The following three databases can be added as catalogs on a Trino or Starburst server: MySQL, Oracle, PostgreSQL.
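The driver class and connection string lists above are easy to mismatch when the four properties are typed into the portal. The following checker is an added example (not a Privacera feature): it parses a one-property-per-line block, verifies that jdbc.url starts with a prefix this page pairs with the chosen jdbc.driver.class, and flags leftover <placeholders> or a password embedded in the URL instead of jdbc.password. The sample property sets are constructed.

```python
"""Sanity-check the four required JDBC properties for a Privacera Discovery
data source before entering them in the portal. Driver/URL pairings come
from this page's lists; the checks are an added practice, not a product feature."""
import re

REQUIRED_KEYS = ("jdbc.driver.class", "jdbc.username", "jdbc.password", "jdbc.url")

# jdbc.driver.class -> URL prefixes it is paired with on this page.
DRIVER_URL_PREFIXES = {
    "org.mariadb.jdbc.Driver": ("jdbc:mysql://",),                          # Amazon Aurora
    "com.microsoft.sqlserver.jdbc.SQLServerDriver": ("jdbc:sqlserver://",),  # SQL Server, Synapse
    "com.mysql.jdbc.Driver": ("jdbc:mysql://",),
    "oracle.jdbc.driver.OracleDriver": ("jdbc:oracle:thin:@//",),
    "org.postgresql.Driver": ("jdbc:postgresql://",),
    "org.apache.hive.jdbc.HiveDriver": ("jdbc:presto://", "jdbc:hive2://"),   # PrestoSQL, Spark SQL
    "com.amazon.redshift.jdbc.Driver": ("jdbc:redshift://",),
    "net.snowflake.client.jdbc.SnowflakeDriver": ("jdbc:snowflake://",),
    "io.trino.jdbc.TrinoDriver": ("jdbc:trino://",),                          # Trino, Starburst
}

# A pwd=/password= parameter in the URL would put the secret outside jdbc.password.
SECRET_URL_PARAMS = re.compile(r"(?i)(^|[;&?])(pwd|password)=")

# Constructed samples: a consistent Postgres set and a deliberately broken one.
GOOD_PROPS = """
jdbc.driver.class=org.postgresql.Driver
jdbc.username=discovery_svc
jdbc.password=example-not-a-real-secret
jdbc.url=jdbc:postgresql://db.example.internal:5432/customers
"""
BAD_PROPS = """
jdbc.driver.class=com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc.username=discovery_svc
jdbc.password=example-not-a-real-secret
jdbc.url=jdbc:mysql://<domainName>:3306/customers;password=example
"""


def parse_properties(text: str) -> dict:
    """Parse key=value lines (one property per line, as the portal expects)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_jdbc_properties(props: dict) -> list:
    """Return a list of findings; an empty list means the set looks consistent."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing {key}")
    driver = props.get("jdbc.driver.class", "")
    url = props.get("jdbc.url", "")
    if driver and driver not in DRIVER_URL_PREFIXES:
        findings.append(f"unknown driver class {driver}")
    elif driver and url and not url.startswith(DRIVER_URL_PREFIXES[driver]):
        findings.append(f"jdbc.url does not match driver {driver}")
    for key in REQUIRED_KEYS:
        if "<" in props.get(key, ""):          # e.g. <domainName> left unfilled
            findings.append(f"{key} still contains a <placeholder>")
    if SECRET_URL_PARAMS.search(url):
        findings.append("jdbc.url embeds a password; use jdbc.password instead")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(label, check_jdbc_properties(parse_properties(text)))
```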

Add JDBC-Based data source in Privacera

These are the setup and steps to add a JDBC-based data source.

Setup

Have the details listed in the planning sections above ready to enter into the data source definition in Privacera.

Steps

To add a JDBC-based data source in Privacera Platform:

  1. Navigate to: Settings > Data Source Registration.

  2. Optionally click Add System or modify an existing data source.

  3. Enter a useful name for this data source and a useful description.

  4. Click Save.

  5. Locate the new data source system name and from the wrench icon on the right, select Add Data Source.

  6. In the Add Data Source dialog, on the Choose tab, select JDBC APPLICATION.

  7. On the Configure tab:

  8. Enter a required Application Name of your choice.

  9. Enter a required Application Code of your choice. This is an identifier for your own use.

  10. If you have prepared a properties file in JSON format, click Import Properties and load the file.

  11. Scroll to find the following properties and enter the values you prepared:

    • jdbc.username

    • jdbc.password

    • jdbc.driver.class

    • jdbc.url

  12. Accept the default values for all other properties or modify them if needed.

  13. At the bottom left, to verify the properties, click Test Connection.

  14. At the bottom right, click Next to save the data source or Back to return to the Choose tab.

User Management

User Management is used for high-level authentication and user roles. Only ROLE_SYS_ADMIN has rights to view, edit, and create in User Management. Users created from the portal are of the NATIVE user type, and users from LDAP and external auth are of the EXTERNAL user type.

Role Name: Permission Granted

  • ROLE_SYSADMIN: All permissions.

  • ROLE_ADMIN: All permissions except the User Management module.

  • ROLE_DISCOVERY_ALL: All permissions to the Discovery module.

  • ROLE_DISCOVERY_READ: Read-only permission to the Discovery module.

  • ROLE_DISCOVERY_STEWARDS: All permissions to the Discovery module except Delete.

  • ROLE_DISCOVERY_GOVERNANCE: Read-only permission to the Discovery module.

  • ROLE_DISCOVERY_SERVICE: All permissions to the Discovery module except Delete. This role is assigned to the privacera_service_discovery user only and cannot be assigned to another user.

  • ROLE_MONITORING_ALL: All permissions related to Monitoring.

  • ROLE_MONITORING_READ: Read-only permission to Monitoring.

  • ROLE_ANONYMOUS: No permission granted.

  • ROLE_USER: No permission granted.

  • ROLE_DISCOVERY_READ_RESTRICTED: Read-only permission to the Discovery module, with sample values of classifications hidden.

  • ROLE_ENCRYPTION_ALL: All permissions to the Encryption module.

  • ROLE_ENCRYPTION_READ: Read-only permission to the Encryption module.

  • ROLE_DATASERVER_ADMIN: All permissions to the Cloud module.

  • ROLE_CLOUD_ADMIN: All permissions to the Cloud module.

  • ROLE_EXPLORER_ALL: All required permissions for File Explorer.

  • ROLE_EXPLORER_METADATA: METADATA (listing) permission for File Explorer.

  • ROLE_EXPLORER_READ: READ permission for File Explorer.

  • ROLE_EXPLORER_WRITE: WRITE permission for File Explorer.

  • ROLE_EXPLORER_DELETE: DELETE permission for File Explorer.

  • ROLE_READ_ONLY: READ ONLY permission for the Privacera Portal.

Example: If a user is allowed read-only access to the Monitoring and Discovery modules, ROLE_SYS_ADMIN can assign the roles ROLE_DISCOVERY_READ and ROLE_MONITORING_READ to that user.

LDAP Role Mapping

LDAP role mapping maps LDAP roles to the existing Privacera roles. You can associate LDAP user roles with Privacera roles using this feature.

By default, the LDAP role mapping feature is disabled. Enable it by adding auth.ldap.enabled=true in the Custom Properties section, as follows:

  1. On the Privacera home page, expand the Settings menu and click on System Configurations from left menu.

  2. Select the Custom Properties.

  3. Click the Add Property.

  4. Enter the Key as auth.ldap.enabled.

  5. Enter the Value as true.

  6. Click Add.

Assign a Role to an LDAP User
  1. On the Privacera home page, expand the Settings menu and click on Ldap Role Mapping from left menu.

  2. On the LDAP Role Mapping page, enter the LDAP Group/Role name next to the Privacera role you want to map it to.

  3. Click Save.

Add Users
  1. On the Privacera home page, expand the Settings menu and click on User Management from left menu.

  2. Click +Add.

  3. In the Add User dialog, enter the following details:

    • First Name (Mandatory)

    • Last Name

    • Email Id

    • User Name (Mandatory)

    • Select Role (Mandatory)

    • New Password

    • Confirm Password.

    Note

    Email ID of a user must be unique. No two users can share the same email ID, because the email ID of the second user will appear blank.

  4. Click Save.

Edit/Delete User
  1. On the Privacera home page, expand the Settings menu and click on User Management from left menu.

  2. Click Edit (pencil icon) for the user.

  3. Edit the user details.

    Note: You cannot change the Username once it is created. Hence, the Username field is not editable.

  4. Click Save.

  5. To delete a user, click the Delete icon next to the user name.

Edit User Profiles
  1. On the Privacera home page, click your username at the top right, then click Profile.

  2. The Profile pop-up displays. Edit the profile properties.

  3. Change the password.

    1. Click Edit next to the Old Password.

    2. Enter the old password.

    3. Enter the new password and confirm it.

Create Databricks Policies

To create a Databricks policy in Privacera Portal, follow these steps:

  1. Login to Privacera Portal.

  2. On the Privacera home page, expand the Settings menu and click on Databricks Policies from left menu.

  3. Click the +Create Policy.

    1. Enter the Policy Name. (Mandatory)

    2. Select the Type, Users, Groups, IAM Role from the respective drop-down.

      Note

      You are allowed to select multiple Users and Groups.

    3. Enter the Additional JSON (if any). It is appended to the existing JSON fetched from the back end.

  4. Click Save.

    The policy is created successfully.

Important

By default, Admin groups have permission to all policies. If you have not configured the Databricks properties in the Privacera Portal properties file, an error is displayed.

  • The Token should be generated from a user who is an Admin.

  • Example of Additional JSON that can be used to create a policy:

        {
            "autoscale.min_workers": {
                "type": "range",
                "minValue": 1,
                "hidden": false
            },
            "autoscale.max_workers": {
                "type": "range",
                "maxValue": 2
            },
            "cluster_name": {
                "type": "fixed",
                "value": "secured"
            },
            "spark_version": {
                "type": "regex",
                "pattern": "5.5.x-scala2.11"
            },
            "spark_conf.spark.hadoop.hadoop.security.credential.provider.path": {
                "type": "fixed",
                "value": "jceks://dbfs@/${JCEKS_FILE_PATH}",
                "hidden": true
            },
            "spark_conf.spark.databricks.delta.formatCheck.enabled": {
                "type": "fixed",
                "value": "false",
                "hidden": true
            },
            "spark_conf.spark.databricks.delta.preview.enabled": {
                "type": "fixed",
                "value": "true",
                "hidden": true
            },
            "node_type_id": {
                "type": "regex",
                "pattern": "m4.*"
            },
            "autotermination_minutes": {
                "type": "unlimited",
                "defaultValue": 50
            }
        }

To know more about Databricks policies, refer to Privacera Platform Installation: Databricks Policy Management Guide.

Data Subject Rights

To add a data subject right, use the following steps:

  1. In the Privacera home page, expand the Settings menu and click on Data Subject Rights from left menu.

  2. In the Data Subject Rights page, click +Add.

  3. In the Add Data Subject Rights pop-up, enter the following details:

    • Name (Mandatory)

    • GUID

    • Consent. By default, it is Yes.

    • Consent Expiry

Data Subject Rights

This section holds the list of data subject rights which are created in the application. You can filter the list of data subject rights using the search option.

  • Name: The name of the data subject right.

  • GUID: The GUID of the data subject right.

  • Consent: The consent setting of the data subject right.

  • Consent Expiry: The expiry date of the consent.

  • Actions: Edit or delete a data subject right by clicking the respective icon in the Actions column.

Global Import/Export

Restore or save a backup of the current configuration. You can use Export to save the current configuration in an external file and later Import to restore the system from a saved configuration file.

Export a Configuration File
  1. From the home page, click Settings > Import / Export.

  2. Click Global Export.

  3. Select the items you want to export and click Export.

Import a Configuration File
  1. From the home page, click Settings > Import / Export.

  2. Click Global Import.

  3. Browse and select the JSON file and click Save.