Skip to main content

PrivaceraCloud Documentation

About Account


The Account page contains the following sections:

  • Activity - displays basic information about your master PrivaceraCloud account, such as account status, creation and expiry dates, and portal user count.

  • Manage this Account - if enabled, this module provides the PrivaceraCloud master with linked, or sub-account functionality.


    Contact Privacera Support to request enabling this feature.

  • Allowed IP Address - control access to data sources through VPI-IP configuration.

  • Discovery - enable Discovery and Real-Time scanning.

  • Privacera Encryption - enable/disable Encryption for your datasources.

  • Authentication Settings - allows you to enable SSO for your account.


To edit personal account information or to replace your master account ID with an alias name:

  1. Select the pencil icon next to your account name.

  2. Add an optional alias name.

  3. Edit your company or personal name and phone number.

  4. Click SAVE when you are finished.

Manage this account

Primarily intended for administration purposes, a master account can create an authorized number of linked, or sub-accounts. The new account receives a full set of resources and will function the same as an independent account.

To create a sub-account:

  1. Click MANAGE LINKED ACCOUNTS to open to the Manage Accounts page.


  3. Enter a First and Last name, sub-account name, and Email. The email address of the sub-account can be the same as that of the master account.


A sub-account is automatically approved for use and will deliver a welcome email message to the specified email address.

Allowed IP address

Policy updates and user access to data resources can be restricted to whitelisted IP addresses and Virtual Private Cloud (VPC) identifiers. User access to resource servers is controlled on a more granular level by defining how specific IP addresses can access data sources.

To create and manage allowed IP addresses:


  2. Click ADD NEW IP RANGE.

  3. From the Add IP Range configuration screen, choose one of the following options:

    1. Enter a single IP address. For IP address range should be separated by a /.

    2. Select the Allow All checkbox to enable all IP addresses.

  4. Enter description which is optional.

  5. Select an access traffic type from the drop-down menu.

    • Privacera Encryption Services (PEG)

    • Data Access

    • API Access

    • *All

  6. Click the toggle button to enable or disable this IP address configuration.

  7. Click ADD IP RANGE.



  • Click Enable Discovery toggle button.

  • Click the Enable Real-Time Scanning toggle button.


  • To enable real-time scanning on an S3 bucket, do the following steps. This step assumes you have an existing setup of an AWS SQS account with a queue created. If you do not have an AWS SQS account, set up an account and then create a queue.

    1. Get the following information from the AWS SQS account and enter them here:

      • With Use IAM Role disabled:

        • SQS Endpoint

        • SQS Access Key

        • SQS Secret Key

        • SQS Region

        • SQS Queue Name

      • With Use IAM Role enabled:

        • SQS Endpoint

        • SQS IAM Role

        • SQS Region

        • SQS Queue Name

    2. Click Test Connection to check if the connection is successful, and then click Save Settings.

Azure ADLS

For real-time scanning to be configured, you need to configure an Azure Event Hub. It will process all the events sent from the Azure storage container, whenever a new resource gets added.

Event Hub requires a storage account to store checkpoint information. Checkpointing is a process by which readers (i.e Pkakfa) mark or commit their position within a partition event sequence. In this case, Azure blob storage container is used for storing checkpoints while processing events from Azure Event Hubs.

  1. Configure Event Hub:

    1. Create an Event Hub namespace with a region similar to the region of a Storage Account you want to monitor. Refer to Microsoft documentation on how to Create an Event Hubs namespace .

      Use this Event Hub namespace name in Eventhub Namespace.

    2. Create an Event Hub in the Event Hub namespace. Refer to Microsoft documentation on how to Create an event hub .

      Use this event hub name in Eventhub Name.

    3. Get Eventhub Sas Key Name and Eventhub Sas key:

      1. Navigate to Event hub namespace > Event hub.

      2. Under Settings, click Shared access policies.

      3. Click +Add to create a new Sas policy.

        The Add SAS Policy section is displayed on the right.

      4. Enter a policy name and select appropriate claims.

      5. Click the new policy to populate keys.

        Use the policy name in Eventhub Sas Key Name, and use either the Primary key or Secondary key in Eventhub Sas key.

  2. Create Consumer Group for Pkafka:

    1. Navigate to Event Hubs namespace > Event Hub > Consumer Groups > +Consumer Group. The Consumer Groups tab will be under Entities of the Event Hub page.

    2. Create a consumer group with name as pkafkagroup1.

  3. Configure Checkpoint Storage for Pkafka:

    1. Get Eventhub Storage Account Name:

      Use an existing storage account or create a storage account to use with Eventhub. Refer to Microsoft documentation on how to Create a Storage Account.

      Use this storage account name in Eventhub Storage Account Name.

    2. Get Eventhub Storage Account Key:

      1. Navigate to the storage account.

      2. Under Security + networking, click Access keys.

      3. Click Show Keys for keys to be populated.

      4. Use Key1 value in Eventhub Storage Account Key.

    3. Get Eventhub Storage Container Name:

      Use an existing container name or create a storage container to use with Eventhub. Refer to Microsoft documentation on how to Create a Container .

      Use this container name in Eventhub Storage Container Name.

    4. Get the Eventhub URL Prefix:

      1. Navigate to the container.

      2. Open the container and click Properties, container property details are populated on the right.

      3. Use the URL prefix in Eventhub Storage Url Prefix.

  4. Enable Real-Time Scan:

    1. In Privacera Portal, enable Discovery.

    2. Click Enable Discovery to enable Enable Real-Time Scanning.

    3. Provide the following information:

      • Eventhub Namespace

      • Eventhub Name

      • Eventhub Sas Key Name

      • Eventhub Sas key

      • Eventhub Storage Url Prefix

      • Eventhub Storage Account Name

      • Eventhub Storage Account Key

      • Eventhub Storage Container Name

    4. Click Test Connection to check if the connection is successful, and then click Save Settings.

Privacera Encryption

PrivaceraCloud Privacera Encryption Gateway (PEG) supports two API REST methods: protect and unprotect. It uses Basic Auth (Base64 encoding) authenticated against a single configured service user.

Using the Enable Privacera Encryption toggle button, you can enable encryption for your applications.

  1. In the BASIC tab, enter the following information:

    • Enter credentials (Username and Password) for a PEG service user. These are the Basic Authentication values for the PEG API requests.

    • Enter a value for a secret. This value will be used as a shared secret when configuring embedded encryption using the Privacera Crypto Jar, for use in Databricks. See Databricks Encryption for additional setup details, if using PEG with Databricks SQL and User-Defined Functions (UDFs).

  2. In the ADVANCED tab, you can add custom properties.

  3. Using the IMPORT PROPERTIES and EXPORT PROPERTIES button, you can browse and import/export properties.

  4. Click SAVE.

Thereafter, use the toggle to either disable or enable encryption, and use the EDIT button to modify the configuration.

Authentication settings

Enable the toggle button if you want to allow users to sign in only using SSO.

To enable toggle button, you first need to configure SAML Single Sign-On integration.

Enable Privacera audit access


Contact Privacera Support to request enabling this feature.

The access audits in the Audits page are retained for 90 days in the storage of PrivaceraCloud account. If you want to keep the access audit records for much longer, you can copy the audit records from PrivaceraCloud storage to your AWS bucket. The copied audit records in your AWS bucket is the ZIP or TAR format.

When you configure the AWS bucket and region, an ARN Role will be generated automatically by PrivaceraCloud. After configuring this setting, contact Privacera Support to get the ARN Role. This will be used in the policy of your AWS S3 bucket.

To enable Privacera audit access:

  1. Contact Privacera Support who will enable this feature for you. Then you will be able to view the Privacera Audit Access section in the Account page.

  2. In the Privacera Audit Access section:

    1. In the Enable Backup of Access Audits ( AWS ), click Enable button. The Privacera Access Audit Configuration dialog appears.

    2. In the dialog, enter a bucket name or a folder path and bucket region.


      Once you save the bucket name and region, you will not be allowed to edit the settings later.

    3. Click Save Settings. An ARN Role will be generated by PrivaceraCloud.

    4. Contact Privacera Support to get the ARN Role.

  3. In the AWS console, add the following bucket policy to your AWS S3 bucket:

    "Id": "Policy1645104586202",
    "Version": "2012-10-17",
    "Statement": [
        "Sid": "Stmt1645104584705",
        "Action": "s3:PutObject",
        "Effect": "Allow",
        "Resource": [
        "Principal": {
            "AWS": [

    In the policy above, edit the following information:

    • <bucket_name_or_folder_path> - Add the bucket name or folder path where the audit records will get copied.

    • <ARN_ROLE> - Add the ARN Role received from Privacera Support. For example, arn:aws:iam::9xxxx56xxxx0:role/PRIVACERA_AUDIT_1xxxxx933xxxx2_ROLE.