# Privacera Data Access User Synchronization

This topic covers how to synchronize users and groups from different connectors (LDAP, Azure Active Directory, SCIM, and Okta).

## LDAP

  1. Run the following commands to enable Privacera user sync.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. To enable the LDAP connector, run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.ldap.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.ldap.yml
    

    Edit the following properties:

    | Property | Description | Example |
    |---|---|---|
    | A) LDAP Connector Info | | |
    | LDAP_CONNECTOR | Name of the connector. | AD |
    | LDAP_ENABLED | Enable the connector. | true |
    | LDAP_SERVICE_TYPE | Service type: ldap or ad. | ad |
    | LDAP_DATASOURCE_NAME | Name of the datasource: ldap or ad. | ad |
    | LDAP_URL | URL of the source LDAP server. | ldap://example.us:389 |
    | LDAP_BIND_DN | DN used to connect to LDAP and then query for users and groups. | CN=Example User,OU=sales,DC=ad,DC=sales,DC=us |
    | LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above. | |
    | LDAP_AUTH_TYPE | Authentication type: Simple. | Simple |
    | LDAP_REFERRAL | LDAP context referral handling: ignore or follow. Default value is follow. | follow |
    | B) Enable SSL for LDAP Server | | |
    | PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED | Enable or disable SSL for Privacera Usersync. | true |
    | PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | | true |
    | C) LDAP Search | | |
    | LDAP_SEARCH_GROUP_FIRST | Search for groups first, before searching for users. | true |
    | LDAP_SEARCH_BASE | Search base for users and groups. | DC=ad,DC=sales,DC=us |
    | LDAP_SEARCH_USER_BASE | Search base for users. | ou=example,dc=ad,dc=sales,dc=us |
    | LDAP_SEARCH_USER_SCOPE | Search scope for users: base, one, or sub. Default value is sub. | sub |
    | LDAP_SEARCH_USER_FILTER | Optional additional filter constraining the users selected for syncing. | |
    | LDAP_SEARCH_USER_GROUPONLY | Only load users that are members of groups. | false |
    | LDAP_SEARCH_GROUP_BASE | Search base for groups. | ou=example,dc=ad,dc=sales,dc=us |
    | LDAP_SEARCH_GROUP_SCOPE | Search scope for groups: base, one, or sub. Default value is sub. | sub |
    | LDAP_SEARCH_GROUP_FILTER | Optional additional filter constraining the groups selected for syncing. | |
    | D) LDAP Manage/Ignore List of Users/Groups | | |
    | LDAP_MANAGE_USER_LIST | | |
    | LDAP_IGNORE_USER_LIST | Ignores the users in the list. | |
    | LDAP_MANAGE_GROUP_LIST | | |
    | LDAP_IGNORE_GROUP_LIST | Ignores the groups in the list. | |
    | E) LDAP Object Users/Groups Class | | |
    | LDAP_OBJECT_USER_CLASS | objectClass that identifies user entries. | user |
    | LDAP_OBJECT_GROUP_CLASS | objectClass that identifies group entries. | group |
    | F) LDAP User/Group Attributes | | |
    | LDAP_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | sAMAccountName |
    | LDAP_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | mail |
    | LDAP_ATTRIBUTE_GROUPNAMES | List of attributes of the group entry treated as the group name. | |
    | LDAP_ATTRIBUTE_GROUPNAME | Attribute of the group entry treated as the group name. | name |
    | LDAP_ATTRIBUTE_GROUP_MEMBER | Attribute of the group entry that lists its members. | member |
    | LDAP_ATTRIBUTE_LIST | | |
    | LDAP_ATTRIBUTE_VALUE_PREFIX | | |
    | LDAP_ATTRIBUTE_KEY_PREFIX | | |
    | G) Miscellaneous Properties | | |
    | LDAP_GROUP_LEVELS | Configures Privacera Usersync for AD/LDAP nested group membership. | |

  3. Run the following commands to apply the configuration.

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
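Before running the update in step 3, it is worth checking the edited LDAP properties for mistakes that only surface as a failed or silently empty sync. The script below is an added example, not Privacera's code: it assumes the vars file is flat `KEY: "value"` lines (nested YAML is not handled), embeds a constructed sample with deliberate problems, flags invalid or risky settings, and assembles the effective search filter so it can be tried with ldapsearch against the bind DN first.

```python
# Added example (not Privacera's code): preflight check for the LDAP usersync
# properties documented above. Reads flat "KEY: value" lines, flags invalid or
# risky settings, and builds the effective search filter for an ldapsearch trial.
import re

# Constructed sample of config/custom-vars/vars.privacera-usersync.ldap.yml
SAMPLE_VARS = """
LDAP_URL: "ldap://example.us:389"
LDAP_BIND_DN: "CN=Example User,OU=sales,DC=ad,DC=sales,DC=us"
LDAP_BIND_PASSWORD: ""
LDAP_REFERRAL: "folow"
PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED: "false"
LDAP_SEARCH_USER_SCOPE: "sub"
LDAP_SEARCH_USER_FILTER: "(memberOf=CN=analysts,OU=sales,DC=ad,DC=sales,DC=us)"
LDAP_OBJECT_USER_CLASS: "user"
"""

def parse_vars(text):
    """Read flat KEY: "value" lines; nested YAML is out of scope here."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s*:\s*"?([^"]*)"?\s*$', line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def effective_filter(object_class, extra=""):
    """Combine the objectClass test with the optional extra filter."""
    base = "(objectClass=%s)" % object_class
    return "(&%s%s)" % (base, extra) if extra else base

def preflight(cfg):
    """Return findings to fix before syncing; an empty list means none."""
    findings = []
    ssl_on = cfg.get("PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED", "false") == "true"
    if cfg.get("LDAP_URL", "").startswith("ldap://") and not ssl_on:
        findings.append("LDAP_URL: bind password travels in clear text; use ldaps:// or enable SSL")
    if not cfg.get("LDAP_BIND_PASSWORD"):
        findings.append("LDAP_BIND_PASSWORD: empty, the bind would be anonymous or rejected")
    if cfg.get("LDAP_REFERRAL", "follow") not in ("ignore", "follow"):
        findings.append("LDAP_REFERRAL: must be ignore or follow")
    for key in ("LDAP_SEARCH_USER_SCOPE", "LDAP_SEARCH_GROUP_SCOPE"):
        if cfg.get(key, "sub") not in ("base", "one", "sub"):
            findings.append("%s: must be base, one or sub" % key)
    for key in ("LDAP_SEARCH_USER_FILTER", "LDAP_SEARCH_GROUP_FILTER"):
        f = cfg.get(key, "")
        if f and (not f.startswith("(") or f.count("(") != f.count(")")):
            findings.append("%s: not a well-formed LDAP filter" % key)
    return findings
```

The filter returned by `effective_filter` can be passed to `ldapsearch -H <LDAP_URL> -D <LDAP_BIND_DN> -W -b <LDAP_SEARCH_USER_BASE> -s <scope>` to confirm the bind DN can actually read the entries the sync will select.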
    

## Azure Active Directory (AAD)

  1. Run the following commands to enable Privacera user sync.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. To enable the AAD connector, run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.azuread.yml
    

    Edit the following properties:

    | Property | Description | Example |
    |---|---|---|
    | A) AAD Basic Info | | |
    | AZURE_AD_CONNECTOR | Name of the connector. | AAD1 |
    | AZURE_AD_ENABLED | Enable the connector. | true |
    | AZURE_AD_SERVICE_TYPE | Service type. | |
    | AZURE_AD_DATASOURCE_NAME | Name of the datasource. | |
    | AZURE_AD_CLASS | | |
    | B) Azure AAD Info (get the following information from the Azure Portal) | | |
    | AZURE_AD_TENANT_ID | Azure Active Directory ID (Tenant ID). | 1a2b3c4d-azyd-4755-9638-e12xa34p56le |
    | AZURE_AD_CLIENT_ID | Azure Active Directory application client ID used to access the Microsoft Graph API. | 11111111-1111-1111-1111-111111111111 |
    | AZURE_AD_CLIENT_SECRET | Azure Active Directory application client secret used to access the Microsoft Graph API. | |
    | AZURE_AD_USERNAME | Azure account username used to obtain an access token on behalf of the Azure AD application. | |
    | AZURE_AD_PASSWORD | Azure account password used to obtain an access token on behalf of the Azure AD application. | |
    | C) AAD Manage/Ignore List of Users/Groups | | |
    | AZURE_AD_MANAGER_USER_LIST | | |
    | AZURE_AD_MANAGE_GROUP_LIST | Ignores the users in the list. | |
    | AZURE_AD_IGNORE_GROUP_LIST | Ignores the groups in the list. | |
    | D) AAD Search | | |
    | AZURE_AD_SEARCH_SCOPE | Azure AD application access scope. | |
    | AZURE_AD_SEARCH_USER_GROUPONLY | Only load users that are members of groups. | false |
    | E) Azure Service Principal | | |
    | AZURE_AD_SERVICEPRINCIPAL_ENABLED | Sync Azure service principals to the Ranger user entity. | |
    | AZURE_AD_SERVICEPRINCIPAL_USERNAME | Key from which the username is taken when a service principal is mapped to a Ranger user entity. | appId |
    | F) AAD User/Group Attributes | | |
    | AZURE_AD_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | |
    | AZURE_AD_ATTRIBUTE_FIRSTNAME | Attribute of the user entry treated as the first name. | |
    | AZURE_AD_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | |
    | AZURE_AD_ATTRIBUTE_GROUPNAME | Attribute of the group entry treated as the group name. | |
    | AZURE_AD_ATTRIBUTE_LIST | | |
    | AZURE_AD_ATTRIBUTE_VALUE_PREFIX | | |
    | AZURE_AD_ATTRIBUTE_KEY_PREFIX | | |

  3. Run the following commands to apply the configuration.

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
    

## SCIM

  1. Run the following commands to enable Privacera user sync.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. To enable the SCIM connector, run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.scim.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.scim.yml
    

    Edit the following properties:

    | Property | Description | Example |
    |---|---|---|
    | A) SCIM Connector Info | | |
    | SCIM_CONNECTOR | Name of the connector. | DB1 |
    | SCIM_ENABLED | Enable the connector. | true |
    | SCIM_SERVICETYPE | Service type. | scim |
    | SCIM_DATASOURCE_NAME | Name of the datasource. | databricks1 |
    | SCIM_URL | Connector URL. | |
    | ADMIN_USER_BEARER_TOKEN | Bearer token. | |
    | B) SCIM Manage/Ignore List of Users/Groups | | |
    | SCIM_MANAGE_USER_LIST | | |
    | SCIM_IGNORE_USER_LIST | Ignores the users in the list. | |
    | SCIM_MANAGE_GROUP_LIST | | |
    | SCIM_IGNORE_GROUP_LIST | Ignores the groups in the list. | |
    | C) SCIM User/Group Attributes | | |
    | SCIM_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | userName |
    | SCIM_ATTRIBUTE_FIRSTNAME | Attribute of the user entry treated as the first name. | name.givenName |
    | SCIM_ATTRIBUTE_LASTNAME | Attribute of the user entry treated as the last name. | name.familyName |
    | SCIM_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | emails[primary-true].value |
    | SCIM_ATTRIBUTE_GROUPS | | groups |
    | SCIM_ATTRIBUTE_GROUPNAME | Attribute of the group entry treated as the group name. | displayName |
    | SCIM_ATTRIBUTE_GROUP_MEMBER | Attribute of the group entry that lists its members. | members |
    | SCIM_ATTRIBUTE_LIST | | |
    | SCIM_ATTRIBUTE_VALUE_PREFIX | | |
    | SCIM_ATTRIBUTE_PREFIX | | |

  3. Run the following commands to apply the configuration.

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
    

## OKTA

  1. Run the following commands to enable Privacera user sync.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. To enable the OKTA connector, run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.okta.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.okta.yml
    

    Edit the following properties:

    | Property | Description | Example |
    |---|---|---|
    | A) OKTA Connector Info | | |
    | OKTA_CONNECTOR | Name of the connector. | OKTA |
    | OKTA_ENABLED | Enable the connector. | true |
    | OKTA_SERVICETYPE | Service type. | |
    | OKTA_DATASOURCE_NAME | Name of the datasource. | |
    | OKTA_SERVICE_URL | Connector URL. | https://{myOktaDomain}.okta.com |
    | OKTA_API_TOKEN | API token. | A8b2c84d-895a-4fea-82dc-401397b8e50c |
    | B) OKTA Manage/Ignore List of Users/Groups | | |
    | OKTA_USER_LIST_STATUS | | eq;ACTIVE,STAGED |
    | OKTA_USER_LIST_PROFILE_FIRSTNAME | | sw;mon,san |
    | OKTA_USER_LIST_PROFILE_LASTNAME | | sw;mon,san |
    | OKTA_LIST_PROFILE_EMAIL | | sw;mon,san |
    | OKTA_LIST_TYPE | | eq;APP_GROUP,BUILT_IN,OKTA_GROUP |
    | OKTA_GROUP_LIST | | ra,tes |
    | OKTA_IGNORE_GROUP_LIST | Ignores the groups in the list. | |
    | C) OKTA Search | | |
    | OKTA_SEARCH_USER_GROUPONLY | Only load users that are members of groups. | false |
    | D) OKTA User/Group Attributes | | |
    | OKTA_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | login |
    | OKTA_ATTRIBUTE_FIRSTNAME | Attribute of the user entry treated as the first name. | firstName |
    | OKTA_ATTRIBUTE_LASTNAME | Attribute of the user entry treated as the last name. | lastName |
    | OKTA_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | email |
    | OKTA_ATTRIBUTE_GROUPS | | groups |
    | OKTA_ATTRIBUTE_LIST | | |

  3. Run the following commands to apply the configuration.

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
    

Last update: October 7, 2021