Add Service

The Access Manager: Add Service wizard steps through adding a Service.

Services can also be created through a series of manual steps using Settings: Datasource and Access Manager: Service Config. See Connect Data Sources for specific instructions for this method.

Add a Service#

Select a Cloud Platform#

  1. Select the data source hosting cloud platform: AWS or Azure.

    The Services list is populated based on the selected cloud platform.

  2. Select the required Service from the Select Service list and click Next.

    The next page opens to the options available for the selected platform.

AWS#

There are eight AWS data source service options:

  • AWS EMR (includes Hive, Presto, and Spark)
  • AWS Athena
  • AWS Databricks
  • AWS Redshift
  • AWS Snowflake
  • AWS S3
  • AWS Postgres
  • AWS Databricks SQL

Each has its own set of required data repository and site-specific properties to be provided. Select a service type and click Next.

AWS - EMR#

Configure EMR for PrivaceraCloud

  1. Method A is recommended to integrate PrivaceraCloud into a new cluster.

  2. Method B is recommended for integration with an existing cluster. Download the bootstrap script, then continue the wizard to optionally add data access and configure for Single Sign On.

  3. Click Finish.

After completing the wizard, follow the instructions in the topic Connect EMR: Hive, Presto, Spark.

AWS - Athena#

Configure Athena for PrivaceraCloud

  1. Provide values to the following parameters:

    • AWS IAM Role
    • AWS_ATHENA_RESULT_STORAGE_URL
    • AWS Access Key
    • AWS Secret Key
    • Add New Properties
  2. Click Finish.

To set up your client system for AWS CLI, open User Interface: Launch Pad and follow the steps to install and configure AWS CLI to your workstation.

AWS - Databricks#

Configure Databricks for PrivaceraCloud

  1. Follow the instructions provided.

  2. After downloading the bootstrap script, follow instructions in Connect Databricks SQL or Connect Databricks S3 depending on your data repository type, to complete the data source attachment.

  3. Click Finish.

AWS - Redshift#

The key AWS Redshift site-specific parameters are listed below. Other properties are advanced and should be modified in consultation with Privacera Support.

| Property | Description | Example |
| --- | --- | --- |
| Service URL | URL connection to the Redshift repository. | jdbc:postgresql://redshift-cluster-1.test.redshift.amazonaws.com:5439 |
| Service name | Connection service name. | |
| Service username | Username database credential. | |
| Service password | Password database credential. | |
| Service master database name | | |
| Persist database connection | | |
| Manage database list, Manage schema list, Manage user list, Manage view list | See the note on list properties below this table. | |
| Service new user password | The password value to be assigned to any new user created during policy synchronization. | |

The Manage database list, Manage schema list, Manage user list, and Manage view list properties follow the same format. For each:

  • Specify a list of zero or more names of databases, schemas, users, or views to be PrivaceraCloud managed.
  • If left blank, all target databases, schemas, users, or views in the repository will be managed.
  • If set to none, none of them will be managed.
  • Accepts a single name or multiple names with comma separation.
  • Regular expressions (regex) can be used. For example, *_xx will match the names company_xx, products_xx, and so on.

AWS Snowflake#

Snowflake Prerequisites#

PrivaceraCloud integration with Snowflake requires establishment of a PrivaceraCloud Warehouse and Database for use with PrivaceraCloud PolicySync activity.

Use the Snowflake console to do the following steps:

  1. Create a Warehouse to be used by Privacera Policy Sync.

    CREATE WAREHOUSE PRIVACERA_POLICYSYNC_WH WITH
    WAREHOUSE_SIZE = XSMALL
    WAREHOUSE_TYPE = STANDARD
    AUTO_SUSPEND = 600
    AUTO_RESUME = TRUE
    MIN_CLUSTER_COUNT = 1
    MAX_CLUSTER_COUNT = 1
    SCALING_POLICY = ECONOMY;

  2. Create a Privacera Sync Role, and grant it SECURITYADMIN and ACCOUNTADMIN rights so it can create users and additional roles.

    CREATE ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE SECURITYADMIN TO ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE ACCOUNTADMIN TO ROLE PRIVACERA_SYNC_ROLE;

  3. Create a Role to be the default owner of user-created resources.

    CREATE ROLE PRIVACERA_DEFAULT_OWNER;

  4. Create a Privacera Sync User and assign it a password. Set its default Warehouse and default role, then grant it the Privacera Sync Role.

    -- The default warehouse must be the one created in step 1.
    CREATE USER PRIVACERA_SYNC
    PASSWORD = '<CHANGE_ME-PRIVACERA_SYNC_PASSWORD>'
    MUST_CHANGE_PASSWORD = FALSE
    DEFAULT_WAREHOUSE = 'PRIVACERA_POLICYSYNC_WH'
    DEFAULT_ROLE = 'PRIVACERA_SYNC_ROLE';

    GRANT ROLE PRIVACERA_SYNC_ROLE TO USER PRIVACERA_SYNC;

  5. Create the database to store masking policies.

    CREATE DATABASE privacera_db;


The key AWS Snowflake site-specific parameters are listed below. Other properties are advanced and should be modified in consultation with Privacera Support.

| Property | Description | Example |
| --- | --- | --- |
| Service URL | URL connection to the Snowflake repository. | jdbc:snowflake://testpartner.snowflakecomputing.com |
| Service name | Connection service name. | |
| Service username | Username database credential. | |
| Service password | Password database credential. | |
| Warehouse name | | |
| Service managed global list | | |
| Manage database list, Manage schema list, Manage user list, Manage view list | See the note on list properties below this table. | |
| Create service user | Boolean: if true, new users will be created during policy synchronization. | |
| Service new user password | The password value to be assigned to any new user created during policy synchronization. | |
| Manage service user, group, or role | Boolean: if true, service users, groups, or roles will be managed. | |
| Ignore user list | Data access user ignore list. Comma-separated names of data access users to be ignored (non-managed) by PrivaceraCloud. This list is seeded with the standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin" |
| User, Role, or Group "Prefix" | A string value to be prefixed to Users, Roles, or Groups that are auto-created during synchronization. | "pc_user_", "pc_role_", "pc_group_" |
| Perform grant updates | If set to true, all grants will be executed. If false, grant updates will be dry-run and not actually executed. | |

The Manage database list, Manage schema list, Manage user list, and Manage view list properties follow the same format. For each:

  • Specify a list of zero or more names of databases, schemas, users, or views to be PrivaceraCloud managed.
  • If left blank, all target databases, schemas, users, or views in the repository will be managed.
  • If set to none, none of them will be managed.
  • Accepts a single name or multiple names with comma separation.
  • Regular expressions (regex) can be used. For example, *_xx will match the names company_xx, products_xx, and so on.

AWS S3#

Configure S3 for PrivaceraCloud

  1. Enable the Use IAM Role button or provide the values of the following parameters:

    | Parameter | Value |
    | --- | --- |
    | AWS Access Key | Enter the AWS data repository host account Access Key |
    | AWS Secret Key | Enter the AWS data repository host account Secret Key |
    | AWS Region | Current default value is "us-west-1" |
    | Properties | Enter any additional properties |

  2. Click Finish.

AWS Postgres#

The key AWS Postgres site-specific parameters are listed below. Other properties are advanced and should be modified in consultation with Privacera.

| Property | Description | Example |
| --- | --- | --- |
| Service URL | URL connection to the Postgres repository. Format: "jdbc:postgresql://<POSTGRES_DB>:<POSTGRES_DB_PORT>" | "jdbc:postgresql://database-2.cluster-cxw9i.us-east-1.rds.amazonaws.com:5432" |
| Service name | Connection service name. | |
| Service username | Username database credential. | |
| Service password | Password database credential. | |
| Service managed global list | | |
| Manage database list, Manage schema list, Manage user list, Manage view list | See the note on list properties below this table. | |
| Create service user | Boolean: if true, new users will be created during policy synchronization. | |
| Service new user password | The password value to be assigned to any new user created during policy synchronization. | |
| Manage service user, group, or role | Boolean: if true, service users, groups, or roles will be managed. | |
| Ignore user list | Data access user ignore list. Comma-separated names of data access users to be ignored (non-managed) by PrivaceraCloud. This list is seeded with the standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin" |
| User, Role, or Group "Prefix" | A string value to be prefixed to Users, Roles, or Groups that are auto-created during synchronization. | "pc_user_", "pc_role_", "pc_group_" |
| Perform grant updates | If set to true, all grants will be executed. If false, grant updates will be dry-run and not actually executed. | |

The Manage database list, Manage schema list, Manage user list, and Manage view list properties follow the same format. For each:

  • Specify a list of zero or more names of databases, schemas, users, or views to be PrivaceraCloud managed.
  • If left blank, all target databases, schemas, users, or views in the repository will be managed.
  • If set to none, none of them will be managed.
  • Accepts a single name or multiple names with comma separation.
  • Regular expressions (regex) can be used. For example, *_xx will match the names company_xx, products_xx, and so on.

Azure#

There are four Azure data source options:

  • Azure ADLS Gen2
  • Azure MS SQL
  • Azure Snowflake
  • Azure Synapse

Azure - ADLS Gen2#

ADLS setup requires only two properties:

  • ADLS Storage Account ID

  • ADLS Account Storage Key

Once the ADLS service is established, you may want to configure your local ADLS CLI client to redirect requests to this PrivaceraCloud Azure ADLS Data Server proxy. See the topic User Interface: Launch Pad for these additional steps.

Azure - MS SQL#

The key Azure MSSQL site-specific parameters are listed below. Other properties are advanced and should be modified in consultation with Privacera.

| Property | Description | Example |
| --- | --- | --- |
| Service URL | URL connection to the MSSQL repository. Format: jdbc:sqlserver://<JDBC_SQLSERVER_URL_WITH_PORT_NUMBER> | |
| Service name | Connection service name. | |
| Service username | Username database credential. | |
| Service password | Password database credential. | |
| Authentication | Authentication Mode: SqlPassword or ActiveDirectoryPassword | |
| Audit Storage URL | Audit storage URL. | https://test.blob.core.windows.net/sqldbauditlogs/test |
| Manage database list, Manage schema list, Manage user list, Manage view list | See the note on list properties below this table. | |
| Create service user | Boolean: if true, new users will be created during policy synchronization. | |
| Service new user password | The password value to be assigned to any new user created during policy synchronization. | |
| Manage service user, group, or role | Boolean: if true, service users, groups, or roles will be managed. | |
| Ignore user list | Data access user ignore list. Comma-separated names of data access users to be ignored (non-managed) by PrivaceraCloud. This list is seeded with the standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin" |
| User, Role, or Group "Prefix" | A string value to be prefixed to Users, Roles, or Groups that are auto-created during synchronization. | "pc_user_", "pc_role_", "pc_group_" |
| Perform grant updates | If set to true, all grants will be executed. If false, grant updates will be dry-run and not actually executed. | |

The Manage database list, Manage schema list, Manage user list, and Manage view list properties follow the same format. For each:

  • Specify a list of zero or more names of databases, schemas, users, or views to be PrivaceraCloud managed.
  • If left blank, all target databases, schemas, users, or views in the repository will be managed.
  • If set to none, none of them will be managed.
  • Accepts a single name or multiple names with comma separation.
  • Regular expressions (regex) can be used. For example, *_xx will match the names company_xx, products_xx, and so on.

Azure Snowflake#

Snowflake Prerequisites#

PrivaceraCloud integration with Snowflake requires establishment of a PrivaceraCloud Warehouse and Database for use with PrivaceraCloud PolicySync activity.

Use the Snowflake console to do the following steps:

  1. Create a Warehouse to be used by Privacera Policy Sync.

    CREATE WAREHOUSE PRIVACERA_POLICYSYNC_WH WITH
    WAREHOUSE_SIZE = XSMALL
    WAREHOUSE_TYPE = STANDARD
    AUTO_SUSPEND = 600
    AUTO_RESUME = TRUE
    MIN_CLUSTER_COUNT = 1
    MAX_CLUSTER_COUNT = 1
    SCALING_POLICY = ECONOMY;

  2. Create a Privacera Sync Role, and grant it SECURITYADMIN and ACCOUNTADMIN rights so it can create users and additional roles.

    CREATE ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE SECURITYADMIN TO ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE ACCOUNTADMIN TO ROLE PRIVACERA_SYNC_ROLE;

  3. Create a Role to be the default owner of user-created resources.

    CREATE ROLE PRIVACERA_DEFAULT_OWNER;

  4. Create a Privacera Sync User and assign it a password. Set its default Warehouse and default role, then grant it the Privacera Sync Role.

    -- The default warehouse must be the one created in step 1.
    CREATE USER PRIVACERA_SYNC
    PASSWORD = '<CHANGE_ME-PRIVACERA_SYNC_PASSWORD>'
    MUST_CHANGE_PASSWORD = FALSE
    DEFAULT_WAREHOUSE = 'PRIVACERA_POLICYSYNC_WH'
    DEFAULT_ROLE = 'PRIVACERA_SYNC_ROLE';

    GRANT ROLE PRIVACERA_SYNC_ROLE TO USER PRIVACERA_SYNC;

  5. Create the database to store masking policies.

    CREATE DATABASE privacera_db;


The key Azure Snowflake site-specific parameters are listed below. Other properties are advanced and should be modified in consultation with Privacera.

| Property | Description | Example |
| --- | --- | --- |
| Service URL | URL connection to the Snowflake repository. | jdbc:snowflake://testpartner.snowflakecomputing.com |
| Service name | Connection service name. | |
| Service username | Username database credential. | |
| Service password | Password database credential. | |
| Warehouse name | | |
| Service managed global list | | |
| Manage database list, Manage schema list, Manage user list, Manage view list | See the note on list properties below this table. | |
| Create service user | Boolean: if true, new users will be created during policy synchronization. | |
| Service new user password | The password value to be assigned to any new user created during policy synchronization. | |
| Manage service user, group, or role | Boolean: if true, service users, groups, or roles will be managed. | |
| Ignore user list | Data access user ignore list. Comma-separated names of data access users to be ignored (non-managed) by PrivaceraCloud. This list is seeded with the standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin" |
| User, Role, or Group "Prefix" | A string value to be prefixed to Users, Roles, or Groups that are auto-created during synchronization. | "pc_user_", "pc_role_", "pc_group_" |
| Perform grant updates | If set to true, all grants will be executed. If false, grant updates will be dry-run and not actually executed. | |

The Manage database list, Manage schema list, Manage user list, and Manage view list properties follow the same format. For each:

  • Specify a list of zero or more names of databases, schemas, users, or views to be PrivaceraCloud managed.
  • If left blank, all target databases, schemas, users, or views in the repository will be managed.
  • If set to none, none of them will be managed.
  • Accepts a single name or multiple names with comma separation.
  • Regular expressions (regex) can be used. For example, *_xx will match the names company_xx, products_xx, and so on.

Azure - Synapse#

The key Azure Synapse site-specific parameters are listed below. Other properties are advanced and should be modified in consultation with Privacera.

| Property | Description | Example |
| --- | --- | --- |
| Service URL | URL connection to the MSSQL repository. Format: jdbc:sqlserver://<JDBC_SQLSERVER_URL_WITH_PORT_NUMBER> | |
| Service name | Connection service name. | |
| Service username | Username database credential. | |
| Service password | Password database credential. | |
| Authentication | Authentication Mode: SqlPassword or ActiveDirectoryPassword | |
| Audit Storage URL | Audit storage URL. | https://test.blob.core.windows.net/sqldbauditlogs/test |
| Manage database list, Manage schema list, Manage user list, Manage view list | See the note on list properties below this table. | |
| Create service user | Boolean: if true, new users will be created during policy synchronization. | |
| Service new user password | The password value to be assigned to any new user created during policy synchronization. | |
| Manage service user, group, or role | Boolean: if true, service users, groups, or roles will be managed. | |
| Ignore user list | Data access user ignore list. Comma-separated names of data access users to be ignored (non-managed) by PrivaceraCloud. This list is seeded with the standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin,gcs,gbq" |
| Ignore Schema List | Comma-separated names of schemas to be ignored (non-managed) by PrivaceraCloud. This list is seeded. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | "*.sys,*.privacera_security,*.INFORMATION_SCHEMA,*.guest,*.db_denydatareader,*.db_denydatawriter,*.db_datareader,*.db_datawriter,*.db_ddladmin,*.db_backupoperator,*.db_accessadmin,*.db_securityadmin,*.db_owner" |
| User, Role, or Group "Prefix" | A string value to be prefixed to Users, Roles, or Groups that are auto-created during synchronization. | "pc_user_", "pc_role_", "pc_group_" |
| Perform grant updates | If set to true, all grants will be executed. If false, grant updates will be dry-run and not actually executed. | |

The Manage database list, Manage schema list, Manage user list, and Manage view list properties follow the same format. For each:

  • Specify a list of zero or more names of databases, schemas, users, or views to be PrivaceraCloud managed.
  • If left blank, all target databases, schemas, users, or views in the repository will be managed.
  • If set to none, none of them will be managed.
  • Accepts a single name or multiple names with comma separation.
  • Regular expressions (regex) can be used. For example, *_xx will match the names company_xx, products_xx, and so on.
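The Manage database/schema/user/view list, Ignore user list, Create service user, and User/Role/Group "Prefix" properties that recur in the Redshift, Snowflake, Postgres, MS SQL, and Synapse tables above together decide which repository users PolicySync will touch. The helper below is an added example (not Privacera's code) that models those rules so a proposed configuration can be reviewed before it is saved; it assumes each list entry is interpreted as a full-match regular expression (so the page's glob-style "*_xx" corresponds to ".*_xx"), that an entry which is not a valid regex is compared literally, and that a policy user which already exists or is on the ignore list is never auto-created.

```python
import re

# Default seeded value of the "Ignore user list" property shown on this page.
SEEDED_IGNORE_USERS = (
    "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,"
    "dynamodb,athena,glue,redshift,kinesis,lambda,mssql,"
    "adls,postgres,kafka,snowflake,powerbi,padmin"
)

def parse_manage_list(value):
    """Blank -> None (manage everything); "none" -> [] (manage nothing);
    otherwise the comma-separated entries, whitespace-trimmed."""
    value = value.strip()
    if not value:
        return None
    if value.lower() == "none":
        return []
    return [e.strip() for e in value.split(",") if e.strip()]

def entry_matches(entry, name):
    """Try the entry as a full-match regex (assumption: that is how an entry
    is interpreted). An entry that is not a valid regex, such as the page's
    glob-style '*_xx', is compared literally rather than matching anything."""
    try:
        return re.fullmatch(entry, name) is not None
    except re.error:
        return entry == name

def is_managed(name, manage_list):
    entries = parse_manage_list(manage_list)
    return True if entries is None else any(entry_matches(e, name) for e in entries)

def plan_user_sync(existing_users, policy_users, manage_user_list,
                   ignore_user_list, create_service_user, user_prefix):
    """Split existing repository users into managed / untouched, and list the
    users PolicySync would auto-create (with the configured prefix) when
    "Create service user" is true. Assumption: a policy user that already
    exists or is on the ignore list is never created."""
    ignored = {u.strip() for u in ignore_user_list.split(",") if u.strip()}
    managed, untouched = [], []
    for user in existing_users:
        if user in ignored or not is_managed(user, manage_user_list):
            untouched.append(user)
        else:
            managed.append(user)
    to_create = []
    if create_service_user:
        present = set(existing_users)
        for user in policy_users:
            if user not in present and user not in ignored:
                to_create.append(user_prefix + user)
    return managed, untouched, to_create
```

Running plan_user_sync with "Perform grant updates" left false in the service is the same dry-run idea applied to the user lists: you see which accounts would be managed or created before any grant is executed.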

Last update: August 16, 2021