Privacera Data Access User Synchronization

This topic covers how you can synchronize users, and groups from different connectors.

LDAP

1. Run the following command. This enables Privacera user sync.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
   

2. To enable the LDAP connector, run the following command.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.ldap.yml config/custom-vars/
   vi config/custom-vars/vars.privacera-usersync.ldap.yml
   

   Edit the following properties:

   Property	Description	Example
   A) LDAP Connector Info
   LDAP_CONNECTOR	Name of the connector.	AD
   LDAP_ENABLED	Enable the connector.	true
   LDAP_SERVICE_TYPE	Set a service type: ldap or ad	ad
   LDAP_DATASOURCE_NAME	Name of the datasource:ldap or ad	ad
   LDAP_URL	URL of source ldap.	ldap://example.us:389
   LDAP_BIND_DN	Property is used to connect to LDAP and then query for users and groups.	CN=Example User,OU=sales,DC=ad,DC=sales,DC=us
   LDAP_BIND_PASSWORD	ldap bind password for the bind DN specified above.
   LDAP_AUTH_TYPE	Authentication type: Simple	Simple
   LDAP_REFERRAL	Set the LDAP context referral: ignore or follow. Default value is follow.	follow
   B) Enable SSL for LDAP Server
   PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED	Set this property to enable/disable SSL for Privacera Usersync.	true
   PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS		true
   C) LDAP Search
   LDAP_SEARCH_GROUP_FIRST	Property to enable to search for groups first, before searching for users.	true
   LDAP_SEARCH_BASE	Search base for users and groups.	DC=ad,DC=sales,DC=us
   LDAP_SEARCH_USER_BASE	Search base for users.	ou=example,dc=ad,dc=sales,dc=us
   LDAP_SEARCH_USER_SCOPE	Set the value for search scope for the users: base, one, sub. Default value is sub.	sub
   LDAP_SEARCH_USER_FILTER	Optional additional filter constraining the users selected for syncing.
   LDAP_SEARCH_USER_GROUPONLY	Only loads the users in groups.	false
   LDAP_SEARCH_GROUP_BASE	Search base for groups.	ou=example,dc=ad,dc=sales,dc=us
   LDAP_SEARCH_GROUP_SCOPE	Set the value for search scope for the groups: base, one, sub. Default value is sub.	sub
   LDAP_SEARCH_GROUP_FILTER	Optional additional filter constraining the groups selected for syncing.
   D) LDAP Manage/Ignore List of Users/Groups
   LDAP_MANAGE_USER_LIST
   LDAP_IGNORE_USER_LIST	Ignores the users from the list.
   LDAP_MANAGE_GROUP_LIST
   LDAP_IGNORE_GROUP_LIST	Ignores the groups from the list.
   E) LDAP Object Users/Groups Class
   LDAP_OBJECT_USER_CLASS	Objectclass to identify user entries.	user
   LDAP_OBJECT_GROUP_CLASS	Objectclass to identify group entries.	group
   F) LDAP User/Group Attributes
   LDAP_ATTRIBUTE_USERNAME	Attribute from user entry that would be treated as user name.	sAMAccountName
   LDAP_ATTRIBUTE_EMAIL	Attribute from user entry that would be treated as email address.	mail
   LDAP_ATTRIBUTE_GROUPNAMES	List of attributes from group entry that would be treated as group name.
   LDAP_ATTRIBUTE_GROUPNAME	Attribute from group entry that would be treated as group name.	name
   LDAP_ATTRIBUTE_GROUP_MEMBER	Attribute from group entry that is list of members.	member
   LDAP_ATTRIBUTE_LIST
   LDAP_ATTRIBUTE_VALUE_PREFIX
   LDAP_ATTRIBUTE_KEY_PREFIX
   G) Miscellaneous Properties
   LDAP_GROUP_LEVELS	Configuring privacera usersync with AD/LDAP nested group membership.

3. Run the following command.

   cd ~/privacera/privacera-manager 
   ./privacera-manager.sh update
   

Azure Active Directory (AAD)

1. Run the following command. This enables Privacera user sync.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
   

2. To enable the AAD connector, run the following command.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/
   vi config/custom-vars/vars.privacera-usersync.azuread.yml
   

   Edit the following properties:

   Property	Description	Example
   A) AAD Basic Info
   AZURE_AD_CONNECTOR	Name of the connector.	AAD1
   AZURE_AD_ENABLED	Enable the connector.	true
   AZURE_AD_SERVICE_TYPE	Service Type
   AZURE_AD_DATASOURCE_NAME	Name of the datasource.
   AZURE_AD_CLASS
   B) Azure AAD Info: Get the following information from Azure Portal.
   AZURE_AD_TENANT_ID	Azure Active Directory Id (Tenant ID)	1a2b3c4d-azyd-4755-9638-e12xa34p56le
   AZURE_AD_CLIENT_ID	Azure Active Directory application client ID which will be used for accessing Microsoft Graph API.	11111111-1111-1111-1111-111111111111
   AZURE_AD_CLIENT_SECRET	Azure Active Directory application client secret which will be used for accessing Microsoft Graph API.
   AZURE_AD_USERNAME	Azure Account username which will be used for getting access token to be used on behalf of Azure AD application.
   AZURE_AD_PASSWORD	Azure Account password which will be used for getting access token to be used on behalf of Azure AD application.
   C) AAD Manage/Ignore List of Users/Groups
   AZURE_AD_MANAGER_USER_LIST
   AZURE_AD_MANAGER_USER_LIST
   AZURE_AD_MANAGE_GROUP_LIST	Ignores the users from the list.
   AZURE_AD_IGNORE_GROUP_LIST	Ignores the groups from the list.
   D) AAD Search
   AZURE_AD_SEARCH_SCOPE	Azure AD Application Access Scope
   AZURE_AD_SEARCH_USER_GROUPONLY	Only loads the users in groups.	false
   E) Azure Service Principal
   AZURE_AD_SERVICEPRINCIPAL_ENABLED	Sync Azure service principal to ranger user entity.
   AZURE_AD_SERVICEPRINCIPAL_USERNAME	Properties to specify from which key to get values of username in case service principal is mapped to Ranger user entity.	appId
   F) AAD User/Group Attributes
   AZURE_AD_ATTRIBUTE_USERNAME	Attribute from user entry that would be treated as user name.
   AZURE_AD_ATTRIBUTE_FIRSTNAME	Attribute from user entry that would be treated as firstname.
   AZURE_AD_ATTRIBUTE_EMAIL	Attribute from user entry that would be treated as email address.
   AZURE_AD_ATTRIBUTE_GROUPNAME	Attribute from group entry that would be treated as group name.
   AZURE_AD_ATTRIBUTE_LIST
   AZURE_AD_ATTRIBUTE_VALUE_PREFIX
   AZURE_AD_ATTRIBUTE_KEY_PREFIX

3. Run the following command.

   cd ~/privacera/privacera-manager 
   ./privacera-manager.sh update
   

SCIM

1. Run the following command. This enables Privacera user sync.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
   

2. To enable the SCIM connector, run the following command.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.scim.yml config/custom-vars/
   vi config/custom-vars/vars.privacera-usersync.scim.yml
   

   Edit the following properties:

   Property	Description	Example
   A) SCIM Connector Info
   SCIM_CONNECTOR	Name of connector.	DB1
   SCIM_ENABLED	Enable the connector.	true
   SCIM_SERVICETYPE	Service Type	scim
   SCIM_DATASOURCE_NAME	Name of the datasource.	databricks1
   SCIM_URL	Connector URL
   ADMIN_USER_BEARER_TOKEN	Bearer token
   B) SCIM Manage/Ignore List of Users/Groups
   SCIM_MANAGE_USER_LIST
   SCIM_IGNORE_USER_LIST	Ignores the users from the list.
   SCIM_MANAGE_GROUP_LIST
   SCIM_IGNORE_GROUP_LIST	Ignores the groups from the list.
   C) SCIM User/Group Attributes
   SCIM_ATTRIBUTE_USERNAME	Attribute from user entry that would be treated as user name.	userName
   SCIM_ATTRIBUTE_FIRSTNAME	Attribute from user entry that would be treated as firstname.	name.givenName
   SCIM_ATTRIBUTE_LASTNAME	Attribute from user entry that would be treated as lastname.	name.familyName
   SCIM_ATTRIBUTE_EMAIL	Attribute from user entry that would be treated as email address.	emails[primary-true].value
   SCIM_ATTRIBUTE_GROUPS		groups
   SCIM_ATTRIBUTE_GROUPNAME	Attribute from group entry that would be treated as group name.	displayName
   SCIM_ATTRIBUTE_GROUP_MEMBER	Attribute from group entry that is list of members.	members
   SCIM_ATTRIBUTE_LIST
   SCIM_ATTRIBUTE_VALUE_PREFIX
   SCIM_ATTRIBUTE_PREFIX

3. Run the following command.

   cd ~/privacera/privacera-manager 
   ./privacera-manager.sh update
   

OKTA

1. Run the following command. This enables Privacera user sync.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
   

2. To enable the OKTA connector, run the following command.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.privacera-usersync.okta.yml config/custom-vars/
   vi config/custom-vars/vars.privacera-usersync.okta.yml
   

   Edit the following properties:

   Property	Description	Example
   A) OKTA Connector Info
   OKTA_CONNECTOR	Name of the connector.	OKTA
   OKTA_ENABLED	Enable the connector.	true
   OKTA_SERVICETYPE	Service Type
   OKTA_DATASOURCE_NAME	Name of the datasource.
   OKTA_SERVICE_URL	Connector URL	https://{myOktaDomain}.okta.com
   OKTA_API_TOKEN	API token	A8b2c84d-895a-4fea-82dc-401397b8e50c
   B) OKTA Manage/Ignore List of Users/Groups
   OKTA_USER_LIST_STATUS		eq;ACTIVE,STAGED
   OKTA_USER_LIST_PROFILE_FIRSTNAME		sw;mon,san
   OKTA_USER_LIST_PROFILE_LASTNAME		sw;mon,san
   OKTA_LIST_PROFILE_EMAIL		sw;mon,san
   OKTA_LIST_TYPE		eq;APP_GROUP,BUILT_IN,OKTA_GROUP
   OKTA_GROUP_LIST		ra,tes
   OKTA_IGNORE_GROUP_LIST	Ignores the groups from the list.
   C) OKTA Search
   OKTA_SEARCH_USER_GROUPONLY	Only loads the users in groups	false
   A) OKTA User/Group Attributes
   OKTA_ATTRIBUTE_USERNAME	Attribute from user entry that would be treated as user name.	login
   OKTA_ATTRIBUTE_FIRSTNAME	Attribute from user entry that would be treated as firstname.	firstName
   OKTA_ATTRIBUTE_LASTNAME	Attribute from user entry that would be treated as lastname.	lastName
   OKTA_ATTRIBUTE_EMAIL	Attribute from user entry that would be treated as email address.	email
   OKTA_ATTRIBUTE_GROUPS		groups
   OKTA_ATTRIBUTE_LIST

3. Run the following command.

   cd ~/privacera/privacera-manager 
   ./privacera-manager.sh update
   

---

Last update: October 7, 2021