
Users and Roles in Privacera Encryption

This guide explains the different types of users involved in Privacera Encryption, how they authenticate, and how JWT tokens are used to interact securely with the Privacera Encryption Gateway (PEG).

Types of Encryption Users

Authentication User

A user who is authorized to authenticate against the PEG service.

  • Must exist as a Portal User in the Privacera Platform
  • Must exist in Apache Ranger as a user
  • Can be granted permissions for scheme policies
  • Can impersonate other users using the doAs capability
  • Can generate and use JWT tokens for API access

Creating Authentication Users

  1. Create users in the Privacera Portal:
     • Navigate to Privacera Portal > Settings > User Management
     • Enter the required user details and Save
  2. Recommended user setup:
     • Create one user with Role as ROLE_SYSTEM_ADMIN (e.g., John) to manage scheme policies
     • Create other users with Role as ROLE_USER (e.g., Sally-Sales, Emily, Sam, Mark)
  3. These users will be:
     • Created as External Users in Ranger automatically
     • Available for use as Authenticated Users for the REST API
     • Able to generate JWT tokens
     • Eligible for scheme policy permissions
     • Capable of impersonating other doAs users

Impersonated User (doAs User)

A user whose identity is temporarily assumed by an authenticated user.

  • Must be created in Apache Ranger
  • Can be granted permissions on encryption schemes
  • Does not need to be created in the Privacera Portal
  • Requires a valid authenticated user to impersonate them during PEG API operations
  • Commonly used in:
    • PEG REST APIs
    • Connectors or plugins running as service users (e.g., Databricks, StreamSets)
    • Databricks UDFs for per-user access control

Creating Impersonated (doAs) Users

  1. Create the user in Ranger:
     • Navigate to Privacera Portal > Access Management > Users/Groups/Roles
     • Enter the required user details and Save
     • Example: Create user Jenny_Hr in Ranger with Role as User
  2. These users will:
     • Be eligible for scheme policy permissions
     • Not require a Privacera Portal user account
     • Function as doAs Users
     • Require a valid Authenticated User to impersonate them in REST API requests

JWT Tokens

A JWT (JSON Web Token) is required for authentication and authorization when calling Privacera Encryption Gateway (PEG) API services. A token is needed for:

  • Making API calls to encrypt or decrypt data
  • Accessing scheme information
  • Performing other encryption-related operations

Each JWT token is associated with a specific user, carries information about their roles and scope, and has a configurable expiration time.

Generating JWT Tokens

Using Token Management Interface

  1. Log in to your Privacera portal
  2. Navigate to Encryption & Masking section
  3. Select Token Management from the menu
  4. Click the GENERATE TOKEN button
  5. Fill in:
    • User: Select from dropdown
    • Token Name
    • Scope: Choose "Encryption"
    • Description: (Optional)
    • Expiry: Set expiration date/time
    • Never Expire: Check if desired (not recommended)
  6. Click Generate Token
  7. Copy and store the token securely

Using the API Endpoint (Privacera Self Managed)

Bash:

  curl -X POST -H "Content-Type: application/json" \
    -d '{"username":"admin", "password":"XXXXX"}' \
    'https://<PRIVACERA_HOST>/api/rest/current/service/public/v3/tokens'

Using JWT Tokens with PEG API

Bash:

  curl -X POST -H "Authorization: Bearer <JWT_TOKEN>" \
    -H "Content-Type: application/json" \
    -d '{"scheme":"SCHEME_NAME", "data":"text_to_encrypt"}' \
    'https://<PRIVACERA_HOST>/api/peg/v2/protect'

Common API Endpoints

  Endpoint                        | Description              | Level of Access
  --------------------------------|--------------------------|--------------------------------------
  /api/peg/v2/protect             | Encrypts data            | Users with permission for the scheme
  /api/peg/v2/unprotect           | Decrypts data            | Users with permission for the scheme
  /api/scheme/v2/get/{schemeName} | Retrieves scheme details | Users with scheme access permissions

Token Expiration and Security

  • Set token lifetime based on risk tolerance
  • Use the shortest practical expiration time
  • Never share tokens between applications
  • Rotate tokens regularly
  • Use separate tokens for each application or service
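As an added example (not Privacera's own code), the following Python client applies the expiry guidance above before a token is used (it rejects a never-expiring token, an expired one, or one that outlives a local lifetime policy) and then assembles the same /api/peg/v2/protect request as the curl example. The sample token, the max_lifetime_s policy value and the claim names sub, iat and exp are assumptions; this page does not specify PEG's actual claim layout.

```python
import base64
import json
import time
import urllib.request

def decode_jwt_claims(token):
    """Return the JWT payload without verifying the signature; PEG verifies it
    server-side, the client only inspects claims before using the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, max_lifetime_s, now=None):
    """Apply the expiry guidance above: reject a token with no exp claim
    ("Never Expire"), an expired one, or (when iat is present) one whose
    lifetime exceeds policy. Returns the token's subject (assumed 'sub' claim)."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        raise ValueError("token never expires; rejecting")
    if exp <= now:
        raise ValueError("token expired")
    iat = claims.get("iat")
    if iat is not None and exp - iat > max_lifetime_s:
        raise ValueError("token lifetime exceeds policy")
    return claims.get("sub", "<unknown user>")

def build_protect_request(host, token, scheme, data):
    """Assemble the same call as the curl example: Bearer header, JSON body."""
    body = json.dumps({"scheme": scheme, "data": data}).encode()
    return urllib.request.Request(
        "https://%s/api/peg/v2/protect" % host, data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})

def make_sample_jwt(claims):
    """Constructed, unsigned sample token (alg none) for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))

if __name__ == "__main__":
    now = 1_700_000_000
    token = make_sample_jwt({"sub": "Sally-Sales", "iat": now, "exp": now + 3600})
    user = check_token(token, max_lifetime_s=86400, now=now)  # "Sally-Sales"
    req = build_protect_request("<PRIVACERA_HOST>", token, "SCHEME_NAME", "text_to_encrypt")
    print(user, req.get_method(), req.full_url)  # request is built here, not sent
```

The request object is only assembled; send it with urllib.request.urlopen against a real PEG host once the token check passes.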

Role-Based Permissions

PEG Roles and Permissions

The following roles control access to encryption operations and scheme management:

  Role                 | Scheme Management Rights            | Encryption Operations
  ---------------------|------------------------------------|-----------------------------------------------------
  ROLE_ENCRYPTION_ALL  | Full scheme management rights      | Full encryption operations on authorized schemes
  ROLE_ENCRYPTION_READ | Read-only access to schemes        | Read and decrypt access on authorized schemes
  SYSTEM_ADMIN         | Equivalent to full scheme management | Full encryption operations on authorized schemes
  ROLE_USER            | No scheme-related permissions      | Requires specific scheme permissions to perform actions

Role Combinations and Token Generation

  User Role/Combinations                            | Can Generate JWT | Can Generate for Others
  --------------------------------------------------|------------------|------------------------
  ROLE_USER                                         | Yes              | No
  ROLE_ENCRYPTION_ALL                               | Yes              | Yes
  ROLE_ENCRYPTION_READ                              | Yes              | Yes
  ROLE_ACCOUNT_ADMIN                                | Yes              | Yes
  ROLE_ENCRYPTION_*, ROLE_POLICY_*, ROLE_DISCOVERY_* | Yes              | Yes
  ROLE_POLICY_*, ROLE_DISCOVERY_*                   | No               | No

Note: ROLE_ACCOUNT_ADMIN users can generate tokens for other users.

Assigning Roles in Portal

  1. Go to Access Management > Users & Groups
  2. Select a user or add a new one
  3. Assign one or more roles based on their duties
  4. Save changes
