User/Groups/Roles
Concepts in Access Management
For conceptual background, see How Access Management Works.
Manage data access for users, groups, and roles.
Users
Data access users are the subjects named when you create and define Resource Policies. A user may be included in or excluded from a policy individually or through group membership.
The User Source value records how the user was created or imported.
Internal users are created within your Access Management account. The administrative users 'admin', 'rangerusersync', 'keyadmin', 'rangertagsync', and '{OWNER}' are created by the system.
External users:
A data access user with the same username as the first 'Administrator' / Portal user;
A 'service' user for each data resource service (for example 'hive', 's3', ...);
Users imported by UserSync from LDAP or Active Directory.
Visibility indicates whether a user is listed when creating or editing a policy in Access Management: Resource Policies. If a user is Visible, they can be found and selected in the "Select User" column. If a user is Hidden, they cannot be selected. This is useful when your account has been synchronized with a user directory that contains a large number of users. To set visibility, select the user's row (the checkbox on the left side of the table) and use the Visibility action (between +Add and Delete).
User Role here is one of 'User', 'Administrator', or 'Auditor'. Note that this user role is different from the custom roles defined in the User Management: Roles tab.
Use the Search control to limit the displayed objects to those matching a specific value: first select a column name, then a value. The table is filtered to show only the objects that match. User objects may be added, edited, or deleted.
Add Users
From the home page, click Access Management > Users/Groups/Roles.
Select the Users tab and click +Add. The Add User pop-up displays.
Enter the user details.
Click Save.
Add Discovery User for encryption service
To use encryption in the Compliance Workflow policies of the Discovery service, you need to add the privacera_service_discovery user in the Users/Groups/Roles of Access Management.
From the home page, click Settings > Users Management.
In the Portal Users tab, on the User Management page, click the edit button next to the privacera_service_discovery user.
On the Edit User page, click Save.
After saving, verify that privacera_service_discovery has been added: go to Access Management > Users/Groups/Roles > USERS tab.
Add the user in Schema Policies. See Add User in Default Policy.
Add the user in Ranger KMS. See Set User Access for Encryption Service.
Edit Users
From the home page, click Access Management > Users/Groups/Roles.
Under the Users tab, select the User and click the pen icon in the Actions column.
Edit User dialog displays three tabs:
Basic Information
Change Password
Attributes
In the Basic Information tab, you can modify the user details.
In the Change Password tab, you can set a new password.
Note
For external users, you can only edit the user role and password.
In the Attributes tab, you can add new attributes, delete, or modify existing attributes. For more information about attributes, see Considerations for User or group attributes.
Click Save.
Groups
Use groups to manage multiple users with similar data access needs. A user can belong to more than one group.
Add Groups
From the home page, click Access Management > Users/Groups/Roles.
Select the Groups tab and click +Add. The Add Group pop-up displays.
Enter the group details.
Click Save.
Edit Groups
To edit a group, use the following steps:
From the home page, click Access Management > Users/Groups/Roles.
Select the Groups tab.
Select the group and click the pen icon in Actions column.
Edit Group dialog displays two tabs:
Basic Information
Attributes
In the Basic Information tab, you can edit only a description.
In the Attributes tab, you can add new attributes, delete, or modify existing attributes. For more information about attributes, see Considerations for User or group attributes.
Click Save.
Roles
Assign roles to users based on job functions.
Add Roles
From the home page, click Access Management > Users/Groups/Roles.
Select the Roles tab and click +Add.
Enter the role details and click Save.
Edit Roles
From the home page, click Access Management > Users/Groups/Roles.
Select the Roles tab.
Select the role and click the pen icon in Actions column.
Click Save.
Considerations for User or group attributes
Consider the following points when editing User or Group attributes:
Only Admin users can change user attributes. Other users can neither view nor edit them.
These modifications are limited to the Ranger DB and have no effect on the source directory.
Only attribute values can be changed, and each value is stored as a single string (multiple comma-separated values cannot be added).
Internal UserSync attributes such as full_name, service_id, and sync_source cannot be changed or removed. If one of these internal UserSync attributes is added manually through the UI for an internal user, no further modification or deletion of it is permitted. When Ranger UserSync is restarted, the attribute values from the source override the stored values, but custom attributes added from the UI are retained.
If a user exists in more than one source, such as LDAP and Azure, and you sync that user from both sources, the attributes are merged. For any attribute that both sources carry, only the value from the most recent sync is retained.
If an attribute is deleted from the source or from UserSync, it remains visible in the UI and is not removed automatically. If it is no longer required, delete it manually so that a stale value is not carried indefinitely.
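The precedence rules above (source values override stored values, UI-added attributes survive a sync, the most recent source wins on overlap, and attributes dropped by the source persist) are easy to misjudge when attribute-based policies depend on them. The following Python model is an added illustration written for this page; it is not Privacera's or Apache Ranger's code, and the user "alice", the sources "ldap" and "azure", and attribute names such as department, site, and clearance are constructed sample data. Its only purpose is to let you reason about which value a policy would see after a given sequence of syncs and UI edits, and which stored attributes have gone stale.

```python
from typing import Dict, Optional, Set

# Attribute names the page lists as managed by UserSync and locked in the UI.
INTERNAL_USERSYNC_ATTRS = {"full_name", "service_id", "sync_source"}


def apply_usersync(stored: Dict[str, str], source_name: str,
                   source_attrs: Dict[str, str]) -> Dict[str, str]:
    """Model one UserSync run from `source_name` into the stored attributes.

    Rules modelled (from the documented behaviour):
      * values delivered by the source override stored values of the same name;
      * attributes added through the UI are retained across syncs;
      * attributes the source no longer delivers are NOT removed;
      * with two sources for the same user, the most recent sync wins on overlap.
    """
    merged = dict(stored)          # UI-added and earlier-source attributes survive
    merged.update(source_attrs)    # newest source wins for overlapping names
    merged["sync_source"] = source_name
    return merged


def edit_attribute_in_ui(stored: Dict[str, str], name: str,
                         value: Optional[str]) -> Dict[str, str]:
    """Model an admin edit in the UI. value=None means delete the attribute.

    An internal UserSync attribute that is already present cannot be modified
    or deleted; a value is always stored as a single string.
    """
    if name in INTERNAL_USERSYNC_ATTRS and name in stored:
        raise PermissionError(f"{name} is managed by UserSync and cannot be edited")
    updated = dict(stored)
    if value is None:
        updated.pop(name, None)
    else:
        updated[name] = str(value)
    return updated


def stale_attributes(stored: Dict[str, str], latest_source_attrs: Dict[str, str],
                     ui_added: Set[str]) -> Set[str]:
    """Attributes still stored that the latest sync no longer delivers and that
    were not added in the UI. These persist until an admin deletes them."""
    return {
        name for name in stored
        if name not in latest_source_attrs
        and name not in ui_added
        and name not in INTERNAL_USERSYNC_ATTRS
    }


def demo() -> dict:
    """Constructed scenario: alice is synced from LDAP, gets a UI attribute,
    then is synced from Azure with a different department and no 'site'."""
    ldap = {"full_name": "Alice Example", "service_id": "ldap-1",
            "department": "finance", "site": "nyc"}
    user = apply_usersync({}, "ldap", ldap)
    user = edit_attribute_in_ui(user, "clearance", "high")
    azure = {"full_name": "Alice Example", "service_id": "aad-1",
             "department": "treasury"}
    user = apply_usersync(user, "azure", azure)
    return {"user": user, "stale": stale_attributes(user, azure, {"clearance"})}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows department resolving to the Azure value, clearance (UI-added) and site (dropped by Azure) both still present, and site reported as stale. Treat the stale set as the review list before relying on that attribute in a policy.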