Power BI
This section describes how to enable and configure the Privacera Power BI connector for workspace-level fine-grained access control on Power BI running in Azure. Permissions in a Privacera policy map to the Power BI workspace roles: Admin, Member, Contributor, and Viewer. Only users and groups from Azure Active Directory (AAD) are allowed in Azure Power BI.
Prerequisites
Ensure that the following prerequisites are met:

1. Create a service principal (app registration) and an application secret for Power BI, and note the following values from the Azure Portal. For details, see the Microsoft Azure documentation.
   - Application (client) ID
   - Directory (tenant) ID
   - Client Secret
2. Create an Azure AD security group and add the Power BI application to it. This is required because the Power BI tenant settings grant API access to service principals only through membership in a security group. For details, see the Microsoft Azure documentation. In the Azure Portal:
   - On the New Group dialog, select Security as the Group type, enter the required group details, and click Create.
   - On the Add members dialog, select your Power BI application.
3. Configure the Power BI tenant to allow service principals to use the Power BI REST APIs. For details, see the Microsoft Azure documentation. In the Power BI admin portal:
   - Under Developer settings, enable Allow service principals to use Power BI APIs. Select Specific security groups (Recommended) and add the group you created above.
   - Under Admin API settings, enable Allow service principals to use read-only Power BI admin APIs (Preview). Select Specific security groups and add the same group. Scoping both settings to that group rather than the entire organization keeps admin API access limited to this service principal.
4. Enable Privacera UserSync for AAD so that the group ID attribute is synchronized. For details, see the topic Azure Active Directory - Data Access User Synchronization.
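Before running Privacera Manager it is worth confirming that the service principal really can reach the Power BI admin API; a missing tenant setting or an unpropagated group membership otherwise surfaces later as a PolicySync failure. The following preflight script is an added example, not Privacera's own code. It uses Microsoft's public identity and Power BI endpoints (the v2.0 token endpoint, the `https://analysis.windows.net/powerbi/api/.default` scope, and the read-only `admin/groups` endpoint); the environment variable names are this example's own choice, and the status classification reflects the prerequisites above rather than any documented Privacera behaviour.

```python
"""Preflight check for the Power BI service principal prerequisites.

Added example, not Privacera's own code. It obtains a token for the Power BI
API with the OAuth2 client-credentials flow and calls one read-only admin
endpoint. The call succeeds only when the tenant settings 'Allow service
principals to use Power BI APIs' and 'Allow service principals to use
read-only Power BI admin APIs' both include the security group the
application was added to.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict

# Microsoft identity platform v2.0 token endpoint and the Power BI REST API.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
POWERBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
# Smallest read-only admin call: list a single workspace.
ADMIN_GROUPS_URL = "https://api.powerbi.com/v1.0/myorg/admin/groups?$top=1"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_ids(tenant_id: str, client_id: str) -> bool:
    """Tenant and client IDs are GUIDs; reject copy/paste damage before any call."""
    return bool(GUID_RE.match(tenant_id) and GUID_RE.match(client_id))


def token_endpoint(tenant_id: str) -> str:
    """Tenant-specific token endpoint (a multi-tenant 'common' endpoint is not used)."""
    return TOKEN_URL.format(tenant=tenant_id)


def token_request(client_id: str, client_secret: str) -> Dict[str, str]:
    """Form body for the client-credentials grant against the v2.0 endpoint."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": POWERBI_SCOPE,
    }


def classify_admin_api_status(status: int) -> str:
    """Explain an admin API HTTP status in terms of the prerequisites above."""
    if status == 200:
        return "ok: the service principal can read Power BI admin APIs"
    if status in (401, 403):
        return ("refused: a token was issued but Power BI rejected the service "
                "principal; confirm both tenant settings include the security group "
                "that contains the application (group changes take time to apply)")
    if status == 429:
        return "throttled: retry later"
    return f"unexpected HTTP status {status}"


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Exchange the client secret for a bearer token (network call)."""
    body = urllib.parse.urlencode(token_request(client_id, client_secret)).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def call_admin_api(token: str) -> int:
    """Return the HTTP status of a read-only admin call (network call)."""
    req = urllib.request.Request(ADMIN_GROUPS_URL,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Environment variable names are this example's own convention.
    tenant = os.environ.get("AZURE_TENANT_ID", "")
    client = os.environ.get("AZURE_CLIENT_ID", "")
    secret = os.environ.get("AZURE_CLIENT_SECRET", "")
    if not (validate_ids(tenant, client) and secret):
        sys.exit("set AZURE_TENANT_ID and AZURE_CLIENT_ID (GUIDs) and AZURE_CLIENT_SECRET")
    try:
        bearer = fetch_token(tenant, client, secret)
    except urllib.error.HTTPError as err:
        sys.exit(f"token request failed with HTTP {err.code}: "
                 "check the tenant ID, client ID and client secret")
    print(classify_admin_api_status(call_admin_api(bearer)))
```

A failure at the token step points at the credentials themselves (wrong tenant, client ID, or an expired secret); a token followed by a 401 or 403 from the admin endpoint points at the tenant settings or group membership, which is the distinction the two prerequisite steps draw.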
CLI Configuration
SSH to the instance where Privacera is installed.
Run the following command.
```shell
cd ~/privacera/privacera-manager/config
cp sample-vars/vars.policysync.powerbi.yml custom-vars/
vi custom-vars/vars.policysync.powerbi.yml
```
Set the properties for your specific installation. For property details and description, see the Configuration Properties section that follows.
Note
Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Power BI Connector.
Run the following command:
```shell
cd ~/privacera/privacera-manager/
./privacera-manager.sh update
```
Configuration Properties
Connection configuration related properties
Name | Type | Default | Required | Description
---|---|---|---|---
| | | | Yes | Specifies the authentication username. If you do not set this value, you must set the client secret instead. |
| | | | Yes | Specifies the authentication password. If you do not set this value, you must set the client secret instead. |
| | | | Yes | Specifies the tenant ID associated with your Microsoft Azure account. |
| | | | Yes | Specifies the principal ID used for authentication. |
| | | | Yes | Specifies a client secret for authentication. If you do not set this value, you must set both the username and the password. |
Load keys and intervals
Name | Type | Default | Required | Description
---|---|---|---|---
| | | | No | Specifies the interval, in seconds, that PolicySync waits before checking for new resources or changes to existing resources. |
| | | | No | Specifies the interval, in seconds, that PolicySync waits before reconciling principals (users, groups, and roles) with those in the data source. When differences are detected, PolicySync updates the principals in the data source accordingly. |
| | | | No | Specifies the interval, in seconds, that PolicySync waits before reconciling Apache Ranger access control policies with those in the data source. When differences are detected, PolicySync updates the access control permissions in the data source accordingly. |
| | | | No | Specifies the interval, in seconds, that elapses before PolicySync retrieves access audits and saves the data in Privacera. |
Resources management
Name | Type | Default | Required | Description
---|---|---|---|---
| | | | No | Specifies a comma-separated list of workspace names for which PolicySync manages access control. If unset, access control is managed for all workspaces. Wildcards are allowed and names are case-sensitive. |
| | | | No | Specifies a comma-separated list of workspace names for which PolicySync does not provide access control. Wildcards are allowed and names are case-sensitive. If unset, all workspaces are subject to access control. This setting supersedes the list of managed workspaces above. |
Users/Groups/Roles management
Name | Type | Default | Required | Description
---|---|---|---|---
| | | | No | Specifies a regular expression to apply to a username; each matching character is replaced with the username replacement string below. If unset, no find-and-replace operation is performed. |
| | | | No | Specifies the string that replaces the characters matched by the username regular expression above. If unset, no find-and-replace operation is performed. |
| | | | No | Specifies a regular expression to apply to a group name; each matching character is replaced with the group replacement string below. If unset, no find-and-replace operation is performed. |
| | | | No | Specifies the string that replaces the characters matched by the group regular expression above. If unset, no find-and-replace operation is performed. |
| | | | No | Specifies whether PolicySync converts usernames to lowercase when creating local users. |
| | | | No | Specifies whether PolicySync converts group names to lowercase when creating local groups. |
| | | | No | Specifies a comma-separated list of usernames for which PolicySync manages access control. Wildcards are allowed and names are case-sensitive. If unset, PolicySync manages access control for all users. |
| | | | No | Specifies a comma-separated list of group names for which PolicySync manages access control. Wildcards are allowed and names are case-sensitive. If unset, access control is managed for all groups. |
| | | | No | Specifies a comma-separated list of usernames for which PolicySync does not provide access control. Wildcards are allowed and names are case-sensitive. If unset, all users are subject to access control. This setting supersedes the list of managed users above. |
| | | | No | Specifies a comma-separated list of group names for which PolicySync does not provide access control. Wildcards are allowed and names are case-sensitive. If unset, all groups are subject to access control. This setting supersedes the list of managed groups above. |
| | | | No | Set this property to true to manage only users who have an email address associated with them in the portal. |
| | | | No | Specifies whether to manage only the users that are members of the groups in the list of managed groups above. |
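The include/exclude lists in the Resources management and Users/Groups/Roles management tables above share one set of rules (wildcards, case-sensitive names, exclusions superseding inclusions), and the regex and lowercase settings transform principal names before PolicySync creates them locally. The following model of those rules is an added example, not Privacera's PolicySync code. It assumes shell-style globs (`*`, `?`) for the wildcards, that filtering is applied to names as they appear in AAD before the regex and lowercase mapping, and uses constructed workspace and user names; none of these come from the page.

```python
"""Model of the PolicySync include/exclude filtering and principal name
mapping rules described in the configuration tables.

Added example, not Privacera code. Assumptions: wildcards are shell-style
globs; matching is case-sensitive (as the tables state); an exclude list
supersedes an include list; the regex find-and-replace runs before the
optional lowercasing; filters are evaluated on the original AAD names.
"""
import fnmatch
import re
from typing import Iterable, List, Optional


def parse_list(value: Optional[str]) -> List[str]:
    """Split a comma-separated property value; None or '' means 'not set'."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def is_managed(name: str, include: Optional[str], exclude: Optional[str]) -> bool:
    """Return True if PolicySync manages access control for `name`.

    - Exclude list matches win over everything else.
    - No include list: every remaining name is managed.
    - Include list: only names matching one of its patterns are managed.
    fnmatchcase keeps 'Finance' and 'finance' distinct.
    """
    if any(fnmatch.fnmatchcase(name, p) for p in parse_list(exclude)):
        return False
    includes = parse_list(include)
    if not includes:
        return True
    return any(fnmatch.fnmatchcase(name, p) for p in includes)


def map_principal(name: str, find_regex: Optional[str],
                  replace_with: Optional[str], to_lowercase: bool) -> str:
    """Apply the regex find-and-replace, then optional lowercasing.

    Both regex properties must be set for the replacement to run, matching
    the 'if not specified, no find and replace is performed' wording.
    """
    if find_regex and replace_with is not None:
        name = re.sub(find_regex, replace_with, name)
    return name.lower() if to_lowercase else name


def managed_principals(names: Iterable[str], include: Optional[str],
                       exclude: Optional[str], find_regex: Optional[str],
                       replace_with: Optional[str], to_lowercase: bool) -> List[str]:
    """Filter on the original names, then map the survivors (assumed order)."""
    return [map_principal(n, find_regex, replace_with, to_lowercase)
            for n in names if is_managed(n, include, exclude)]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real tenant.
    workspaces = ["Finance", "finance-dev", "Sales EU", "HR"]
    print([w for w in workspaces if is_managed(w, "Finance*,Sales*", "*-dev")])
    # -> ['Finance', 'Sales EU']
    users = ["Alice.Smith@corp.example.com", "svc-build@corp.example.com"]
    print(managed_principals(users, None, "svc-*", "[@.]", "_", True))
    # -> ['alice_smith_corp_example_com']
```

Two behaviours are worth checking against your own configuration with this model: a lowercase pattern such as `finance*` does not match the workspace `Finance`, and a name that appears in both lists is never managed, because the exclusion wins regardless of ordering.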
Access control management
Name | Type | Default | Required | Description
---|---|---|---|---
| | | | No | Specifies whether PolicySync performs grants and revokes for access control and creates, updates, and deletes users, groups, and roles in the data source. |
Access audits management
Name | Type | Default | Required | Description
---|---|---|---|---
| | | | Yes | Specifies whether Privacera fetches access audit data from the data source. |
| | | | No | Specifies the initial delay, in minutes, before PolicySync retrieves access audits from Microsoft Power BI. |
Limitations
Roles in Access Management resource policies are not supported.
Only AAD users and groups are supported in Access Management resource policies. Local users and groups (created manually in Access Management) are not supported.