
Privacera Data Access User Synchronization

Learn how you can synchronize users and groups from different connectors.

LDAP

  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. Enable the LDAP connector:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.ldap.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.ldap.yml
    

    Edit the following properties:

    Property Description Example
    A) LDAP Connector Info
    LDAP_CONNECTOR Name of the connector. ad
    LDAP_ENABLED Enabled status of connector: true or false true
    LDAP_SERVICE_TYPE Set a service type: ldap or ad ad
    LDAP_DATASOURCE_NAME Name of the datasource: ldap or ad ad
    LDAP_URL URL of source LDAP. ldap://example.us:389
    LDAP_BIND_DN Property is used to connect to LDAP and then query for users and groups. CN=Example User,OU=sales,DC=ad,DC=sales,DC=us
    LDAP_BIND_PASSWORD LDAP bind password for the bind DN specified above.
    LDAP_AUTH_TYPE Authentication type, the default is simple simple
    LDAP_REFERRAL Set the LDAP context referral: ignore or follow. Default value is follow. follow
    B) Enable SSL for LDAP Server
    PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED Set this property to enable/disable SSL for Privacera Usersync. true
    PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS Set this property if you want Privacera Manager to generate a truststore for your SSL-enabled LDAP server. true
    PRIVACERA_USERSYNC_AUTH_SSL_ENABLED Set this property if the other Privacera services are not SSL enabled and you are using SSL-enabled LDAP server. true
    C) LDAP Search
    LDAP_SEARCH_GROUP_FIRST Property to enable to search for groups first, before searching for users. true
    LDAP_SEARCH_BASE Search base for users and groups. DC=ad,DC=sales,DC=us
    LDAP_SEARCH_USER_BASE Search base for users. ou=example,dc=ad,dc=sales,dc=us
    LDAP_SEARCH_USER_SCOPE Search scope for users: base, one or sub. Default value is sub. sub
    LDAP_SEARCH_USER_FILTER Optional additional filter constraining the users selected for syncing.
    LDAP_SEARCH_USER_GROUPONLY Boolean to only load users in groups. false
    LDAP_ATTRIBUTE_ONLY Sync only the attributes of users already synced from other services. false
    LDAP_SEARCH_INCREMENTAL_ENABLED Enable incremental search. Syncing changes only since last search. false
    LDAP_PAGED_RESULTS_ENABLED Enable paged results control for LDAP Searches. Default is true. true
    LDAP_PAGED_CONTROL_CRITICAL Set paged results control criticality to CRITICAL. Default is true. true
    LDAP_SEARCH_GROUP_BASE Search base for groups. ou=example,dc=ad,dc=sales,dc=us
    LDAP_SEARCH_GROUP_SCOPE Search scope for groups: base, one or sub. Default value is sub. sub
    LDAP_SEARCH_GROUP_FILTER Optional additional filter constraining the groups selected for syncing.
    LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION Number of sync cycles between deleted-entity searches. Default value is 6. 6
    LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS Enables both user and group deleted searches. Default is false. false
    LDAP_SEARCH_DETECT_DELETED_USERS Override setting for user deleted search. Default value is LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS
    LDAP_SEARCH_DETECT_DELETED_GROUPS Override setting for group deleted search. Default value is LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS
    D) LDAP Manage/Ignore List of Users/Groups
    LDAP_MANAGE_USER_LIST List of users to manage from sync results. If this list is defined, all users not on this list will be ignored.
    LDAP_IGNORE_USER_LIST List of users to ignore from sync results.
    LDAP_MANAGE_GROUP_LIST List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored.
    LDAP_IGNORE_GROUP_LIST List of groups to ignore from sync results.
    E) LDAP Object Users/Groups Class
    LDAP_OBJECT_USER_CLASS Objectclass to identify user entries. user
    LDAP_OBJECT_GROUP_CLASS Objectclass to identify group entries. group
    F) LDAP User/Group Attributes
    LDAP_ATTRIBUTE_USERNAME Attribute from user entry that would be treated as user name. SAMAccountName
    LDAP_ATTRIBUTE_FIRSTNAME Attribute of a user’s first name. The default is givenName. givenName
    LDAP_ATTRIBUTE_LASTNAME Attribute of a user’s last name.
    LDAP_ATTRIBUTE_EMAIL Attribute from user entry that would be treated as email address. mail
    LDAP_ATTRIBUTE_GROUPNAMES List of attributes from group entry that would be treated as group name.
    LDAP_ATTRIBUTE_GROUPNAME Attribute from group entry that would be treated as group name. name
    LDAP_ATTRIBUTE_GROUP_MEMBER Attribute from group entry that is list of members. member
    G) Username/Group name Attribute Modification
    LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL Extract username from an email address. (e.g. username@domain.com -> username) Default is false. false
    LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX Prefix to prepend to the username. Default is blank.
    LDAP_ATTRIBUTE_USERNAME_VALUE_POSTFIX Postfix to append to the username. Default is blank.
    LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER Convert the username to lowercase. Default is false. false
    LDAP_ATTRIBUTE_USERNAME_VALUE_TOUPPER Convert the username to uppercase. Default is false. false
    LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX Regex used to replace matching parts of the username. Default is blank.
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL Extract the group name from an email address. Default is false. false
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_PREFIX Prefix to prepend to the group's name. Default is blank.
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX Postfix to append to the group's name. Default is blank.
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER Convert the group's name to lowercase. Default is false. false
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER Convert the group's name to uppercase. Default is false. false
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_REGEX Regex used to replace matching parts of the group's name. Default is blank.
    H) Group Attribute Configuration
    LDAP_GROUP_ATTRIBUTE_LIST The list of attribute keys to get from synced groups.
    LDAP_GROUP_ATTRIBUTE_VALUE_PREFIX Append prefix to values of group attributes such as group name.
    LDAP_GROUP_ATTRIBUTE_KEY_PREFIX Append prefix to key of group attributes such as group name.
    LDAP_GROUP_LEVELS Configure Privacera usersync with AD/LDAP nested group membership.

  3. Run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

LDAP/AD deleted entity detection

When enabled, LDAP/AD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.

Properties:

  • Boolean: usersync.connector.0.search.deleted.group.enabled (default: false)

  • Boolean: usersync.connector.0.search.deleted.user.enabled (default: false)

  • Numeric: usersync.connector.#.search.deleted.cycles (default: 6)

Privacera Manager Variables:

In the LDAP connector properties table above, see section C (LDAP Search).

Azure Active Directory (AAD)

  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. Enable the AAD connector:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.azuread.yml
    

    Edit the following properties:


    Property Description Example
    A) AAD Basic Info
    AZURE_AD_CONNECTOR Name of the connector. AAD1
    AZURE_AD_ENABLED Enabled status of connector. (true/false) true
    AZURE_AD_SERVICE_TYPE Service Type
    AZURE_AD_DATASOURCE_NAME Name of the datasource.
    AZURE_AD_ATTRIBUTE_ONLY Sync only the attributes of users already synced from other services. false
    B) Azure AAD Info: (Get the following information from Azure Portal)
    AZURE_AD_TENANT_ID Azure Active Directory Id (Tenant ID) 1a2b3c4d-azyd-4755-9638-e12xa34p56le
    AZURE_AD_CLIENT_ID Azure Active Directory application client ID which will be used for accessing Microsoft Graph API. 11111111-1111-1111-1111-111111111111
    AZURE_AD_CLIENT_SECRET Azure Active Directory application client secret which will be used for accessing Microsoft Graph API.
    AZURE_AD_USERNAME Azure Account username which will be used for getting access token to be used on behalf of Azure AD application.
    AZURE_AD_PASSWORD Azure Account password which will be used for getting access token to be used on behalf of Azure AD application.
    C) AAD Manage/Ignore List of Users/Groups
    AZURE_AD_MANAGER_USER_LIST List of users to manage from sync results. If this list is defined, all users not on this list will be ignored.
    AZURE_AD_IGNORE_USER_LIST List of users to ignore from sync results.
    AZURE_AD_MANAGE_GROUP_LIST List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored.
    AZURE_AD_IGNORE_GROUP_LIST List of groups to ignore from sync results.
    D) AAD Search
    AZURE_AD_SEARCH_SCOPE Azure AD Application Access Scope
    AZURE_AD_SEARCH_USER_GROUPONLY Boolean to only load users in groups. false
    AZURE_AD_SEARCH_INCREMENTAL_ENABLED Enable incremental search. Syncing only changes since last search. false
    AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS Enables both user and group deleted searches. Default is false. false
    AZURE_AD_SEARCH_DETECT_DELETED_USERS Override setting for user deleted search. Default value is AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS. AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS
    AZURE_AD_SEARCH_DETECT_DELETED_GROUPS Override setting for group deleted search. Default value is AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS. AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS
    E) Azure Service Principal
    AZURE_AD_SERVICEPRINCIPAL_ENABLED Sync Azure service principal to ranger user entity.
    AZURE_AD_SERVICEPRINCIPAL_USERNAME Properties to specify from which key to get values of username in case service principal is mapped to Ranger user entity. appId
    F) AAD User/Group Attributes
    AZURE_AD_ATTRIBUTE_USERNAME Attribute of a user’s name (default: userPrincipalName)
    AZURE_AD_ATTRIBUTE_FIRSTNAME Attribute of a user’s first name (default: givenName)
    AZURE_AD_ATTRIBUTE_LASTNAME Attribute of a user’s last name (default: surname)
    AZURE_AD_ATTRIBUTE_EMAIL Attribute from user entry that would be treated as email address.
    AZURE_AD_ATTRIBUTE_GROUPNAME Attribute from group entry that would be treated as group name.
    AZURE_AD_SERVICEPRINCIPAL_USERNAME Attribute of service principal name.
    G) Username/Group name Attribute Modification
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL Extract username from an email address. (e.g. username@domain.com -> username) Default is false. false
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_PREFIX Prefix to prepend to the username. Default is blank.
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_POSTFIX Postfix to append to the username. Default is blank.
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOLOWER Convert the username to lowercase. Default is false. false
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOUPPER Convert the username to uppercase. Default is false. false
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_REGEX Regex used to replace matching parts of the username. Default is blank.
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL Extract the group name from an email address. Default is false. false
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_PREFIX Prefix to prepend to the group's name. Default is blank.
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX Postfix to append to the group's name. Default is blank.
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER Convert the group's name to lowercase. Default is false. false
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER Convert the group's name to uppercase. Default is false. false
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_REGEX Regex used to replace matching parts of the group's name. Default is blank.
    H) Group Attribute Configuration
    AZURE_AD_GROUP_ATTRIBUTE_LIST The list of attribute keys to get from synced groups.
    AZURE_AD_GROUP_ATTRIBUTE_VALUE_PREFIX Append prefix to values of group attributes such as group name.
    AZURE_AD_GROUP_ATTRIBUTE_KEY_PREFIX Append prefix to key of group attributes such as group name.
    I) Filter Properties
    AZURE_AD_FILTER_USER_LIST Filter the AAD user list; supported for non-incremental search only. When incremental search is enabled, delta search does not support filter properties. abc.def@privacera.com
    AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST Filter the AAD service principal list; supported for non-incremental search only. When incremental search is enabled, delta search does not support filter properties. abc-testapp
    AZURE_AD_FILTER_GROUP_LIST Filter the AAD group list; supported for non-incremental search only. When incremental search is enabled, delta search does not support filter properties. PRIVACERA-AB-GROUP-00
    J) Domain Properties
    AZURE_AD_MANAGE_DOMAIN_LIST Only users in manage domain list will be synced. Privacera.US
    AZURE_AD_IGNORE_DOMAIN_LIST Users in ignore domain list will not be synced. Privacera.US
    AZURE_AD_DOMAIN_ATTRIBUTE Attribute used to determine a user's domain for the domain lists above: email or username. Default is email. username

  3. Run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
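
The manage/ignore lists (section C) and the domain properties (section J) of the AAD table together decide which users reach Privacera. The following Python is an added illustration, not Privacera's code: it evaluates those properties against constructed user records and returns the reason for each decision, which is what you want in the sync log when a user unexpectedly appears or disappears. Two choices are assumptions the page does not state: ignore lists win over manage lists, and a user whose domain cannot be determined is rejected whenever a manage domain list is set.

```python
from dataclasses import dataclass, field


@dataclass
class DomainFilter:
    """Models AZURE_AD_MANAGER_USER_LIST, AZURE_AD_IGNORE_USER_LIST,
    AZURE_AD_MANAGE_DOMAIN_LIST, AZURE_AD_IGNORE_DOMAIN_LIST and
    AZURE_AD_DOMAIN_ATTRIBUTE for this example (field names are ours)."""
    manage_users: set = field(default_factory=set)
    ignore_users: set = field(default_factory=set)
    manage_domains: set = field(default_factory=set)
    ignore_domains: set = field(default_factory=set)
    domain_attribute: str = "email"      # "email" (default) or "username"

    def __post_init__(self):
        if self.domain_attribute not in ("email", "username"):
            raise ValueError("domain attribute must be email or username")
        # Domains are compared case-insensitively (assumption; the page
        # shows the mixed-case example Privacera.US).
        self.manage_domains = {d.lower() for d in self.manage_domains}
        self.ignore_domains = {d.lower() for d in self.ignore_domains}


def domain_of(user: dict, attribute: str):
    """Domain part of the chosen attribute, or None if it has no '@'."""
    value = user.get(attribute) or ""
    return value.rsplit("@", 1)[1].lower() if "@" in value else None


def decide(user: dict, f: DomainFilter) -> tuple:
    """Return (sync: bool, reason: str) for one user record."""
    name = user["username"]
    if name in f.ignore_users:
        return False, "in ignore user list"
    if f.manage_users and name not in f.manage_users:
        return False, "not in manage user list"
    domain = domain_of(user, f.domain_attribute)
    if f.ignore_domains and domain in f.ignore_domains:
        return False, f"domain {domain} in ignore domain list"
    if f.manage_domains:
        if domain is None:
            # Fail closed: an allow-list is set but we cannot tell the domain.
            return False, f"no domain in {f.domain_attribute}; failing closed"
        if domain not in f.manage_domains:
            return False, f"domain {domain} not in manage domain list"
    return True, "ok"


def apply_filter(users, f: DomainFilter) -> dict:
    """Map every username to its decision so the result can be logged."""
    return {u["username"]: decide(u, f) for u in users}


# Constructed sample records in the shape this example expects.
SAMPLE_USERS = [
    {"username": "alice@privacera.us", "email": "alice@Privacera.US"},
    {"username": "guest#EXT#@tenant.example", "email": "guest@partner.example"},
    {"username": "svc-etl", "email": None},
    {"username": "mallory@privacera.us", "email": "mallory@privacera.us"},
]

if __name__ == "__main__":
    rules = DomainFilter(manage_domains={"Privacera.US"},
                         ignore_users={"mallory@privacera.us"})
    for name, (ok, why) in apply_filter(SAMPLE_USERS, rules).items():
        print(f"{'SYNC' if ok else 'SKIP':4} {name}: {why}")
```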
    

Azure Active Directory (AAD) deleted entity detection

When enabled, AAD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.

Properties:

  • Boolean: usersync.connector.3.search.deleted.group.enabled (default: false)

  • Boolean: usersync.connector.3.search.deleted.user.enabled (default: false)

Privacera Manager Variables:

In the AAD connector properties table above, see under AAD Search (section D).
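An added Python model of the soft-delete behaviour described for both the LDAP/AD and AAD connectors above (this is an illustration, not Privacera's code): on every `cycles`-th sync cycle, entities absent from the connector's result have their memberships removed and are marked hidden, policy references are left in place, and hidden entities drop out of auto-completion. The in-memory `Portal` structure, the `autocomplete` helper and counting cycles from 1 are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    kind: str                                      # "user" or "group"
    memberships: set = field(default_factory=set)  # groups this entity belongs to
    hidden: bool = False


@dataclass
class Portal:
    """Minimal stand-in for Privacera Portal state (assumed structure)."""
    entities: dict = field(default_factory=dict)   # name -> Entity
    policies: dict = field(default_factory=dict)   # policy -> set of entity names

    def autocomplete(self, prefix: str) -> list:
        # Hidden users/groups are excluded, as the page describes.
        return sorted(n for n, e in self.entities.items()
                      if not e.hidden and n.startswith(prefix))


class DeletedEntityDetector:
    """Mirrors search.deleted.user.enabled, search.deleted.group.enabled
    and search.deleted.cycles for one connector."""

    def __init__(self, cycles: int = 6, detect_users: bool = False,
                 detect_groups: bool = False):
        if cycles < 1:
            raise ValueError("cycles must be >= 1")
        self.cycles = cycles
        self.detect = {"user": detect_users, "group": detect_groups}
        self.cycle = 0

    def run_cycle(self, portal: Portal, synced_users: set,
                  synced_groups: set) -> list:
        """Register the sync result; on every `cycles`-th run, soft-delete
        entities the connector no longer returns. Returns the names hidden
        in this run."""
        self.cycle += 1
        for name in synced_users:
            portal.entities.setdefault(name, Entity(name, "user"))
        for name in synced_groups:
            portal.entities.setdefault(name, Entity(name, "group"))
        if self.cycle % self.cycles != 0:
            return []                              # not a deleted-search cycle
        present = {"user": synced_users, "group": synced_groups}
        hidden = []
        for ent in portal.entities.values():
            if ent.hidden or not self.detect[ent.kind]:
                continue
            if ent.name not in present[ent.kind]:
                ent.memberships.clear()            # soft delete: drop memberships
                ent.hidden = True                  # ... and mark hidden
                hidden.append(ent.name)
        # Policy references are intentionally left untouched; they stay
        # until removed by hand or the entity is fully deleted in the Portal.
        return hidden


def demo() -> Portal:
    """Constructed scenario: bob disappears from the directory."""
    portal = Portal()
    detector = DeletedEntityDetector(cycles=2, detect_users=True)
    detector.run_cycle(portal, {"alice", "bob"}, {"sales"})
    portal.entities["bob"].memberships.add("sales")
    portal.policies["sales-read"] = {"alice", "bob"}
    detector.run_cycle(portal, {"alice"}, {"sales"})   # cycle 2: deleted search runs
    return portal


if __name__ == "__main__":
    p = demo()
    print("hidden:", [n for n, e in p.entities.items() if e.hidden])
    print("policy still references:", sorted(p.policies["sales-read"]))
    print("autocomplete:", p.autocomplete(""))
```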

SCIM

  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. Enable the SCIM connector:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.scim.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.scim.yml
    

    Edit the following properties:

    Property Description Example
    A) SCIM Connector Info
    SCIM_CONNECTOR Name of connector. DB1
    SCIM_ENABLED Enabled status of connector. (true/false) true
    SCIM_SERVICETYPE Service Type scim
    SCIM_DATASOURCE_NAME Name of the datasource. databricks1
    SCIM_URL Connector URL
    ADMIN_USER_BEARER_TOKEN Bearer token
    B) SCIM Manage/Ignore List of Users/Groups
    SCIM_MANAGE_USER_LIST List of users to manage from sync results. If this list is defined, all users not on this list will be ignored.
    SCIM_IGNORE_USER_LIST List of users to ignore from sync results.
    SCIM_MANAGE_GROUP_LIST List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored.
    SCIM_IGNORE_GROUP_LIST List of groups to ignore from sync results.
    C) SCIM User/Group Attributes
    SCIM_ATTRIBUTE_USERNAME Attribute from user entry that would be treated as user name. userName
    SCIM_ATTRIBUTE_FIRSTNAME Attribute from user entry that would be treated as firstname. name.givenName
    SCIM_ATTRIBUTE_LASTNAME Attribute from user entry that would be treated as lastname. name.familyName
    SCIM_ATTRIBUTE_EMAIL Attribute from user entry that would be treated as email address. emails[primary-true].value
    SCIM_ATTRIBUTE_ONLY Sync only the attributes of users already synced from other services. (true/false) false
    SCIM_ATTRIBUTE_GROUPS Attribute of user’s group list. groups
    SCIM_ATTRIBUTE_GROUPNAME Attribute from group entry that would be treated as group name. displayName
    SCIM_ATTRIBUTE_GROUP_MEMBER Attribute from group entry that is list of members. members
    D) SCIM Server Username Attribute Modifications
    SCIM_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL Extract the user’s username from an email address. (e.g. username@domain.com -> username) The default is false. false
    SCIM_ATTRIBUTE_USERNAME_VALUE_PREFIX Prefix to prepend to username. The default is blank.
    SCIM_ATTRIBUTE_USERNAME_VALUE_POSTFIX Postfix to append to the username. The default is blank.
    SCIM_ATTRIBUTE_USERNAME_VALUE_TOLOWER Convert the user’s username to lowercase. The default is false. false
    SCIM_ATTRIBUTE_USERNAME_VALUE_TOUPPER Convert the user’s username to uppercase. The default is false. false
    SCIM_ATTRIBUTE_USERNAME_VALUE_REGEX Regex used to replace matching parts of the username. The default is blank.
    E) SCIM Server Group Name Attribute Modifications
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL Extract the group’s name from an email address (e.g. groupname@domain.com -> groupname). The default is false. false
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_PREFIX Prefix to prepend to the group's name. The default is blank.
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX Postfix to append to the group's name. The default is blank.
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER Convert group's name to lowercase. The default is false. false
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER Convert the group's name to uppercase. The default is false. false
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_REGEX Regex used to replace matching parts of the group's name. The default is blank.
    F) Group Attribute Configuration
    SCIM_GROUP_ATTRIBUTE_LIST The list of attribute keys to get from synced groups.
    SCIM_GROUP_ATTRIBUTE_VALUE_PREFIX Append prefix to values of group attributes such as group name.
    SCIM_GROUP_ATTRIBUTE_KEY_PREFIX Append prefix to key of group attributes such as group name.

  3. Run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

SCIM Server

  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. Enable the SCIM Server connector:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.scimserver.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.scimserver.yml
    

    Edit the following properties:

    Property Description Example
    A) SCIM Server Connector Info
    SCIM_SERVER_CONNECTOR Identifying name of this connector. DB1
    SCIM_SERVER_ENABLED Enabled status of connector. (true/false) true
    SCIM_SERVER_SERVICETYPE Type of service/connector. scimserver
    SCIM_SERVER_DATASOURCE_NAME Unique datasource name. Used for identifying source of data and configuring priority list. (Optional) databricks1
    SCIM_SERVER_ATTRIBUTE_ONLY Sync only the attributes of users already synced from other services. (true/false)
    SCIM_SERVER_BEARER_TOKEN Bearer token for auth to SCIM API. When set, SCIM requests with this token will be allowed access.
    SCIM_SERVER_USERNAME Basic auth username; when set, SCIM requests presenting this username will be allowed access. (Password also required.)
    SCIM_SERVER_PASSWORD Basic auth password; when set, SCIM requests presenting this password will be allowed access. (Username also required.)
    B) SCIM Server Manage/Ignore List of Users/Groups
    SCIM_SERVER_MANAGE_USER_LIST List of users to manage from sync results. If this list is defined, all users not on this list will be ignored.
    SCIM_SERVER_IGNORE_USER_LIST List of users to ignore from sync results.
    SCIM_SERVER_MANAGE_GROUP_LIST List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored.
    SCIM_SERVER_IGNORE_GROUP_LIST List of groups to ignore from sync results.
    C) SCIM Server Attributes
    SCIM_SERVER_ATTRIBUTE_USERNAME Attribute of a user's name. userName
    SCIM_SERVER_ATTRIBUTE_FIRSTNAME Attribute of a user's first name. name.givenName
    SCIM_SERVER_ATTRIBUTE_LASTNAME Attribute of a user's last/family name. name.familyName
    SCIM_SERVER_ATTRIBUTE_EMAIL Attribute of a user’s email. emails[primary-true].value
    SCIM_SERVER_ATTRIBUTE_GROUPS Attribute of a user’s group list. groups
    SCIM_SERVER_ATTRIBUTE_GROUPNAME Attribute of a group's name. displayName
    SCIM_SERVER_ATTRIBUTE_GROUP_MEMBER Attribute from group entry that is the list of members. members
    D) SCIM Server Username Attribute Modifications
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL Extract the user’s username from an email address. (e.g. username@domain.com -> username) The default is false. false
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_PREFIX Prefix to prepend to username. The default is blank.
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_POSTFIX Postfix to append to the username. The default is blank.
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOLOWER Convert the user’s username to lowercase. The default is false. false
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOUPPER Convert the user’s username to uppercase. The default is false. false
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_REGEX Regex used to replace matching parts of the username. The default is blank.
    E) SCIM Server Group Name Attribute Modifications
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL Extract the group’s name from an email address (e.g. groupname@domain.com -> groupname). The default is false. false
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_PREFIX Prefix to prepend to the group's name. The default is blank.
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX Postfix to append to the group's name. The default is blank.
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER Convert group's name to lowercase. The default is false. false
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER Convert the group's name to uppercase. The default is false. false
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_REGEX Regex used to replace matching parts of the group's name. The default is blank.
    F) Group Attribute Configuration
    SCIM_SERVER_GROUP_ATTRIBUTE_LIST The list of attribute keys to get from synced groups.
    SCIM_SERVER_GROUP_ATTRIBUTE_VALUE_PREFIX Append prefix to values of group attributes such as group name.
    SCIM_SERVER_GROUP_ATTRIBUTE_KEY_PREFIX Append prefix to key of group attributes such as group name.

  3. Run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update

OKTA

  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    
  2. Enable the OKTA connector:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.okta.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.okta.yml
    

    Edit the following properties:

    Property Description Example
    A) OKTA Connector Info
    OKTA_CONNECTOR Name of the connector. OKTA
    OKTA_ENABLED Enabled status of connector. (true/false) true
    OKTA_SERVICETYPE Type of service/connector. okta
    OKTA_DATASOURCE_NAME Unique datasource name, used for identifying source of data and configuring priority list. (Optional)
    OKTA_SERVICE_URL Connector URL https://{myOktaDomain}.okta.com
    OKTA_API_TOKEN API token A8b2c84d-895a-4fea-82dc-401397b8e50c
    B) OKTA Manage/Ignore List of Users/Groups
    OKTA_USER_LIST List of users to manage from sync results. If this list is defined, all users not on this list will be ignored.
    OKTA_IGNORE_USER_LIST List of users to ignore from sync results.
    OKTA_USER_LIST_STATUS List of users to manage by status; one or more of STAGED, PROVISIONED, ACTIVE, RECOVERY, PASSWORD_EXPIRED, LOCKED_OUT or DEPROVISIONED. If this list is defined, all users not on this list will be ignored. ACTIVE,STAGED
    OKTA_USER_LIST_LOGIN List of users to manage with user login name (can contain ). If this list is defined, all users not on this list will be ignored. sw;mon,san
    OKTA_USER_LIST_PROFILE_FIRSTNAME List of users to manage with user first name (can contain ). If this list is defined, all users not on this list will be ignored. sw;mon,san
    OKTA_USER_LIST_PROFILE_LASTNAME List of users to manage with user last name (can contain ). If this list is defined, all users not on this list will be ignored. sw;mon,san
    OKTA_LIST_PROFILE_EMAIL List of users to manage with user email (can contain ). If this list is defined, all users not on this list will be ignored. sw;mon,san
    OKTA_LIST_TYPE List of groups to manage with group type. If this list is defined, all groups not on this list will be ignored. APP_GROUP,BUILT_IN,OKTA_GROUP
    OKTA_GROUP_LIST List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored.
    OKTA_IGNORE_GROUP_LIST List of groups to ignore from sync results.
    OKTA_GROUP_LIST_SOURCE_ID List of groups to manage with group source id. If this list is defined, all groups not on this list will be ignored. 0oa2v0el0gP90aqjJ0g7,0oa2v0el0gP90aqjJ0g8,0oa2v0el0gP90aqjJ0g0
    OKTA_GROUP_LIST_PROFILE_NAME List of groups to manage with group name. If this list is defined, all groups not on this list will be ignored. group1,testGroup,testGroup2
    C) OKTA Search
    OKTA_SEARCH_USER_GROUPONLY Boolean to only load users in groups. false
    OKTA_SEARCH_INCREMENTAL_ENABLED Boolean to enable incremental search, syncing only changes since last search. false
    D) OKTA User/Group Attributes
    OKTA_ATTRIBUTE_USERNAME Attribute from user entry that would be treated as user name. login
    OKTA_ATTRIBUTE_FIRSTNAME Attribute from user entry that would be treated as firstname. firstName
    OKTA_ATTRIBUTE_LASTNAME Attribute from user entry that would be treated as lastname. lastName
    OKTA_ATTRIBUTE_EMAIL Attribute from user entry that would be treated as email address. email
    OKTA_ATTRIBUTE_GROUPS Attribute of user’s group list. groups
    OKTA_ATTRIBUTE_GROUPNAME Attribute of a group’s name. name
    OKTA_ATTRIBUTE_ONLY Sync only the attributes of users already synced from other services. (true/false) false
    E) OKTA Username Attribute Modifications
    OKTA_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL Extract the user’s username from an email address. (e.g. username@domain.com -> username) The default is false. false
    OKTA_ATTRIBUTE_USERNAME_VALUE_PREFIX Prefix to prepend to username. The default is blank.
    OKTA_ATTRIBUTE_USERNAME_VALUE_POSTFIX Postfix to append to the username. The default is blank.
    OKTA_ATTRIBUTE_USERNAME_VALUE_TOLOWER Convert the user’s username to lowercase. The default is false. false
    OKTA_ATTRIBUTE_USERNAME_VALUE_TOUPPER Convert the user’s username to uppercase. The default is false. false
    OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX Regex used to replace matching parts of the username. The default is blank.
    F) OKTA Group Name Attribute Modifications
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL Extract the group’s name from an email address (e.g. groupname@domain.com -> groupname). The default is false. false
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_PREFIX Prefix to prepend to the group's name. The default is blank.
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX Postfix to append to the group's name. The default is blank.
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER Convert group's name to lowercase. The default is false. false
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER Convert the group's name to uppercase. The default is false. false
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_REGEX Regex used to replace matching parts of the group's name. The default is blank.

  3. Run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
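
The username and group-name modification properties (section G of the LDAP and AAD tables, sections D and E of the SCIM and SCIM Server tables, sections E and F of the OKTA table) all describe the same normalisation pipeline: extract from email, regex replacement, case change, prefix and postfix. The following Python is an added illustration, not Privacera's code: it applies those steps to sample names and then checks whether two source identities collapse onto one Privacera name, which would silently merge their policy grants. The step order and the text substituted for regex matches are assumptions; the page lists the properties without stating either.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class NameRules:
    """One set of *_VALUE_* properties, e.g. LDAP_ATTRIBUTE_USERNAME_VALUE_*."""
    extract_from_email: bool = False  # ..._VALUE_EXTRACTFROMEMAIL
    prefix: str = ""                  # ..._VALUE_PREFIX
    postfix: str = ""                 # ..._VALUE_POSTFIX
    to_lower: bool = False            # ..._VALUE_TOLOWER
    to_upper: bool = False            # ..._VALUE_TOUPPER
    regex: str = ""                   # ..._VALUE_REGEX (blank = disabled)
    regex_replacement: str = ""       # assumed: text substituted for each match


def normalize_name(raw: str, rules: NameRules) -> str:
    """Apply the modification properties to one username or group name.

    The step order is an assumption made for this example; the page only
    lists the properties.
    """
    if rules.to_lower and rules.to_upper:
        raise ValueError("TOLOWER and TOUPPER are mutually exclusive")
    name = raw.strip()
    if rules.extract_from_email and "@" in name:
        name = name.split("@", 1)[0]          # username@domain.com -> username
    if rules.regex:
        name = re.sub(rules.regex, rules.regex_replacement, name)
    if rules.to_lower:
        name = name.lower()
    elif rules.to_upper:
        name = name.upper()
    return f"{rules.prefix}{name}{rules.postfix}"


def find_collisions(raw_names, rules: NameRules) -> dict:
    """Return {normalized_name: [raw names]} for every normalized name that
    more than one source identity maps to. Such a merge means policies
    granted to one identity also apply to the other."""
    seen = defaultdict(list)
    for raw in raw_names:
        seen[normalize_name(raw, rules)].append(raw)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample identities from two different mail domains.
    rules = NameRules(extract_from_email=True, to_lower=True, prefix="ad_")
    sample = ["Alice.Smith@corp.example", "alice.smith@partner.example",
              "bob@corp.example"]
    for raw in sample:
        print(raw, "->", normalize_name(raw, rules))
    print("collisions:", find_collisions(sample, rules))
```

Run the collision check against the full export of a connector before enabling EXTRACTFROMEMAIL or TOLOWER on a directory that spans several domains or tenants.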