Users and Roles in Privacera Encryption

This guide explains the different types of users involved in Privacera Encryption, how they authenticate, and how JWT tokens are used to interact securely with the Privacera Encryption Gateway (PEG).

Types of Encryption Users

Authentication User

A user who is authorized to authenticate against the PEG service.

  • Must exist as a Portal User in the Privacera Platform.
  • Must exist in Apache Ranger as a user.
  • Can be granted permissions for scheme policies.
  • Can impersonate other users using the doAs capability.
  • Can generate and use JWT tokens for API access.

Creating Authentication Users

Create the users in the Privacera Portal:

  1. Navigate to Privacera Portal > Settings > User Management
  2. Enter the required user details and Save
  3. Recommended user setup:
    • Create one user with Role as ROLE_SYSTEM_ADMIN (e.g., John) to manage scheme policies
    • Create other users with Role as ROLE_USER (e.g., Sally-Sales, Emily, Sam, Mark)

In PrivaceraCloud:

  1. Navigate to PrivaceraCloud platform > Settings > User Management
  2. Enter the required user details
  3. Select role as ROLE_ENCRYPTION_READ and Save

The authentication user will be:

  • Created as External Users in Ranger automatically
  • Available for use as Authenticated Users for REST API
  • Able to generate JWT tokens
  • Eligible for scheme policy permissions
  • Capable of impersonating other doAs users

Impersonated User (doAs User)

A user whose identity is temporarily assumed by an authenticated user.

  • Must be created in Apache Ranger.
  • Can be granted permissions on encryption schemes.
  • Does not need to be created in the Privacera Portal.
  • Requires a valid authenticated user to impersonate them during PEG API operations.
  • Commonly used in:
    • PEG REST APIs.
    • Connectors or plugins running as service users (e.g., Databricks, StreamSets).
    • Databricks UDFs for per-user access control.

Creating Impersonated (doAs) Users

Create the user in Ranger from the Privacera Portal:

  1. Navigate to Privacera Portal > Access Management > Users/Groups/Roles
  2. Enter the required user details and Save
  3. Example: Create user Jenny_Hr in Ranger with Role as User

In PrivaceraCloud:

  1. Navigate to PrivaceraCloud platform > Access Management > Users/Groups/Roles
  2. Enter the required user details and Save
  3. Example: Create user Jenny_Hr in Ranger with Role as User

The Ranger user will:

  • Be eligible for scheme policy permissions
  • Not require a Privacera Portal user account
  • Function as doAs Users
  • Require a valid Authenticated User to impersonate them in REST API requests

How to get the PEG API URL

With Privacera Manager, run the following command:

Bash
cat privacera/privacera-manager/output/service-urls.txt

You will see the PEG URL in the output. Copy and save it securely for further use.

In PrivaceraCloud:

  1. Navigate to Settings > API Keys
  2. Click on the icon (API key info button)
  3. Below you will find the PEG URL
  4. Copy and save it securely for further use

JWT Tokens

A JWT (JSON Web Token) is required to authenticate and authorize every call to the Privacera Encryption Gateway (PEG) API. Tokens are needed for:

  • Making API calls to encrypt or decrypt data.
  • Accessing scheme information.
  • Performing other encryption-related operations.

Each JWT token is associated with a specific user, carries information about their roles and scope, and has a configurable expiration time.

Generating JWT Tokens

Using Token Management Interface

In the Privacera Portal:

  1. Log in to your Privacera portal
  2. Navigate to Encryption & Masking section
  3. Select Token Management from the menu
  4. Click the GENERATE TOKEN button
  5. Fill in:
    • User: Select from dropdown
    • Token Name
    • Scope: Choose "Encryption"
    • Description: (Optional)
    • Expiry: Set expiration date/time
    • Never Expire: Check if desired (not recommended)
  6. Click Generate Token
  7. Copy and store the token securely

In PrivaceraCloud:

  1. Log in to PrivaceraCloud platform
  2. Navigate to JWT TOKEN under Encryption & Masking
  3. Select the user for which you want to generate the token
  4. Click on Generate Token button
  5. Fill in:
    • Token Name
    • Description: (Optional)
    • Expiry: Set expiration date/time
    • Never Expire: Check if desired (not recommended)
  6. Click Generate Token
  7. Copy and store the token securely

Using the API Endpoint

Post the authentication user's Privacera Portal credentials to the tokens endpoint to generate a JWT for that user:

Bash
curl -X POST -H "Content-Type: application/json" \
  -d '{"username":"admin", "password":"XXXXX"}' \
  'https://<PRIVACERA_HOST>/api/rest/current/service/public/v3/tokens'

Using JWT Tokens with PEG API

Send the token in the Authorization header as a Bearer token on every PEG API call:

Bash
curl -X POST -H "Authorization: Bearer <JWT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"scheme":"SCHEME_NAME", "data":"text_to_encrypt"}' \
  'https://<PRIVACERA_HOST>/api/peg/v2/protect'

Common API Endpoints

| Endpoint                        | Description             | Level of Access                        |
|---------------------------------|-------------------------|----------------------------------------|
| /api/peg/v2/protect             | Encrypts data           | Users with permission for the scheme   |
| /api/peg/v2/unprotect           | Decrypts data           | Users with permission for the scheme   |
| /api/scheme/v2/get/{schemeName} | Retrieves scheme details | Users with scheme access permissions  |

Token Expiration and Security

  • Set token lifetime based on risk tolerance.
  • Use the shortest practical expiration time.
  • Never share tokens between applications.
  • Rotate tokens regularly.
  • Use separate tokens for each application or service.
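As an added example (not Privacera's code), the following Python client ties the pieces above together: it posts credentials to the tokens endpoint, sends the JWT as a Bearer header to /api/peg/v2/protect and /api/peg/v2/unprotect, and enforces the expiration guidance by reading the token's standard exp claim before each call and refusing tokens that are expired, about to expire, or were generated with "Never Expire". The host name, the "token" field in the tokens response, and the JSON shape of the PEG responses are assumptions; FakeGateway is a constructed stand-in so the flow runs offline.

```python
"""Minimal PEG client flow: obtain a JWT, sanity-check its expiry, then call
/api/peg/v2/protect and /api/peg/v2/unprotect. Added example, not Privacera
code. Assumed (placeholders for the real shapes): the tokens endpoint returns
JSON with a "token" field, and the PEG endpoints return JSON."""
import base64
import json
import time
import urllib.request
from typing import Optional

TOKENS_PATH = "/api/rest/current/service/public/v3/tokens"
PROTECT_PATH = "/api/peg/v2/protect"
UNPROTECT_PATH = "/api/peg/v2/unprotect"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport. urlopen verifies the TLS certificate by default;
    keep it that way even if the gateway uses an internal CA (install the CA)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def jwt_expiry(token: str) -> Optional[int]:
    """Return the standard 'exp' claim (seconds since epoch) or None if absent.
    Only the payload is decoded; the signature is NOT verified here (PEG does
    that). This is a client-side check so a dead token is never sent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("exp")


def token_is_usable(token: str, now: Optional[float] = None, leeway: int = 60) -> bool:
    """True if the token expires more than `leeway` seconds from `now`.
    A token without 'exp' ("Never Expire") is rejected on purpose."""
    exp = jwt_expiry(token)
    if exp is None:
        return False
    current = time.time() if now is None else now
    return current + leeway < exp


class PegClient:
    def __init__(self, host: str, transport=urllib_transport):
        self.base = f"https://{host}"
        self.transport = transport
        self.token: Optional[str] = None

    def _post(self, path: str, body: dict, auth: bool) -> dict:
        headers = {"Content-Type": "application/json"}
        if auth:
            if self.token is None or not token_is_usable(self.token):
                raise RuntimeError("no usable JWT: generate or rotate the token first")
            headers["Authorization"] = f"Bearer {self.token}"
        status, raw = self.transport("POST", self.base + path, headers, json.dumps(body).encode())
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}")
        return json.loads(raw)

    def login(self, username: str, password: str) -> str:
        """Generate a JWT for an authentication user from its portal credentials."""
        resp = self._post(TOKENS_PATH, {"username": username, "password": password}, auth=False)
        self.token = resp["token"]  # assumed response field name
        return self.token

    def protect(self, scheme: str, data: str) -> dict:
        return self._post(PROTECT_PATH, {"scheme": scheme, "data": data}, auth=True)

    def unprotect(self, scheme: str, data: str) -> dict:
        return self._post(UNPROTECT_PATH, {"scheme": scheme, "data": data}, auth=True)


# --- Constructed test doubles so the example runs offline ---------------------

def make_unsigned_jwt(claims: dict) -> str:
    """Structurally valid JWT with an empty signature (constructed sample data;
    a real PEG token is signed and must not be built like this)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


class FakeGateway:
    """Constructed stand-in for PEG: issues a fixed token, checks the Bearer
    header, and reverses the string in place of real encryption."""
    def __init__(self, token: str):
        self.token = token
        self.calls = []  # (method, url, headers, body) for every request seen

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith(TOKENS_PATH):
            return 200, json.dumps({"token": self.token}).encode()
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, b"{}"
        req = json.loads(body)
        if url.endswith(PROTECT_PATH) or url.endswith(UNPROTECT_PATH):
            return 200, json.dumps({"scheme": req["scheme"], "data": req["data"][::-1]}).encode()
        return 404, b"{}"


if __name__ == "__main__":
    gw = FakeGateway(make_unsigned_jwt({"sub": "admin", "exp": 2_000_000_000}))
    client = PegClient("peg.example.invalid", transport=gw)
    client.login("admin", "XXXXX")
    print(client.protect("SCHEME_NAME", "text_to_encrypt"))
```

Swap FakeGateway for the default urllib_transport and a real host to use it against PEG. The expiry check is deliberately strict: it treats a missing exp as unusable, which turns the "Never Expire: not recommended" advice into something the client enforces rather than something an operator has to remember.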

Role-Based Permissions

PEG Roles and Permissions

The following roles control access to encryption operations and scheme management:

| Role                 | Scheme Management Rights            | Encryption Operations                                    |
|----------------------|-------------------------------------|----------------------------------------------------------|
| ROLE_ENCRYPTION_ALL  | Full scheme management rights       | Full encryption operations on authorized schemes         |
| ROLE_ENCRYPTION_READ | Read-only access to schemes         | Read and decrypt access on authorized schemes            |
| SYSTEM_ADMIN         | Equivalent to full scheme management | Full encryption operations on authorized schemes        |
| ROLE_USER            | No scheme-related permissions       | Requires specific scheme permissions to perform actions  |

Role Combinations and Token Generation

| User Role/Combinations                             | Can Generate JWT | Can Generate for Others |
|----------------------------------------------------|------------------|-------------------------|
| ROLE_USER                                          | Yes              | No                      |
| ROLE_ENCRYPTION_ALL                                | Yes              | Yes                     |
| ROLE_ENCRYPTION_READ                               | Yes              | Yes                     |
| ROLE_ACCOUNT_ADMIN                                 | Yes              | Yes                     |
| ROLE_ENCRYPTION_*, ROLE_POLICY_*, ROLE_DISCOVERY_* | Yes              | Yes                     |
| ROLE_POLICY_*, ROLE_DISCOVERY_*                    | No               | No                      |

ROLE_ACCOUNT_ADMIN users can generate tokens for others.

Assigning Roles in Portal

  1. Go to Access Management > Users & Groups.
  2. Select a user or add a new one.
  3. Assign one or more roles based on their duties.
  4. Save changes.