Privacera Data Access User Synchronization
Learn how you can synchronize users and groups from different connectors.
LDAP
- Run the following command to enable Privacera UserSync:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
- Enable the LDAP connector:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.ldap.yml config/custom-vars/
  vi config/custom-vars/vars.privacera-usersync.ldap.yml
Edit the following properties:

| Property | Description | Example |
|---|---|---|
| A) LDAP Connector Info | | |
| LDAP_CONNECTOR | Name of the connector. | ad |
| LDAP_ENABLED | Enabled status of the connector: true or false. | true |
| LDAP_SERVICE_TYPE | Set a service type: ldap or ad. | ad |
| LDAP_DATASOURCE_NAME | Name of the datasource: ldap or ad. | ad |
| LDAP_URL | URL of the source LDAP server. | ldap://example.us:389 |
| LDAP_BIND_DN | DN used to connect to LDAP and then query for users and groups. | CN=Example User,OU=sales,DC=ad,DC=sales,DC=us |
| LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above. | |
| LDAP_AUTH_TYPE | Authentication type; the default is simple. | simple |
| LDAP_REFERRAL | Set the LDAP context referral: ignore or follow. Default value is follow. | follow |
| B) Enable SSL for LDAP Server | | |
| PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED | Set this property to enable/disable SSL for Privacera UserSync. | true |
| PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | Set this property if you want Privacera Manager to generate a truststore for your SSL-enabled LDAP server. | true |
| PRIVACERA_USERSYNC_AUTH_SSL_ENABLED | Set this property if the other Privacera services are not SSL-enabled and you are using an SSL-enabled LDAP server. | true |
| C) LDAP Search | | |
| LDAP_SEARCH_GROUP_FIRST | Search for groups first, before searching for users. | true |
| LDAP_SEARCH_BASE | Search base for users and groups. | DC=ad,DC=sales,DC=us |
| LDAP_SEARCH_USER_BASE | Search base for users. | ou=example,dc=ad,dc=sales,dc=us |
| LDAP_SEARCH_USER_SCOPE | Search scope for users: base, one or sub. Default value is sub. | sub |
| LDAP_SEARCH_USER_FILTER | Optional additional filter constraining the users selected for syncing. | |
| LDAP_SEARCH_USER_GROUPONLY | Boolean to only load users in groups. | false |
| LDAP_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false |
| LDAP_SEARCH_INCREMENTAL_ENABLED | Enable incremental search, syncing only changes since the last search. | false |
| LDAP_PAGED_RESULTS_ENABLED | Enable the paged results control for LDAP searches. Default is true. | true |
| LDAP_PAGED_CONTROL_CRITICAL | Set the paged results control criticality to CRITICAL. Default is true. | true |
| LDAP_SEARCH_GROUP_BASE | Search base for groups. | ou=example,dc=ad,dc=sales,dc=us |
| LDAP_SEARCH_GROUP_SCOPE | Search scope for groups: base, one or sub. Default value is sub. | sub |
| LDAP_SEARCH_GROUP_FILTER | Optional additional filter constraining the groups selected for syncing. | |
| LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION | Number of sync cycles between deleted-entity searches. Default value is 6. | 6 |
| LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS | Enables both user and group deleted searches. Default is false. | false |
| LDAP_SEARCH_DETECT_DELETED_USERS | Override setting for the user deleted search. Default value is LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. | LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS |
| LDAP_SEARCH_DETECT_DELETED_GROUPS | Override setting for the group deleted search. Default value is LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. | LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS |
| D) LDAP Manage/Ignore List of Users/Groups | | |
| LDAP_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
| LDAP_IGNORE_USER_LIST | List of users to ignore from sync results. | |
| LDAP_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
| LDAP_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
| E) LDAP Object Users/Groups Class | | |
| LDAP_OBJECT_USER_CLASS | Object class that identifies user entries. | user |
| LDAP_OBJECT_GROUP_CLASS | Object class that identifies group entries. | group |
| F) LDAP User/Group Attributes | | |
| LDAP_ATTRIBUTE_USERNAME | Attribute from the user entry that is treated as the user name. | SAMAccountName |
| LDAP_ATTRIBUTE_FIRSTNAME | Attribute of a user's first name. The default is givenName. | givenName |
| LDAP_ATTRIBUTE_LASTNAME | Attribute of a user's last name. | |
| LDAP_ATTRIBUTE_EMAIL | Attribute from the user entry that is treated as the email address. | mail |
| LDAP_ATTRIBUTE_GROUPNAMES | List of attributes from the group entry that are treated as the group name. | |
| LDAP_ATTRIBUTE_GROUPNAME | Attribute from the group entry that is treated as the group name. | name |
| LDAP_ATTRIBUTE_GROUP_MEMBER | Attribute from the group entry that holds the list of members. | member |
| G) Username/Group name Attribute Modification | | |
| LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false |
| LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. | |
| LDAP_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. | |
| LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false |
| LDAP_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false |
| LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace the matching part of the username. Default is blank. | |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address. Default is false. | false |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group's name. Default is blank. | |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group's name. Default is blank. | |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group's name to lowercase. Default is false. | false |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group's name to uppercase. Default is false. | false |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace the matching part of the group's name. Default is blank. | |
| H) Group Attribute Configuration | | |
| LDAP_GROUP_ATTRIBUTE_LIST | The list of attribute keys to fetch from synced groups. | |
| LDAP_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. | |
| LDAP_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. | |
| LDAP_GROUP_LEVELS | Configure Privacera UserSync for AD/LDAP nested group membership. | |

- Run the following command:
  cd ~/privacera/privacera-manager
  ./privacera-manager.sh update
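Before running the update it is worth checking the LDAP values for the mistakes that most often cause a silent or weak sync: a simple bind over plain ldap:// with SSL disabled (the bind password crosses the network in clear), an empty bind password, or a scope or referral value the connector will not accept. The script below is an added example, not Privacera's own code: it takes the LDAP_* variables as a plain dict (the values are constructed from the table above), reports findings, and builds the equivalent read-only OpenLDAP `ldapsearch` command so the bind DN, search base, scope and filter can be exercised by hand first. The check rules and the way the object class and user filter are combined into one AND filter are this example's assumptions.

```python
"""Pre-flight check for a Privacera UserSync LDAP connector configuration (added example)."""
import shlex
from urllib.parse import urlsplit

# Constructed sample mirroring the LDAP property table; not a real environment.
SAMPLE_CONFIG = {
    "LDAP_ENABLED": "true",
    "LDAP_URL": "ldap://example.us:389",
    "LDAP_BIND_DN": "CN=Example User,OU=sales,DC=ad,DC=sales,DC=us",
    "LDAP_BIND_PASSWORD": "",
    "LDAP_AUTH_TYPE": "simple",
    "LDAP_REFERRAL": "follow",
    "PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED": "false",
    "LDAP_SEARCH_USER_BASE": "ou=example,dc=ad,dc=sales,dc=us",
    "LDAP_SEARCH_USER_SCOPE": "sub",
    "LDAP_SEARCH_USER_FILTER": "(mail=*)",
    "LDAP_OBJECT_USER_CLASS": "user",
    "LDAP_ATTRIBUTE_USERNAME": "SAMAccountName",
    "LDAP_ATTRIBUTE_EMAIL": "mail",
    "LDAP_PAGED_RESULTS_ENABLED": "true",
    "LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS": "true",
    "LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION": "6",
}

VALID_SCOPES = {"base", "one", "sub"}
VALID_REFERRALS = {"ignore", "follow"}


def is_true(value):
    return str(value).strip().lower() == "true"


def check_ldap_config(cfg):
    """Return a list of findings (strings); an empty list means no concerns."""
    findings = []
    url = urlsplit(cfg.get("LDAP_URL", ""))
    ssl_enabled = is_true(cfg.get("PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED", "false"))
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("LDAP_URL must start with ldap:// or ldaps://")
    # A simple bind sends the bind password in clear text unless the session is TLS-protected.
    if cfg.get("LDAP_AUTH_TYPE", "simple") == "simple" and url.scheme == "ldap" and not ssl_enabled:
        findings.append("simple bind over plain ldap:// without SSL exposes LDAP_BIND_PASSWORD on the wire")
    if url.scheme == "ldaps" and not ssl_enabled:
        findings.append("LDAP_URL is ldaps:// but PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED is not true")
    if not cfg.get("LDAP_BIND_DN"):
        findings.append("LDAP_BIND_DN is empty; the sync would attempt an anonymous bind")
    if not cfg.get("LDAP_BIND_PASSWORD"):
        findings.append("LDAP_BIND_PASSWORD is empty")
    for key in ("LDAP_SEARCH_USER_SCOPE", "LDAP_SEARCH_GROUP_SCOPE"):
        scope = cfg.get(key, "sub")
        if scope not in VALID_SCOPES:
            findings.append(f"{key}={scope!r} is not one of base, one, sub")
    if cfg.get("LDAP_REFERRAL", "follow") not in VALID_REFERRALS:
        findings.append("LDAP_REFERRAL must be ignore or follow")
    if is_true(cfg.get("LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS", "false")):
        cycles = str(cfg.get("LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION", "6"))
        if not cycles.isdigit() or int(cycles) < 1:
            findings.append("LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION must be a positive integer")
    return findings


def user_search_filter(cfg):
    """AND the object class with the optional user filter (assumed combination rule)."""
    base = f"(objectClass={cfg.get('LDAP_OBJECT_USER_CLASS', 'user')})"
    extra = cfg.get("LDAP_SEARCH_USER_FILTER", "").strip()
    return f"(&{base}{extra})" if extra else base


def ldapsearch_dry_run(cfg):
    """Build a read-only ldapsearch command equivalent to the connector's user search.

    -W prompts for the bind password so it never lands in shell history;
    -E pr=1000/noprompt requests paged results (OpenLDAP client syntax).
    """
    args = ["ldapsearch", "-x", "-LLL",
            "-H", cfg["LDAP_URL"],
            "-D", cfg["LDAP_BIND_DN"], "-W",
            "-b", cfg["LDAP_SEARCH_USER_BASE"],
            "-s", cfg.get("LDAP_SEARCH_USER_SCOPE", "sub")]
    if is_true(cfg.get("LDAP_PAGED_RESULTS_ENABLED", "true")):
        args += ["-E", "pr=1000/noprompt"]
    args += [user_search_filter(cfg),
             cfg.get("LDAP_ATTRIBUTE_USERNAME", "SAMAccountName"),
             cfg.get("LDAP_ATTRIBUTE_EMAIL", "mail")]
    return shlex.join(args)


if __name__ == "__main__":
    for finding in check_ldap_config(SAMPLE_CONFIG):
        print("WARNING:", finding)
    print(ldapsearch_dry_run(SAMPLE_CONFIG))
```

Running it against the sample values reports the clear-text simple bind and the empty password; switching the URL to ldaps:// with the SSL property set to true and a password supplied clears both findings. The ldapsearch line should return the same set of entries the connector will sync; if it returns nothing, fix the base, scope or filter before running the update.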
LDAP/AD deleted entity detection
When enabled, LDAP/AD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.
Properties:
- Boolean: usersync.connector.0.search.deleted.group.enabled (default: false)
- Boolean: usersync.connector.0.search.deleted.user.enabled (default: false)
- Numeric: usersync.connector.#.search.deleted.cycles (default: 6)

Privacera Manager Variables:
In the LDAP connector properties table above, see under LDAP Search (section C).
Azure Active Directory (AAD)
- Run the following command to enable Privacera UserSync:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
- Enable the AAD connector:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/
  vi config/custom-vars/vars.privacera-usersync.azuread.yml
Edit the following properties:

| Property | Description | Example |
|---|---|---|
| A) AAD Basic Info | | |
| AZURE_AD_CONNECTOR | Name of the connector. | AAD1 |
| AZURE_AD_ENABLED | Enabled status of the connector (true/false). | true |
| AZURE_AD_SERVICE_TYPE | Service type. | |
| AZURE_AD_DATASOURCE_NAME | Name of the datasource. | |
| AZURE_AD_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false |
| B) Azure AAD Info (get the following information from the Azure Portal) | | |
| AZURE_AD_TENANT_ID | Azure Active Directory ID (tenant ID). | 1a2b3c4d-azyd-4755-9638-e12xa34p56le |
| AZURE_AD_CLIENT_ID | Azure Active Directory application client ID used for accessing the Microsoft Graph API. | 11111111-1111-1111-1111-111111111111 |
| AZURE_AD_CLIENT_SECRET | Azure Active Directory application client secret used for accessing the Microsoft Graph API. | |
| AZURE_AD_USERNAME | Azure account username used to obtain an access token on behalf of the Azure AD application. | |
| AZURE_AD_PASSWORD | Azure account password used to obtain an access token on behalf of the Azure AD application. | |
| C) AAD Manage/Ignore List of Users/Groups | | |
| AZURE_AD_MANAGER_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
| AZURE_AD_IGNORE_USER_LIST | List of users to ignore from sync results. | |
| AZURE_AD_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
| AZURE_AD_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
| D) AAD Search | | |
| AZURE_AD_SEARCH_SCOPE | Azure AD application access scope. | |
| AZURE_AD_SEARCH_USER_GROUPONLY | Boolean to only load users in groups. | false |
| AZURE_AD_SEARCH_INCREMENTAL_ENABLED | Enable incremental search, syncing only changes since the last search. | false |
| AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS | Enables both user and group deleted searches. Default is false. | false |
| AZURE_AD_SEARCH_DETECT_DELETED_USERS | Override setting for the user deleted search. Default value is AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS. | AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS |
| AZURE_AD_SEARCH_DETECT_DELETED_GROUPS | Override setting for the group deleted search. Default value is AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS. | AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS |
| E) Azure Service Principal | | |
| AZURE_AD_SERVICEPRINCIPAL_ENABLED | Sync Azure service principals to Ranger user entities. | |
| AZURE_AD_SERVICEPRINCIPAL_USERNAME | Key from which the username is taken when a service principal is mapped to a Ranger user entity. | appId |
| F) AAD User/Group Attributes | | |
| AZURE_AD_ATTRIBUTE_USERNAME | Attribute of a user's name (default: userPrincipalName). | |
| AZURE_AD_ATTRIBUTE_FIRSTNAME | Attribute of a user's first name (default: givenName). | |
| AZURE_AD_ATTRIBUTE_LASTNAME | Attribute of a user's last name (default: surname). | |
| AZURE_AD_ATTRIBUTE_EMAIL | Attribute from the user entry that is treated as the email address. | |
| AZURE_AD_ATTRIBUTE_GROUPNAME | Attribute from the group entry that is treated as the group name. | |
| AZURE_AD_SERVICEPRINCIPAL_USERNAME | Attribute of the service principal name. | |
| G) Username/Group name Attribute Modification | | |
| AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false |
| AZURE_AD_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. | |
| AZURE_AD_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. | |
| AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false |
| AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false |
| AZURE_AD_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace the matching part of the username. Default is blank. | |
| AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address. Default is false. | false |
| AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group's name. Default is blank. | |
| AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group's name. Default is blank. | |
| AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group's name to lowercase. Default is false. | false |
| AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group's name to uppercase. Default is false. | false |
| AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace the matching part of the group's name. Default is blank. | |
| H) Group Attribute Configuration | | |
| AZURE_AD_GROUP_ATTRIBUTE_LIST | The list of attribute keys to fetch from synced groups. | |
| AZURE_AD_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. | |
| AZURE_AD_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. | |
| I) Filter Properties | | |
| AZURE_AD_FILTER_USER_LIST | Filter the AAD user list; supported for non-incremental search only. When incremental search is enabled, the delta search does not support filter properties. | abc.def@privacera.com |
| AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST | Filter the AAD service principal list; supported for non-incremental search only. When incremental search is enabled, the delta search does not support filter properties. | abc-testapp |
| AZURE_AD_FILTER_GROUP_LIST | Filter the AAD group list; supported for non-incremental search only. When incremental search is enabled, the delta search does not support filter properties. | PRIVACERA-AB-GROUP-00 |
| J) Domain Properties | | |
| AZURE_AD_MANAGE_DOMAIN_LIST | Only users whose domain is in the manage domain list will be synced. | Privacera.US |
| AZURE_AD_IGNORE_DOMAIN_LIST | Users whose domain is in the ignore domain list will not be synced. | Privacera.US |
| AZURE_AD_DOMAIN_ATTRIBUTE | Attribute from which the user's domain is read for comparison; email or username are supported. Default is email. | username |

- Run the following command:
  cd ~/privacera/privacera-manager
  ./privacera-manager.sh update
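The manage/ignore lists (section C, with the same semantics in the LDAP, SCIM and OKTA tables) and the AAD-only domain lists (section J) together decide which directory users become Privacera users, and the AZURE_AD_DOMAIN_ATTRIBUTE choice matters: a guest whose username is in your tenant domain but whose mail is at a partner domain passes the domain check under one setting and fails it under the other. The following is an added example, not Privacera's own code, that applies those filters to a constructed set of users and reports why each skipped user was excluded. Its precedence rules are assumptions: an ignore list always wins over a manage list, and a user must pass both the user-list and the domain-list checks.

```python
"""Apply AAD manage/ignore user lists and domain lists to a set of directory users (added example)."""

# Constructed sample users; "username" stands for userPrincipalName and "email" for mail.
SAMPLE_USERS = [
    {"username": "alice@privacera.us", "email": "alice@privacera.us"},
    {"username": "bob@contractor.example", "email": "bob@contractor.example"},
    {"username": "svc-admin@privacera.us", "email": "svc-admin@privacera.us"},
    {"username": "carol@privacera.us", "email": "carol@partner.example"},
]

# Constructed sample of the relevant vars.privacera-usersync.azuread.yml values.
SAMPLE_CONFIG = {
    "AZURE_AD_MANAGER_USER_LIST": "",
    "AZURE_AD_IGNORE_USER_LIST": "svc-admin@privacera.us",
    "AZURE_AD_MANAGE_DOMAIN_LIST": "Privacera.US",
    "AZURE_AD_IGNORE_DOMAIN_LIST": "",
    "AZURE_AD_DOMAIN_ATTRIBUTE": "email",
}


def _csv(value):
    """Split a comma-separated list property into a set of trimmed entries."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def _domain_of(user, domain_attribute):
    """Read the domain from the attribute selected by AZURE_AD_DOMAIN_ATTRIBUTE.

    Domains are compared case-insensitively, so 'Privacera.US' matches 'privacera.us'.
    """
    field = "email" if domain_attribute == "email" else "username"
    source = user.get(field, "")
    return source.rsplit("@", 1)[1].lower() if "@" in source else ""


def select_users(users, cfg):
    """Return (selected usernames, [(username, reason) for skipped users])."""
    manage = _csv(cfg.get("AZURE_AD_MANAGER_USER_LIST"))
    ignore = _csv(cfg.get("AZURE_AD_IGNORE_USER_LIST"))
    manage_domains = {d.lower() for d in _csv(cfg.get("AZURE_AD_MANAGE_DOMAIN_LIST"))}
    ignore_domains = {d.lower() for d in _csv(cfg.get("AZURE_AD_IGNORE_DOMAIN_LIST"))}
    domain_attr = cfg.get("AZURE_AD_DOMAIN_ATTRIBUTE", "email")

    selected, skipped = [], []
    for user in users:
        name = user["username"]
        domain = _domain_of(user, domain_attr)
        reason = None
        # Assumed precedence: ignore lists first, then manage lists, then domain lists.
        if name in ignore:
            reason = "on ignore user list"
        elif manage and name not in manage:
            reason = "not on manage user list"
        elif domain in ignore_domains:
            reason = f"domain {domain} on ignore domain list"
        elif manage_domains and domain not in manage_domains:
            reason = f"domain {domain} not on manage domain list"
        if reason:
            skipped.append((name, reason))
        else:
            selected.append(name)
    return selected, skipped


if __name__ == "__main__":
    chosen, dropped = select_users(SAMPLE_USERS, SAMPLE_CONFIG)
    print("synced:", chosen)
    for name, why in dropped:
        print("skipped:", name, "->", why)
```

With the domain attribute set to email, carol is skipped because her mail domain is not on the manage list; with it set to username she is synced. Reviewing the skipped list after a dry run like this is the quickest way to confirm the filters admit exactly the population you intend before the first real sync creates accounts.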
Azure Active Directory (AAD) deleted entity detection
When enabled, AAD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.
Properties:
- Boolean: usersync.connector.3.search.deleted.group.enabled (default: false)
- Boolean: usersync.connector.3.search.deleted.user.enabled (default: false)

Privacera Manager Variables:
In the AAD connector properties table above, see under AAD Search (section D).
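The soft-delete behaviour described above for the LDAP/AD and AAD connectors has one consequence worth checking on a schedule: a hidden user or group keeps its entries in access policies until someone removes them, so a principal that was deleted upstream can be resurrected with its old grants if the same name is later re-created. The following added example (not Privacera's own code) models the directory state, the cycle-based deleted-entity search and the soft delete, and then runs the audit a defender wants, listing policies that still reference hidden principals. The directory and policy records are constructed, and the scheduling rule (run the deleted-entity search every `cycles` sync cycles) is this example's reading of the `search.deleted.cycles` property.

```python
"""Soft-delete model and stale-policy-reference audit for deleted-entity detection (added example)."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    kind: str                                  # "user" or "group"
    hidden: bool = False
    groups: set = field(default_factory=set)   # memberships (users only)


@dataclass
class Policy:
    name: str
    users: set
    groups: set


def build_sample_directory():
    """Constructed state after an earlier sync: bob is a member of sales."""
    return {
        "alice": Principal("alice", "user"),
        "bob": Principal("bob", "user", groups={"sales"}),
        "sales": Principal("sales", "group"),
    }


def build_sample_policies():
    """Constructed policies: sales-read grants bob directly and via the sales group."""
    return [Policy("sales-read", users={"bob"}, groups={"sales"}),
            Policy("finance-read", users={"alice"}, groups=set())]


def soft_delete(directory, name):
    """Remove all memberships of the principal and mark it hidden.

    Policy references are deliberately left untouched, matching the behaviour
    described above: they remain until removed manually or the principal is fully deleted.
    """
    principal = directory[name]
    principal.hidden = True
    if principal.kind == "group":
        for other in directory.values():
            other.groups.discard(name)
    else:
        principal.groups.clear()


def run_sync_cycle(directory, source_names, cycle_no, cycles, detect_deleted):
    """One sync cycle. Returns the names soft-deleted in this cycle.

    Assumption: the deleted-entity search runs only every `cycles`-th cycle.
    """
    if not detect_deleted or cycle_no % cycles != 0:
        return []
    gone = [n for n, p in directory.items() if not p.hidden and n not in source_names]
    for name in gone:
        soft_delete(directory, name)
    return gone


def autocomplete(directory, prefix):
    """Hidden principals are excluded from policy-editor auto completion."""
    return sorted(n for n, p in directory.items() if not p.hidden and n.startswith(prefix))


def stale_policy_references(directory, policies):
    """Audit: (policy, principal) pairs where the policy still grants access to a hidden principal."""
    stale = []
    for pol in policies:
        for name in sorted(pol.users | pol.groups):
            if name in directory and directory[name].hidden:
                stale.append((pol.name, name))
    return stale


if __name__ == "__main__":
    directory, policies = build_sample_directory(), build_sample_policies()
    upstream = {"alice", "sales"}          # bob has been removed from the source directory
    for cycle in range(1, 7):
        removed = run_sync_cycle(directory, upstream, cycle, cycles=6, detect_deleted=True)
        if removed:
            print(f"cycle {cycle}: soft-deleted {removed}")
    print("stale policy references:", stale_policy_references(directory, policies))
```

In the sample, bob disappears upstream but is only soft-deleted at the sixth cycle, after which he no longer auto-completes yet `sales-read` still names him. Running the audit after each detection cycle and clearing or fully deleting the hits closes that window.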
SCIM
- Run the following command to enable Privacera UserSync:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
- Enable the SCIM connector:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.scim.yml config/custom-vars/
  vi config/custom-vars/vars.privacera-usersync.scim.yml
Edit the following properties:

| Property | Description | Example |
|---|---|---|
| A) SCIM Connector Info | | |
| SCIM_CONNECTOR | Name of the connector. | DB1 |
| SCIM_ENABLED | Enabled status of the connector (true/false). | true |
| SCIM_SERVICETYPE | Service type. | scim |
| SCIM_DATASOURCE_NAME | Name of the datasource. | databricks1 |
| SCIM_URL | Connector URL. | |
| ADMIN_USER_BEARER_TOKEN | Bearer token. | |
| B) SCIM Manage/Ignore List of Users/Groups | | |
| SCIM_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
| SCIM_IGNORE_USER_LIST | List of users to ignore from sync results. | |
| SCIM_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
| SCIM_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
| C) SCIM User/Group Attributes | | |
| SCIM_ATTRIBUTE_USERNAME | Attribute from the user entry that is treated as the user name. | userName |
| SCIM_ATTRIBUTE_FIRSTNAME | Attribute from the user entry that is treated as the first name. | name.givenName |
| SCIM_ATTRIBUTE_LASTNAME | Attribute from the user entry that is treated as the last name. | name.familyName |
| SCIM_ATTRIBUTE_EMAIL | Attribute from the user entry that is treated as the email address. | emails[primary-true].value |
| SCIM_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services (true/false). | false |
| SCIM_ATTRIBUTE_GROUPS | Attribute of a user's group list. | groups |
| SCIM_ATTRIBUTE_GROUPNAME | Attribute from the group entry that is treated as the group name. | displayName |
| SCIM_ATTRIBUTE_GROUP_MEMBER | Attribute from the group entry that holds the list of members. | members |
| D) SCIM Server Username Attribute Modifications | | |
| SCIM_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the user's username from an email address (e.g. username@domain.com -> username). The default is false. | false |
| SCIM_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. The default is blank. | |
| SCIM_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. The default is blank. | |
| SCIM_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the user's username to lowercase. The default is false. | false |
| SCIM_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the user's username to uppercase. The default is false. | false |
| SCIM_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace the matching part of the username. The default is blank. | |
| E) SCIM Server Group Name Attribute Modifications | | |
| SCIM_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group's name from an email address (e.g. groupname@domain.com -> groupname). The default is false. | false |
| SCIM_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group's name. The default is blank. | |
| SCIM_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group's name. The default is blank. | |
| SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group's name to lowercase. The default is false. | false |
| SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group's name to uppercase. The default is false. | false |
| SCIM_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace the matching part of the group's name. The default is blank. | |
| F) Group Attribute Configuration | | |
| SCIM_GROUP_ATTRIBUTE_LIST | The list of attribute keys to fetch from synced groups. | |
| SCIM_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. | |
| SCIM_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. | |

- Run the following command:
  cd ~/privacera/privacera-manager
  ./privacera-manager.sh update
SCIM Server
- Run the following command to enable Privacera UserSync:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
- Enable the SCIM Server connector:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.scimserver.yml config/custom-vars/
  vi config/custom-vars/vars.privacera-usersync.scimserver.yml
Edit the following properties:

| Property | Description | Example |
|---|---|---|
| A) SCIM Server Connector Info | | |
| SCIM_SERVER_CONNECTOR | Identifying name of this connector. | DB1 |
| SCIM_SERVER_ENABLED | Enabled status of the connector (true/false). | true |
| SCIM_SERVER_SERVICETYPE | Type of service/connector. | scimserver |
| SCIM_SERVER_DATASOURCE_NAME | Unique datasource name, used for identifying the source of data and configuring the priority list. (Optional) | databricks1 |
| SCIM_SERVER_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services (true/false). | |
| SCIM_SERVER_BEARER_TOKEN | Bearer token for authentication to the SCIM API. When set, SCIM requests presenting this token will be allowed access. | |
| SCIM_SERVER_USERNAME | Basic auth username. When set, SCIM requests with this username will be allowed access (password also required). | |
| SCIM_SERVER_PASSWORD | Basic auth password. When set, SCIM requests with this password will be allowed access (username also required). | |
| B) SCIM Server Manage/Ignore List of Users/Groups | | |
| SCIM_SERVER_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
| SCIM_SERVER_IGNORE_USER_LIST | List of users to ignore from sync results. | |
| SCIM_SERVER_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
| SCIM_SERVER_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
| C) SCIM Server Attributes | | |
| SCIM_SERVER_ATTRIBUTE_USERNAME | Attribute of a user's name. | userName |
| SCIM_SERVER_ATTRIBUTE_FIRSTNAME | Attribute of a user's first name. | name.givenName |
| SCIM_SERVER_ATTRIBUTE_LASTNAME | Attribute of a user's last/family name. | name.familyName |
| SCIM_SERVER_ATTRIBUTE_EMAIL | Attribute of a user's email. | emails[primary-true].value |
| SCIM_SERVER_ATTRIBUTE_GROUPS | Attribute of a user's group list. | groups |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME | Attribute of a group's name. | displayName |
| SCIM_SERVER_ATTRIBUTE_GROUP_MEMBER | Attribute from the group entry that holds the list of members. | members |
| D) SCIM Server Username Attribute Modifications | | |
| SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the user's username from an email address (e.g. username@domain.com -> username). The default is false. | false |
| SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. The default is blank. | |
| SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. The default is blank. | |
| SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the user's username to lowercase. The default is false. | false |
| SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the user's username to uppercase. The default is false. | false |
| SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace the matching part of the username. The default is blank. | |
| E) SCIM Server Group Name Attribute Modifications | | |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group's name from an email address (e.g. groupname@domain.com -> groupname). The default is false. | false |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group's name. The default is blank. | |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group's name. The default is blank. | |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group's name to lowercase. The default is false. | false |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group's name to uppercase. The default is false. | false |
| SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace the matching part of the group's name. The default is blank. | |
| F) Group Attribute Configuration | | |
| SCIM_SERVER_GROUP_ATTRIBUTE_LIST | The list of attribute keys to fetch from synced groups. | |
| SCIM_SERVER_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. | |
| SCIM_SERVER_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. | |

- Run the following command:
  cd ~/privacera/privacera-manager
  ./privacera-manager.sh update
OKTA
- Run the following command to enable Privacera UserSync:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
- Enable the OKTA connector:
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.privacera-usersync.okta.yml config/custom-vars/
  vi config/custom-vars/vars.privacera-usersync.okta.yml
Edit the following properties:

| Property | Description | Example |
|---|---|---|
| A) OKTA Connector Info | | |
| OKTA_CONNECTOR | Name of the connector. | OKTA |
| OKTA_ENABLED | Enabled status of the connector (true/false). | true |
| OKTA_SERVICETYPE | Type of service/connector. | okta |
| OKTA_DATASOURCE_NAME | Unique datasource name, used for identifying the source of data and configuring the priority list. (Optional) | |
| OKTA_SERVICE_URL | Connector URL. | https://{myOktaDomain}.okta.com |
| OKTA_API_TOKEN | API token. | A8b2c84d-895a-4fea-82dc-401397b8e50c |
| B) OKTA Manage/Ignore List of Users/Groups | | |
| OKTA_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
| OKTA_IGNORE_USER_LIST | List of users to ignore from sync results. | |
| OKTA_USER_LIST_STATUS | List of user statuses to manage; each entry is one of STAGED, PROVISIONED, ACTIVE, RECOVERY, PASSWORD_EXPIRED, LOCKED_OUT or DEPROVISIONED. If this list is defined, all users whose status is not on this list will be ignored. | ACTIVE,STAGED |
| OKTA_USER_LIST_LOGIN | List of users to manage by user login name (can contain ). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
| OKTA_USER_LIST_PROFILE_FIRSTNAME | List of users to manage by user first name (can contain ). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
| OKTA_USER_LIST_PROFILE_LASTNAME | List of users to manage by user last name (can contain ). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
| OKTA_LIST_PROFILE_EMAIL | List of users to manage by user email (can contain ). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
| OKTA_LIST_TYPE | List of group types to manage. If this list is defined, all groups whose type is not on this list will be ignored. | APP_GROUP,BUILT_IN,OKTA_GROUP |
| OKTA_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
| OKTA_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
| OKTA_GROUP_LIST_SOURCE_ID | List of groups to manage by group source ID. If this list is defined, all groups not on this list will be ignored. | 0oa2v0el0gP90aqjJ0g7,0oa2v0el0gP90aqjJ0g8,0oa2v0el0gP90aqjJ0g0 |
| OKTA_GROUP_LIST_PROFILE_NAME | List of groups to manage by group name. If this list is defined, all groups not on this list will be ignored. | group1,testGroup,testGroup2 |
| C) OKTA Search | | |
| OKTA_SEARCH_USER_GROUPONLY | Boolean to only load users in groups. | false |
| OKTA_SEARCH_INCREMENTAL_ENABLED | Boolean to enable incremental search, syncing only changes since the last search. | false |
| D) OKTA User/Group Attributes | | |
| OKTA_ATTRIBUTE_USERNAME | Attribute from the user entry that is treated as the user name. | login |
| OKTA_ATTRIBUTE_FIRSTNAME | Attribute from the user entry that is treated as the first name. | firstName |
| OKTA_ATTRIBUTE_LASTNAME | Attribute from the user entry that is treated as the last name. | lastName |
| OKTA_ATTRIBUTE_EMAIL | Attribute from the user entry that is treated as the email address. | email |
| OKTA_ATTRIBUTE_GROUPS | Attribute of a user's group list. | groups |
| OKTA_ATTRIBUTE_GROUPNAME | Attribute of a group's name. | name |
| OKTA_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services (true/false). | false |
| E) OKTA Username Attribute Modifications | | |
| OKTA_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the user's username from an email address (e.g. username@domain.com -> username). The default is false. | false |
| OKTA_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. The default is blank. | |
| OKTA_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. The default is blank. | |
| OKTA_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the user's username to lowercase. The default is false. | false |
| OKTA_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the user's username to uppercase. The default is false. | false |
| OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace the matching part of the username. The default is blank. | |
| F) OKTA Group Name Attribute Modifications | | |
| OKTA_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group's name from an email address (e.g. groupname@domain.com -> groupname). The default is false. | false |
| OKTA_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group's name. The default is blank. | |
| OKTA_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group's name. The default is blank. | |
| OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group's name to lowercase. The default is false. | false |
| OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group's name to uppercase. The default is false. | false |
| OKTA_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace the matching part of the group's name. The default is blank. | |

- Run the following command:
  cd ~/privacera/privacera-manager
  ./privacera-manager.sh update
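Every connector above carries the same username and group-name modification properties (EXTRACTFROMEMAIL, PREFIX, POSTFIX, TOLOWER, TOUPPER, REGEX: section G for LDAP and AAD, D/E for SCIM and SCIM Server, E/F for OKTA). Because Privacera policies are keyed on the resulting name, any modification that can map two distinct source identities to one name is an authorization risk: the second identity silently inherits the first one's grants. The following added example (not Privacera's own code) applies the modifications to a constructed set of source names and reports collisions. The order in which the modifications are applied is this example's assumption, and the REGEX property is left out because the page does not define its format.

```python
"""Apply *_ATTRIBUTE_USERNAME_VALUE_* style modifications and detect name collisions (added example)."""

# Constructed source identities: two different people whose local parts coincide.
SAMPLE_NAMES = [
    "Alice.Smith@corp.example",
    "alice.smith@partner.example",
    "Bob@corp.example",
]


def normalize_name(raw, extract_from_email=False, prefix="", postfix="",
                   to_lower=False, to_upper=False):
    """Apply the modifications in an assumed order: extract, prefix/postfix, then case."""
    value = raw
    if extract_from_email and "@" in value:
        value = value.split("@", 1)[0]          # username@domain.com -> username
    value = f"{prefix}{value}{postfix}"
    if to_lower:
        value = value.lower()
    if to_upper:
        value = value.upper()
    return value


def map_identities(raw_names, **opts):
    """Return {normalized name: [source names that produced it]}."""
    mapping = {}
    for raw in raw_names:
        mapping.setdefault(normalize_name(raw, **opts), []).append(raw)
    return mapping


def collisions(mapping):
    """Normalized names produced by more than one source identity."""
    return {name: sources for name, sources in mapping.items() if len(sources) > 1}


if __name__ == "__main__":
    # The combination a multi-domain tenant often reaches for, and the collision it creates.
    risky = map_identities(SAMPLE_NAMES, extract_from_email=True, to_lower=True)
    for name, sources in collisions(risky).items():
        print(f"COLLISION: {name!r} <- {sources}")
    # Keeping the domain (no extraction) keeps the identities distinct.
    print("collisions without extraction:", collisions(map_identities(SAMPLE_NAMES, to_lower=True)))
```

The same function applies unchanged to group names. Run the mapping over a full export of the source directory before enabling EXTRACTFROMEMAIL on a tenant that syncs more than one domain; an empty collision set is the condition under which that setting is safe.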