
Setup Wizard

The first user to log in to your PrivaceraCloud account is directed to a setup wizard. It assists with:

  1. Connecting data resources to your PrivaceraCloud account.
  2. Importing data access users.
  3. Importing portal users, or attaching to an identity provider to enable Single Sign-On (SSO).

If you choose not to configure through the Setup Wizard, you can later use Access Manager: Add Service to connect to data resources, or use Settings: Datasource to configure all three types of connections (data resources, data access user import, and portal user import or SSO configuration). See Connect Data Sources to get started adding data resources without the setup wizard. See Connect Users to get started adding data access users and portal users without the setup wizard.

Add a Service#

Select a Cloud Platform#

Identify the cloud platform hosting the data source: AWS or Azure. Select one and click Next. The next page opens to the options available for the selected platform.

AWS#

There are seven AWS data source service options:

  • AWS EMR  (includes Hive, Presto, and Spark)
  • AWS Athena
  • AWS Databricks
  • AWS Redshift
  • AWS Snowflake
  • AWS S3
  • AWS Postgres

Each has its own set of required data repository and site-specific properties. Select a service type and click Next.

AWS - EMR#

Method A is recommended to integrate PrivaceraCloud into a new cluster.

Method B is recommended for integration with an existing cluster. Download the bootstrap script, then continue the wizard to optionally add data access users and optionally configure Single Sign-On.

After providing this information click Done. You can then exit the wizard, return to the start of the wizard to add another service, or continue on to Wizard: Add Users.

After completing the wizard, follow the instructions in topic Connect EMR: Hive, Presto, Spark.

AWS - Athena#

AWS Athena service requires three parameters:

  • AWS Access Key: Access Key of the AWS account hosting the data repository
  • AWS Account Secret Key: Secret Key of the AWS account hosting the data repository
  • Query Results storage bucket URI: S3 URI of the bucket where Athena writes query results

These are long-lived credentials that PrivaceraCloud stores and uses on your behalf, so issue them to a dedicated IAM principal limited to the Athena and S3 permissions the integration needs, and rotate them on your normal schedule.

After providing this information click Done. You can then exit the wizard, return to the start of the wizard (or restart it) to add another service, or continue on to Wizard: Add Users.

To set up your client system for AWS CLI, open User Interface: Launch Pad and follow the steps to install and configure AWS CLI on your workstation.

AWS - Databricks#

Follow the instructions provided. After downloading the bootstrap script, follow the instructions in Connect Databricks SQL or Connect Databricks S3, depending on your data repository type, to complete the data source attachment.

AWS - Redshift#

The key AWS Redshift site-specific parameters are listed below.
(Other properties are advanced and should be modified in consultation with Privacera.)

  • Service URL: JDBC connection URL of the Redshift cluster. Example: jdbc:postgresql://redshift-cluster-1.test.redshift.amazonaws.com:5439
  • Service name: Connection service name.
  • Service username: Database username credential.
  • Service password: Database password credential.
  • Service master database name
  • Persist database connection
  • Manage database list, Manage schema list, Manage user list, Manage view list: these four properties share one format. Each is a list of zero or more names of databases, schemas, users, or views to be managed by PrivaceraCloud. Left blank, every object of that type in the repository is managed. Set to none, no object of that type is managed. Multiple names are separated by commas, and an entry may be a regular expression; for example .*_xx matches company_xx, products_xx, and so on.
  • Service new user password: The password assigned to any new user created during policy synchronization.

AWS Snowflake#

Snowflake Prerequisites#

Integrating PrivaceraCloud with Snowflake requires establishing a PrivaceraCloud Warehouse and Database for use with PrivaceraCloud PolicySync.

  1. Create a Warehouse to be used by Privacera Policy Sync.

    CREATE WAREHOUSE PRIVACERA_POLICYSYNC_WH WITH
    WAREHOUSE_SIZE = XSMALL
    WAREHOUSE_TYPE = STANDARD
    AUTO_SUSPEND = 600
    AUTO_RESUME = TRUE
    MIN_CLUSTER_COUNT = 1
    MAX_CLUSTER_COUNT = 1
    SCALING_POLICY = ECONOMY;

  2. Create a Privacera Sync Role and grant it the SECURITYADMIN and ACCOUNTADMIN roles so it can create users and additional roles. ACCOUNTADMIN is the most privileged role in a Snowflake account, so the credential created in step 4 must be handled accordingly: store it only in PrivaceraCloud, do not reuse it for interactive logins, and rotate it on your normal schedule.

    CREATE ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE SECURITYADMIN TO ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE ACCOUNTADMIN TO ROLE PRIVACERA_SYNC_ROLE;

  3. Create a Role to be the default owner of user-created resources.

    CREATE ROLE PRIVACERA_DEFAULT_OWNER;

  4. Create a Privacera Sync User, assign it a password, set its default Warehouse and default Role, and grant it the Privacera Sync Role. The default Warehouse must be the one created in step 1.

    CREATE USER PRIVACERA_SYNC PASSWORD = '<CHANGE_ME-PRIVACERA_SYNC_PASSWORD>'
    MUST_CHANGE_PASSWORD = FALSE
    DEFAULT_WAREHOUSE = 'PRIVACERA_POLICYSYNC_WH'
    DEFAULT_ROLE = 'PRIVACERA_SYNC_ROLE';

    GRANT ROLE PRIVACERA_SYNC_ROLE TO USER PRIVACERA_SYNC;

  5. Create the database to store policies.

    CREATE DATABASE privacera_db;


Key AWS Snowflake site-specific parameters are listed below.
(Other properties are advanced and should be modified in consultation with Privacera.)

  • Service URL: JDBC connection URL of the Snowflake account. Example: jdbc:snowflake://testpartner.snowflakecomputing.com
  • Service name: Connection service name.
  • Service username: Database username credential (typically the PRIVACERA_SYNC user created in the prerequisites).
  • Service password: Database password credential.
  • Warehouse name
  • Service managed global list
  • Manage database list, Manage schema list, Manage user list, Manage view list: these four properties share one format. Each is a list of zero or more names of databases, schemas, users, or views to be managed by PrivaceraCloud. Left blank, every object of that type in the repository is managed. Set to none, no object of that type is managed. Multiple names are separated by commas, and an entry may be a regular expression; for example .*_xx matches company_xx, products_xx, and so on.
  • Create service user: boolean; if true, new users are created during policy synchronization.
  • Service new user password: The password assigned to any new user created during policy synchronization.
  • Manage service user, group, or role: boolean; if true, the corresponding service users, groups, or roles are managed.
  • Ignore user list: Data access users to be ignored (not managed) by PrivaceraCloud, as a comma-separated list of names. The list is seeded with the standard data access service and administrator user names PrivaceraCloud normally creates for each account; it can be edited or augmented with site-specific names to exclude from PrivaceraCloud control. Default: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin"
  • User, Role, or Group Prefix: A string prefixed to Users, Roles, or Groups auto-created during synchronization. Examples: "pc_user_", "pc_role_", "pc_group_"
  • Perform grant updates: If true, all grants are executed. If false, grant updates are a dry run and are not executed. Leave this false for the first synchronization and review the planned grants before enabling it.

AWS S3#

AWS S3 service requires two parameters:

  • AWS Access Key: Access Key of the AWS account hosting the data repository
  • AWS Account Secret Key: Secret Key of the AWS account hosting the data repository

As with Athena, issue these to a dedicated IAM principal scoped to the buckets PrivaceraCloud needs rather than to an account-wide administrator.

AWS Postgres#

The key AWS Postgres site-specific parameters are listed below.
(Other properties are advanced and should be modified in consultation with Privacera.)

  • Service URL: JDBC connection URL of the Postgres repository. Format: jdbc:postgresql://<POSTGRES_DB>:<POSTGRES_DB_PORT>. Example: jdbc:postgresql://database-2.cluster-cxw9i.us-east-1.rds.amazonaws.com:5432
  • Service name: Connection service name.
  • Service username: Database username credential.
  • Service password: Database password credential.
  • Service managed global list
  • Manage database list, Manage schema list, Manage user list, Manage view list: these four properties share one format. Each is a list of zero or more names of databases, schemas, users, or views to be managed by PrivaceraCloud. Left blank, every object of that type in the repository is managed. Set to none, no object of that type is managed. Multiple names are separated by commas, and an entry may be a regular expression; for example .*_xx matches company_xx, products_xx, and so on.
  • Create service user: boolean; if true, new users are created during policy synchronization.
  • Service new user password: The password assigned to any new user created during policy synchronization.
  • Manage service user, group, or role: boolean; if true, the corresponding service users, groups, or roles are managed.
  • Ignore user list: Data access users to be ignored (not managed) by PrivaceraCloud, as a comma-separated list of names. The list is seeded with the standard data access service and administrator user names PrivaceraCloud normally creates for each account; it can be edited or augmented with site-specific names to exclude from PrivaceraCloud control. Default: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin"
  • User, Role, or Group Prefix: A string prefixed to Users, Roles, or Groups auto-created during synchronization. Examples: "pc_user_", "pc_role_", "pc_group_"
  • Perform grant updates: If true, all grants are executed. If false, grant updates are a dry run and are not executed.

Azure#

There are four Azure data source options:

  • Azure ADLS Gen2
  • Azure MS SQL
  • Azure Snowflake
  • Azure Synapse

Azure - ADLS Gen2#

ADLS setup requires only two properties:

  • ADLS Storage Account ID
  • ADLS Account Storage Key

Once the ADLS service is established, you may want to configure your local ADLS CLI client to redirect requests to the PrivaceraCloud Azure ADLS Data Server proxy. See topic User Interface: Launch Pad for these additional steps.

Azure - MS SQL#

The key Azure MSSQL site-specific parameters are listed below.
(Other properties are advanced and should be modified in consultation with Privacera.)

  • Service URL: JDBC connection URL of the MSSQL repository. Format: jdbc:sqlserver://<JDBC_SQLSERVER_URL_WITH_PORT_NUMBER>
  • Service name: Connection service name.
  • Service username: Database username credential.
  • Service password: Database password credential.
  • Authentication: Authentication mode, SqlPassword or ActiveDirectoryPassword.
  • Audit Storage URL: Audit storage URL. Example: https://test.blob.core.windows.net/sqldbauditlogs/test
  • Manage database list, Manage schema list, Manage user list, Manage view list: these four properties share one format. Each is a list of zero or more names of databases, schemas, users, or views to be managed by PrivaceraCloud. Left blank, every object of that type in the repository is managed. Set to none, no object of that type is managed. Multiple names are separated by commas, and an entry may be a regular expression; for example .*_xx matches company_xx, products_xx, and so on.
  • Create service user: boolean; if true, new users are created during policy synchronization.
  • Service new user password: The password assigned to any new user created during policy synchronization.
  • Manage service user, group, or role: boolean; if true, the corresponding service users, groups, or roles are managed.
  • Ignore user list: Data access users to be ignored (not managed) by PrivaceraCloud, as a comma-separated list of names. The list is seeded with the standard data access service and administrator user names PrivaceraCloud normally creates for each account; it can be edited or augmented with site-specific names to exclude from PrivaceraCloud control. Default: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin"
  • User, Role, or Group Prefix: A string prefixed to Users, Roles, or Groups auto-created during synchronization. Examples: "pc_user_", "pc_role_", "pc_group_"
  • Perform grant updates: If true, all grants are executed. If false, grant updates are a dry run and are not executed.

Azure Snowflake#

Snowflake Prerequisites#

Integrating PrivaceraCloud with Snowflake requires establishing a PrivaceraCloud Warehouse and Database for use with PrivaceraCloud PolicySync.

  1. Create a Warehouse to be used by Privacera Policy Sync.

    CREATE WAREHOUSE PRIVACERA_POLICYSYNC_WH WITH
    WAREHOUSE_SIZE = XSMALL
    WAREHOUSE_TYPE = STANDARD
    AUTO_SUSPEND = 600
    AUTO_RESUME = TRUE
    MIN_CLUSTER_COUNT = 1
    MAX_CLUSTER_COUNT = 1
    SCALING_POLICY = ECONOMY;

  2. Create a Privacera Sync Role and grant it the SECURITYADMIN and ACCOUNTADMIN roles so it can create users and additional roles. ACCOUNTADMIN is the most privileged role in a Snowflake account, so the credential created in step 4 must be handled accordingly: store it only in PrivaceraCloud, do not reuse it for interactive logins, and rotate it on your normal schedule.

    CREATE ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE SECURITYADMIN TO ROLE PRIVACERA_SYNC_ROLE;
    GRANT ROLE ACCOUNTADMIN TO ROLE PRIVACERA_SYNC_ROLE;

  3. Create a Role to be the default owner of user-created resources.

    CREATE ROLE PRIVACERA_DEFAULT_OWNER;

  4. Create a Privacera Sync User, assign it a password, set its default Warehouse and default Role, and grant it the Privacera Sync Role. The default Warehouse must be the one created in step 1.

    CREATE USER PRIVACERA_SYNC PASSWORD = '<CHANGE_ME-PRIVACERA_SYNC_PASSWORD>'
    MUST_CHANGE_PASSWORD = FALSE
    DEFAULT_WAREHOUSE = 'PRIVACERA_POLICYSYNC_WH'
    DEFAULT_ROLE = 'PRIVACERA_SYNC_ROLE';

    GRANT ROLE PRIVACERA_SYNC_ROLE TO USER PRIVACERA_SYNC;

  5. Create the database to store policies.

    CREATE DATABASE privacera_db;


Key Azure Snowflake site-specific parameters are shown below.
(Other properties are advanced and should be modified in consultation with Privacera.)

  • Service URL: JDBC connection URL of the Snowflake account. Example: jdbc:snowflake://testpartner.snowflakecomputing.com
  • Service name: Connection service name.
  • Service username: Database username credential (typically the PRIVACERA_SYNC user created in the prerequisites).
  • Service password: Database password credential.
  • Warehouse name
  • Service managed global list
  • Manage database list, Manage schema list, Manage user list, Manage view list: these four properties share one format. Each is a list of zero or more names of databases, schemas, users, or views to be managed by PrivaceraCloud. Left blank, every object of that type in the repository is managed. Set to none, no object of that type is managed. Multiple names are separated by commas, and an entry may be a regular expression; for example .*_xx matches company_xx, products_xx, and so on.
  • Create service user: boolean; if true, new users are created during policy synchronization.
  • Service new user password: The password assigned to any new user created during policy synchronization.
  • Manage service user, group, or role: boolean; if true, the corresponding service users, groups, or roles are managed.
  • Ignore user list: Data access users to be ignored (not managed) by PrivaceraCloud, as a comma-separated list of names. The list is seeded with the standard data access service and administrator user names PrivaceraCloud normally creates for each account; it can be edited or augmented with site-specific names to exclude from PrivaceraCloud control. Default: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin"
  • User, Role, or Group Prefix: A string prefixed to Users, Roles, or Groups auto-created during synchronization. Examples: "pc_user_", "pc_role_", "pc_group_"
  • Perform grant updates: If true, all grants are executed. If false, grant updates are a dry run and are not executed. Leave this false for the first synchronization and review the planned grants before enabling it.

Azure - Synapse#

The key Azure Synapse site-specific parameters are listed below.
(Other properties are advanced and should be modified in consultation with Privacera.)

  • Service URL: JDBC connection URL of the Synapse SQL endpoint (SQL Server JDBC format). Format: jdbc:sqlserver://<JDBC_SQLSERVER_URL_WITH_PORT_NUMBER>
  • Service name: Connection service name.
  • Service username: Database username credential.
  • Service password: Database password credential.
  • Authentication: Authentication mode, SqlPassword or ActiveDirectoryPassword.
  • Audit Storage URL: Audit storage URL. Example: https://test.blob.core.windows.net/sqldbauditlogs/test
  • Manage database list, Manage schema list, Manage user list, Manage view list: these four properties share one format. Each is a list of zero or more names of databases, schemas, users, or views to be managed by PrivaceraCloud. Left blank, every object of that type in the repository is managed. Set to none, no object of that type is managed. Multiple names are separated by commas, and an entry may be a regular expression; for example .*_xx matches company_xx, products_xx, and so on.
  • Create service user: boolean; if true, new users are created during policy synchronization.
  • Service new user password: The password assigned to any new user created during policy synchronization.
  • Manage service user, group, or role: boolean; if true, the corresponding service users, groups, or roles are managed.
  • Ignore user list: Data access users to be ignored (not managed) by PrivaceraCloud, as a comma-separated list of names. The list is seeded with the standard data access service and administrator user names PrivaceraCloud normally creates for each account; it can be edited or augmented with site-specific names to exclude from PrivaceraCloud control. Default: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin,gcs,gbq"
  • Ignore Schema List: Schemas to be ignored (not managed) by PrivaceraCloud, as a comma-separated list of names. The list is seeded with the built-in SQL Server schemas and roles; it can be edited or augmented with site-specific names to exclude from PrivaceraCloud control. Default: "*.sys,*.privacera_security,*.INFORMATION_SCHEMA,*.guest,*.db_denydatareader,*.db_denydatawriter,*.db_datareader,*.db_datawriter,*.db_ddladmin,*.db_backupoperator,*.db_accessadmin,*.db_securityadmin,*.db_owner"
  • User, Role, or Group Prefix: A string prefixed to Users, Roles, or Groups auto-created during synchronization. Examples: "pc_user_", "pc_role_", "pc_group_"
  • Perform grant updates: If true, all grants are executed. If false, grant updates are a dry run and are not executed.
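The manage lists, ignore lists, prefix and dry-run switch above behave the same way for every PolicySync-backed service on this page (Redshift, Snowflake, Postgres, MS SQL and Synapse). The following is an added worked model of those rules, not Privacera code: it encodes the property descriptions as stated (blank manages everything, the literal none manages nothing, otherwise comma-separated names or regular expressions, with the ignore list always winning) and then shows what a synchronization would plan for a constructed set of users. The placeholder SQL statements, the reader role name and the execute callback are assumptions made for the illustration; PolicySync's real statements are not documented here.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# Seeded default of the 'Ignore user list' property from the tables above.
DEFAULT_IGNORE_USERS = ("admin,rangerusersync,keyadmin,rangertagsync,hive,s3,"
                        "dynamodb,athena,glue,redshift,kinesis,lambda,mssql,"
                        "adls,postgres,kafka,snowflake,powerbi,padmin")


def compile_manage_list(value: Optional[str]) -> Optional[List[re.Pattern]]:
    """Turn a 'Manage ... list' value into match patterns.

    None -> property left blank: every object of that type is managed.
    []   -> the literal 'none': nothing of that type is managed.
    list -> one case-insensitive full-match regex per comma-separated entry.
    A leading '*' on its own is not valid regex, so an entry such as '*_xx'
    is read as '.*_xx' instead of raising re.error (assumed behaviour)."""
    if value is None or not value.strip():
        return None
    if value.strip().lower() == "none":
        return []
    patterns = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry.startswith("*"):
            entry = "." + entry
        patterns.append(re.compile(entry, re.IGNORECASE))
    return patterns


def split_names(value: str) -> set:
    """Lower-cased set of names from a comma-separated property value."""
    return {n.strip().lower() for n in value.split(",") if n.strip()}


def in_scope(names: Iterable[str], manage_list: Optional[str],
             ignore_list: str = "") -> List[str]:
    """Objects PolicySync would manage: on the manage list and not on the ignore list."""
    patterns = compile_manage_list(manage_list)
    ignored = split_names(ignore_list)
    return [n for n in names
            if n.lower() not in ignored
            and (patterns is None or any(p.fullmatch(n) for p in patterns))]


@dataclass
class SyncPlan:
    planned: List[str] = field(default_factory=list)   # what PolicySync would run
    executed: List[str] = field(default_factory=list)  # what it actually sent


def sync_users(existing_users: Iterable[str], policy_users: Iterable[str], *,
               manage_user_list: str = "", ignore_user_list: str = DEFAULT_IGNORE_USERS,
               create_service_user: bool = True, user_prefix: str = "pc_user_",
               role_prefix: str = "pc_role_", perform_grant_updates: bool = False,
               execute: Optional[Callable[[str], None]] = None) -> SyncPlan:
    """Plan user creation and grants; send them only when 'Perform grant updates' is true.

    The SQL text is a placeholder showing the shape of a plan, not what PolicySync
    emits; `execute` is a hypothetical stand-in for the database connection."""
    plan = SyncPlan()
    existing = {u.lower(): u for u in existing_users}
    managed = {u.lower() for u in in_scope(existing.values(), manage_user_list, ignore_user_list)}
    ignored = split_names(ignore_user_list)
    for user in policy_users:
        key = user.lower()
        if key in ignored:
            continue  # never touched, even when a policy names it
        if key in existing:
            if key in managed:
                plan.planned.append(f'GRANT ROLE {role_prefix}reader TO USER "{existing[key]}"')
        elif create_service_user:
            name = f"{user_prefix}{user}"  # auto-created users get the configured prefix
            plan.planned.append(f"CREATE USER \"{name}\" PASSWORD = '<Service new user password>'")
            plan.planned.append(f'GRANT ROLE {role_prefix}reader TO USER "{name}"')
    if perform_grant_updates:  # false = dry run: the plan is visible, nothing is sent
        for statement in plan.planned:
            if execute is not None:
                execute(statement)
            plan.executed.append(statement)
    return plan


if __name__ == "__main__":
    # Constructed input: 'hive' is on the seeded ignore list, 'carol' does not exist yet.
    for statement in sync_users(["alice", "hive", "bob"], ["alice", "hive", "carol"]).planned:
        print("DRY RUN:", statement)
```

Running the dry run first is the check the Perform grant updates property exists for: the plan above lists one grant for alice, nothing for hive (ignored) and a create-plus-grant for pc_user_carol, and nothing reaches the database until the flag is set to true.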

Add Users (optional)#

These steps provision data access users by import from LDAP, LDAP-SSL, Active Directory, Azure Active Directory, or SCIM identity servers. If you select No, user provisioning for data access users can be configured at a later time. See First Steps: Connect Users.

Add Users: If you select Yes, choose one of LDAP / AD, AAD, or SCIM and provide the connection information for your selected directory service or identity provider.

Single Sign On#

PrivaceraCloud can be configured to use an external Identity Provider. Connecting to an Identity Provider activates use of Single Sign On.

Single Sign On, if selected Yes, provides the means to configure a connection via SAML to an identity provider. If selected No, enabling SSO for portal access can be configrued at a later time. See First Steps: Connect Users.

PrivaceraCloud SAML and SSO has been validated for use with Okta

An Okta account must first be established and information obtained from that account prior to configuring Privacera SAML.

See Okta Identity Provider Setup for instructions for obtaining the required SAML and metadata information. Once that information is available return to this section to complete the setup.

  • Entity Id: Service Provider (SP) identifier value assigned to your account, provided by the Identity Provider.
    (For Okta, this is provided on the Okta Configuration page.)
  • Identity Provider Url: Access URL to the Identity Provider.
    (For Okta, this is the Okta Embedded Link.)
  • Identity Provider Metadata: Metadata description file. Use the upload control to provide this information. This file is provided by the Identity Provider.

Complete with UserName, FirstName Attribute, LastName Attribute, and Email Attribute.

Save this configuration.
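Before uploading the Identity Provider Metadata file it is worth confirming that it really is IdP metadata, that its entityID and SSO URL agree with what you enter in the wizard, and that it carries the signing certificate PrivaceraCloud will use to verify assertions. The following is an added example for that check; it is not Privacera or Okta code. It reads the standard SAML 2.0 metadata elements with the Python standard library, and the metadata document, entityID, URLs and certificate bytes in it are constructed placeholders rather than values from any real IdP.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the DER certificate an IdP embeds in its metadata.
FAKE_CERT_DER = b"constructed example, not a real X.509 certificate"
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT_DER).hexdigest()

# Constructed IdP metadata with the elements a real file carries; the
# entityID and URLs are placeholders, not values from Okta or any other IdP.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# What an upload of the SP-side metadata (the wrong file) looks like.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Pull out the values the wizard needs and flag common mistakes.

    Uses the stdlib parser; for metadata from an untrusted source prefer
    defusedxml, since ElementTree does not limit entity expansion."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
        return {"problems": problems}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is SP metadata or not an IdP")
        return {"entity_id": root.get("entityID"), "problems": problems}
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both uses
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("no signing certificate: assertions cannot be verified")
    return {
        "entity_id": root.get("entityID"),          # compare with the wizard's Entity Id
        "sso_redirect_url": sso.get(REDIRECT_BINDING),
        "sso_post_url": sso.get(POST_BINDING),      # compare with Identity Provider Url
        "signing_cert_sha256": fingerprints,        # compare with the IdP console
        "problems": problems,
    }


if __name__ == "__main__":
    for name, doc in (("idp", SAMPLE_IDP_METADATA), ("sp", SAMPLE_SP_METADATA)):
        print(name, inspect_idp_metadata(doc))
```

The fingerprint is the value to compare against the certificate shown in the IdP's console; if they differ, the file is stale and assertions signed with the current key will be rejected after SSO is enabled. Metadata with an http:// SSO endpoint or with no signing certificate should not be uploaded at all.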

Once completed, a Single Sign-On (SSO) button is displayed on the PrivaceraCloud Login page.

SSO-authenticated identities must have a matching Privacera portal user to be authorized. Identities without a matching portal user are not authorized to use any part of the PrivaceraCloud UI or API.


Last update: August 19, 2021