
Privacera Platform master publication

Privacera UserSync: Privacera Data Access User Synchronization

Learn how you can synchronize users and groups from different connectors.

LDAP
  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
  2. Enable the LDAP connector:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.ldap.yml config/custom-vars/ 
    vi config/custom-vars/vars.privacera-usersync.ldap.yml

    Edit the following properties:

    Property | Description | Example
    --- | --- | ---
    A) LDAP Connector Info | |
    LDAP_CONNECTOR | Name of the connector. | ad
    LDAP_ENABLED | Enabled status of the connector: true or false. | true
    LDAP_SERVICE_TYPE | Service type: ldap or ad. | ad
    LDAP_DATASOURCE_NAME | Name of the datasource: ldap or ad. | ad
    LDAP_URL | URL of the source LDAP server. | ldap://example.us:389
    LDAP_BIND_DN | DN used to bind to LDAP before querying for users and groups. | CN=Example User,OU=sales,DC=ad,DC=sales,DC=us
    LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above. |
    LDAP_AUTH_TYPE | Authentication type. Default is simple. | simple
    LDAP_REFERRAL | LDAP context referral handling: ignore or follow. Default is follow. | follow
    LDAP_SYNC_INTERVAL | Frequency of usersync pulls and audit records, in seconds. Default is 3600, minimum is 300. | 3600

    B) Enable SSL for LDAP Server

    Note

    Support Chain SSL - Preview Functionality

    Previously, Privacera services used only one SSL certificate of the LDAP server even when a certificate chain was available. Now, as preview functionality, every certificate in the chain is imported into the truststore. This applies to the Privacera usersync, Ranger usersync and portal SSL certificates.

    Property | Description | Example
    --- | --- | ---
    PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED | Enable or disable SSL for Privacera Usersync. | true
    PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | Set this property if you want Privacera Manager to generate a truststore for your SSL-enabled LDAP server. | true
    PRIVACERA_USERSYNC_AUTH_SSL_ENABLED | Set this property if the other Privacera services are not SSL enabled but you are using an SSL-enabled LDAP server. | true
    C) LDAP Search | |
    LDAP_SEARCH_GROUP_FIRST | Search for groups first, before searching for users. | true
    LDAP_SEARCH_BASE | Search base for users and groups. | DC=ad,DC=sales,DC=us
    LDAP_SEARCH_USER_BASE | Search base for users. | ou=example,dc=ad,dc=sales,dc=us
    LDAP_SEARCH_USER_SCOPE | Search scope for users: base, one or sub. Default is sub. | sub
    LDAP_SEARCH_USER_FILTER | Optional additional filter constraining the users selected for syncing. |
    LDAP_SEARCH_USER_GROUPONLY | Boolean: only load users that are members of groups. | false
    LDAP_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false
    LDAP_SEARCH_INCREMENTAL_ENABLED | Enable incremental search, syncing only changes since the last search. | false
    LDAP_PAGED_RESULTS_ENABLED | Enable the paged results control for LDAP searches. Default is true. | true
    LDAP_PAGED_CONTROL_CRITICAL | Set the paged results control criticality to CRITICAL. Default is true. | true
    LDAP_SEARCH_GROUP_BASE | Search base for groups. | ou=example,dc=ad,dc=sales,dc=us
    LDAP_SEARCH_GROUP_SCOPE | Search scope for groups: base, one or sub. Default is sub. | sub
    LDAP_SEARCH_GROUP_FILTER | Optional additional filter constraining the groups selected for syncing. |
    LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION | Number of sync cycles between deleted-entity searches. Default is 6. | 6
    LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS | Enable both the user and the group deleted-entity search. Default is false. | false
    LDAP_SEARCH_DETECT_DELETED_USERS | Override for the user deleted-entity search. Defaults to the value of LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. | LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS
    LDAP_SEARCH_DETECT_DELETED_GROUPS | Override for the group deleted-entity search. Defaults to the value of LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. | LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS
    D) LDAP Manage/Ignore List of Users/Groups | |
    LDAP_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on it are ignored. |
    LDAP_IGNORE_USER_LIST | List of users to ignore from sync results. |
    LDAP_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on it are ignored. |
    LDAP_IGNORE_GROUP_LIST | List of groups to ignore from sync results. |
    E) LDAP Object Users/Groups Class | |
    LDAP_OBJECT_USER_CLASS | Object class that identifies user entries. | user
    LDAP_OBJECT_GROUP_CLASS | Object class that identifies group entries. | group
    F) LDAP User/Group Attributes | |
    LDAP_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | SAMAccountName
    LDAP_ATTRIBUTE_FIRSTNAME | Attribute of a user's first name. Default is givenName. | givenName
    LDAP_ATTRIBUTE_LASTNAME | Attribute of a user's last name. |
    LDAP_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | mail
    LDAP_ATTRIBUTE_GROUPNAMES | List of attributes of the group entry treated as group names. |
    LDAP_ATTRIBUTE_GROUPNAME | Attribute of the group entry treated as the group name. | name
    LDAP_ATTRIBUTE_GROUP_MEMBER | Attribute of the group entry that lists its members. | member
    G) Username/Group name Attribute Modification | |
    LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false
    LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. |
    LDAP_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. |
    LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false
    LDAP_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false
    LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace matching parts of the username. Default is blank. |
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address. Default is false. | false
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group name. Default is blank. |
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group name. Default is blank. |
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. Default is false. | false
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. Default is false. | false
    LDAP_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace matching parts of the group name. Default is blank. |
    H) Group Attribute Configuration | |
    LDAP_GROUP_ATTRIBUTE_LIST | List of attribute keys to fetch from synced groups. |
    LDAP_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. |
    LDAP_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. |
    LDAP_GROUP_LEVELS | Configure Privacera usersync for AD/LDAP nested group membership. |

  3. Run the following command:

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
LDAP/AD deleted entity detection

When enabled, LDAP/AD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.

Properties:

  • Boolean: usersync.connector.0.search.deleted.group.enabled (default: false)

  • Boolean: usersync.connector.0.search.deleted.user.enabled (default: false)

  • Numeric: usersync.connector.#.search.deleted.cycles (default: 6)

Privacera Manager Variables:

In the LDAP connector properties table above, see under User Search (section C).

Azure Active Directory (AAD)
  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
  2. Enable the AAD connector:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.azuread.yml config/custom-vars/ 
    vi config/custom-vars/vars.privacera-usersync.azuread.yml

    Edit the following properties:

    Property | Description | Example
    --- | --- | ---
    A) AAD Basic Info | |
    AZURE_AD_CONNECTOR | Name of the connector. | AAD1
    AZURE_AD_ENABLED | Enabled status of the connector (true/false). | true
    AZURE_AD_SERVICE_TYPE | Service type. |
    AZURE_AD_DATASOURCE_NAME | Name of the datasource. |
    AZURE_AD_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false
    AZURE_AD_SYNC_INTERVAL | Frequency of usersync pulls and audit records, in seconds. Default is 3600, minimum is 300. | 3600
    B) Azure AAD Info (get the following information from the Azure Portal) | |
    AZURE_AD_TENANT_ID | Azure Active Directory ID (Tenant ID). | 1a2b3c4d-azyd-4755-9638-e12xa34p56le
    AZURE_AD_CLIENT_ID | Azure Active Directory application client ID used to access the Microsoft Graph API. | 11111111-1111-1111-1111-111111111111
    AZURE_AD_CLIENT_SECRET | Azure Active Directory application client secret used to access the Microsoft Graph API. |
    AZURE_AD_USERNAME | Azure account username used to obtain an access token on behalf of the Azure AD application. |
    AZURE_AD_PASSWORD | Azure account password used to obtain an access token on behalf of the Azure AD application. |
    C) AAD Manage/Ignore List of Users/Groups | |
    AZURE_AD_MANAGER_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on it are ignored. |
    AZURE_AD_IGNORE_USER_LIST | List of users to ignore from sync results. |
    AZURE_AD_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on it are ignored. |
    AZURE_AD_IGNORE_GROUP_LIST | List of groups to ignore from sync results. |
    D) AAD Search | |
    AZURE_AD_SEARCH_SCOPE | Azure AD application access scope. |
    AZURE_AD_SEARCH_USER_GROUPONLY | Boolean: only load users that are members of groups. | false
    AZURE_AD_SEARCH_INCREMENTAL_ENABLED | Enable incremental search, syncing only changes since the last search. | false
    AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS | Enable both the user and the group deleted-entity search. Default is false. | false
    AZURE_AD_SEARCH_DETECT_DELETED_USERS | Override for the user deleted-entity search. Defaults to the value of AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS. | AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS
    AZURE_AD_SEARCH_DETECT_DELETED_GROUPS | Override for the group deleted-entity search. Defaults to the value of AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS. | AZURE_AD_SEARCH_DETECT_DELETED_USERS_GROUPS

    E) Azure Service Principal

    Note

    If Sync Service Principals as Users is enabled, be aware that AAD does not require the displayName of a Service Principal to be unique, so two service principals sharing a displayName would map to the same synced user. In that case a different attribute (such as appId) should be used as the Service Principal username.

    Property | Description | Example
    --- | --- | ---
    AZURE_AD_SERVICEPRINCIPAL_ENABLED | Sync Azure service principals as Ranger user entities. | false
    AZURE_AD_SERVICEPRINCIPAL_USERNAME | Attribute from which the username is taken when a service principal is mapped to a Ranger user entity. | displayName
    F) AAD User/Group Attributes | |
    AZURE_AD_ATTRIBUTE_USERNAME | Attribute of a user's name (default: userPrincipalName). |
    AZURE_AD_ATTRIBUTE_FIRSTNAME | Attribute of a user's first name (default: givenName). |
    AZURE_AD_ATTRIBUTE_LASTNAME | Attribute of a user's last name (default: surname). |
    AZURE_AD_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. |
    AZURE_AD_ATTRIBUTE_GROUPNAME | Attribute of the group entry treated as the group name. |
    AZURE_AD_SERVICEPRINCIPAL_USERNAME | Attribute of the service principal name. |
    G) Username/Group name Attribute Modification | |
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. |
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. |
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false
    AZURE_AD_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace matching parts of the username. Default is blank. |
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address. Default is false. | false
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group name. Default is blank. |
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group name. Default is blank. |
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. Default is false. | false
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. Default is false. | false
    AZURE_AD_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace matching parts of the group name. Default is blank. |
    H) Group Attribute Configuration | |
    AZURE_AD_GROUP_ATTRIBUTE_LIST | List of attribute keys to fetch from synced groups. |
    AZURE_AD_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. |
    AZURE_AD_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. |
    I) Filter Properties | |
    AZURE_AD_FILTER_USER_LIST | Filter the AAD user list. Supported for non-incremental search only: when incremental search is enabled, delta search does not support filter properties. | abc.def@privacera.com
    AZURE_AD_FILTER_SERVICEPRINCIPAL_LIST | Filter the AAD service principal list. Supported for non-incremental search only: when incremental search is enabled, delta search does not support filter properties. | abc-testapp
    AZURE_AD_FILTER_GROUP_LIST | Filter the AAD group list. Supported for non-incremental search only: when incremental search is enabled, delta search does not support filter properties. | PRIVACERA-AB-GROUP-00
    J) Domain Properties | |
    AZURE_AD_MANAGE_DOMAIN_LIST | Only users whose domain is in this list are synced. | Privacera.US
    AZURE_AD_IGNORE_DOMAIN_LIST | Users whose domain is in this list are not synced. | Privacera.US
    AZURE_AD_DOMAIN_ATTRIBUTE | Attribute from which the user's domain is taken for comparison: email or username. Default is email. | username

  3. Run the following command:

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
Azure Active Directory (AAD) deleted entity detection

When enabled, AAD deleted entity detection will perform a soft delete of users or groups in Privacera Portal. A soft delete removes all memberships of the group/user and marks them as “hidden”. Hidden users will not appear in auto completion when modifying access policies. References to users/groups in policies will remain, until manually removed or the user/group is fully deleted from Privacera Portal. Hidden users can be fully deleted by using the Privacera Portal UI or REST APIs.

Properties:

  • Boolean: usersync.connector.3.search.deleted.group.enabled (default: false)

  • Boolean: usersync.connector.3.search.deleted.user.enabled (default: false)

Privacera Manager Variables:

In the AAD connector properties table above, see under AAD Search (section D).
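The two deleted-entity detection sections above (LDAP/AD and AAD) describe a cycle counter, a soft delete and policy references that survive it. The model below is an added example, not Privacera's code: it replays that behaviour in memory so the delay between an account disappearing from the source and its soft delete, and the stale policy references left behind, can be seen. The Portal layout, the Entity class and the rule that an entity seen again in the source is un-hidden are assumptions of the model.

```python
"""Model of UserSync deleted-entity detection and soft delete.

Added example, not Privacera's code. It follows the behaviour the page
describes: a deleted-entity search runs every N sync cycles
(LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION, default 6); a soft delete
strips the entity's memberships and marks it hidden; policies keep their
references until an operator removes them or fully deletes the entity.
The Portal layout and the un-hide-on-reappearance rule are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Entity:
    hidden: bool = False
    links: set = field(default_factory=set)  # user: group names; group: member names


@dataclass
class Portal:
    users: dict = field(default_factory=dict)     # name -> Entity
    groups: dict = field(default_factory=dict)    # name -> Entity
    policies: dict = field(default_factory=dict)  # policy -> set of user/group names


class DeletedEntityDetector:
    def __init__(self, portal, cycles_between_detection=6,
                 detect_deleted_users=True, detect_deleted_groups=True):
        # Per-type flags mirror LDAP_SEARCH_DETECT_DELETED_USERS / _GROUPS,
        # which default to LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS.
        self.portal = portal
        self.cycles = max(1, cycles_between_detection)
        self.detect_users = detect_deleted_users
        self.detect_groups = detect_deleted_groups
        self.cycle = 0

    def sync(self, source_users, source_groups):
        """One sync cycle. source_users maps user -> set of group names;
        source_groups is the set of group names the source returned.
        Returns True when this cycle also ran deleted-entity detection."""
        self.cycle += 1
        for name, member_of in source_users.items():
            user = self.portal.users.setdefault(name, Entity())
            user.hidden = False  # assumption: an entity seen again is un-hidden
            user.links = set(member_of)
        for name in source_groups:
            self.portal.groups.setdefault(name, Entity()).hidden = False
        # Rebuild group membership from the user side of the source data.
        for group in self.portal.groups.values():
            group.links = set()
        for name, user in self.portal.users.items():
            for gname in user.links:
                self.portal.groups.setdefault(gname, Entity()).links.add(name)
        if self.cycle % self.cycles != 0:
            return False
        self._detect_deleted(set(source_users), set(source_groups))
        return True

    def _detect_deleted(self, live_users, live_groups):
        if self.detect_users:
            for name, user in self.portal.users.items():
                if name not in live_users and not user.hidden:
                    self._soft_delete(name, user, self.portal.groups)
        if self.detect_groups:
            for name, group in self.portal.groups.items():
                if name not in live_groups and not group.hidden:
                    self._soft_delete(name, group, self.portal.users)

    @staticmethod
    def _soft_delete(name, entity, counterpart):
        # Drop every membership in both directions, then hide the entity.
        for other in entity.links:
            if other in counterpart:
                counterpart[other].links.discard(name)
        entity.links = set()
        entity.hidden = True

    def visible_users(self):
        """Names policy auto-completion would offer: hidden users are excluded."""
        return sorted(n for n, u in self.portal.users.items() if not u.hidden)

    def stale_policy_references(self):
        """Policies that still name hidden users or groups; the page says these
        references survive a soft delete, so this is the list to review."""
        hidden = ({n for n, u in self.portal.users.items() if u.hidden}
                  | {n for n, g in self.portal.groups.items() if g.hidden})
        return {p: sorted(refs & hidden)
                for p, refs in self.portal.policies.items() if refs & hidden}


def demo():
    """Constructed scenario: bob leaves the directory after cycle 2. With the
    default of 6 cycles he stays visible until detection runs at cycle 6."""
    portal = Portal(policies={"sales_read": {"alice", "bob", "sales"}})
    det = DeletedEntityDetector(portal)
    timeline = []
    for cycle in range(1, 8):
        users = {"alice": {"sales"}, "bob": {"sales"}} if cycle <= 2 else {"alice": {"sales"}}
        ran = det.sync(users, {"sales"})
        timeline.append((cycle, ran, det.visible_users()))
    return timeline, det.stale_policy_references(), sorted(portal.groups["sales"].links)
```

At LDAP_SYNC_INTERVAL=3600 the default of 6 cycles means a removed account keeps its memberships for up to six hours, and the policy reference to it remains until someone acts on `stale_policy_references()`.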

SCIM
  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
  2. Enable the SCIM connector:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.scim.yml config/custom-vars/ 
    vi config/custom-vars/vars.privacera-usersync.scim.yml

    Edit the following properties:

    Property | Description | Example
    --- | --- | ---
    A) SCIM Connector Info | |
    SCIM_CONNECTOR | Name of the connector. | DB1
    SCIM_ENABLED | Enabled status of the connector (true/false). | true
    SCIM_SERVICETYPE | Service type. | scim
    SCIM_DATASOURCE_NAME | Name of the datasource. | databricks1
    SCIM_URL | Connector URL. |
    ADMIN_USER_BEARER_TOKEN | Bearer token. |
    SCIM_SYNC_INTERVAL | Frequency of usersync pulls and audit records, in seconds. Default is 3600, minimum is 300. | 3600
    B) SCIM Manage/Ignore List of Users/Groups | |
    SCIM_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on it are ignored. |
    SCIM_IGNORE_USER_LIST | List of users to ignore from sync results. |
    SCIM_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on it are ignored. |
    SCIM_IGNORE_GROUP_LIST | List of groups to ignore from sync results. |
    C) SCIM User/Group Attributes | |
    SCIM_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | userName
    SCIM_ATTRIBUTE_FIRSTNAME | Attribute of the user entry treated as the first name. | name.givenName
    SCIM_ATTRIBUTE_LASTNAME | Attribute of the user entry treated as the last name. | name.familyName
    SCIM_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | emails[primary-true].value
    SCIM_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services (true/false). | false
    SCIM_ATTRIBUTE_GROUPS | Attribute holding the user's group list. | groups
    SCIM_ATTRIBUTE_GROUPNAME | Attribute of the group entry treated as the group name. | displayName
    SCIM_ATTRIBUTE_GROUP_MEMBER | Attribute of the group entry that lists its members. | members
    D) SCIM Server Username Attribute Modifications | |
    SCIM_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false
    SCIM_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. |
    SCIM_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. |
    SCIM_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false
    SCIM_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false
    SCIM_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace matching parts of the username. Default is blank. |
    E) SCIM Server Group Name Attribute Modifications | |
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address (e.g. groupname@domain.com -> groupname). Default is false. | false
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group name. Default is blank. |
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group name. Default is blank. |
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. Default is false. | false
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. Default is false. | false
    SCIM_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace matching parts of the group name. Default is blank. |
    F) Group Attribute Configuration | |
    SCIM_GROUP_ATTRIBUTE_LIST | List of attribute keys to fetch from synced groups. |
    SCIM_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. |
    SCIM_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. |

  3. Run the following command:

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
SCIM Server

Note

SCIM Server exposes privacera-usersync service externally on a Public/Internet-facing LB.

  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
  2. Enable the SCIM Server connector:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.scimserver.yml config/custom-vars/ 
    vi config/custom-vars/vars.privacera-usersync.scimserver.yml

    Edit the following properties:

    Property | Description | Example
    --- | --- | ---
    A) SCIM Server Connector Info | |
    SCIM_SERVER_CONNECTOR | Identifying name of this connector. | DB1
    SCIM_SERVER_ENABLED | Enabled status of the connector (true/false). | true
    SCIM_SERVER_SERVICETYPE | Type of service/connector. | scimserver
    SCIM_SERVER_DATASOURCE_NAME | Unique datasource name, used to identify the source of data and to configure the priority list. (Optional) | databricks1
    SCIM_SERVER_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services (true/false). |
    SCIM_SERVER_BEARER_TOKEN | Bearer token for authentication to the SCIM API. When set, SCIM requests carrying this token are allowed access. |
    SCIM_SERVER_USERNAME | Basic auth username. When set, SCIM requests with this username are allowed access. (Password also required) |
    SCIM_SERVER_PASSWORD | Basic auth password. When set, SCIM requests with this password are allowed access. (Username also required) |
    SCIM_SERVER_SYNC_INTERVAL | Frequency of usersync audit records, in seconds. Default is 3600, minimum is 300. | 3600
    B) SCIM Server Manage/Ignore List of Users/Groups | |
    SCIM_SERVER_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on it are ignored. |
    SCIM_SERVER_IGNORE_USER_LIST | List of users to ignore from sync results. |
    SCIM_SERVER_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on it are ignored. |
    SCIM_SERVER_IGNORE_GROUP_LIST | List of groups to ignore from sync results. |
    C) SCIM Server Attributes | |
    SCIM_SERVER_ATTRIBUTE_USERNAME | Attribute of a user's name. | userName
    SCIM_SERVER_ATTRIBUTE_FIRSTNAME | Attribute of a user's first name. | name.givenName
    SCIM_SERVER_ATTRIBUTE_LASTNAME | Attribute of a user's last/family name. | name.familyName
    SCIM_SERVER_ATTRIBUTE_EMAIL | Attribute of a user's email. | emails[primary-true].value
    SCIM_SERVER_ATTRIBUTE_GROUPS | Attribute holding a user's group list. | groups
    SCIM_SERVER_ATTRIBUTE_GROUPNAME | Attribute of a group's name. | displayName
    SCIM_SERVER_ATTRIBUTE_GROUP_MEMBER | Attribute of the group entry that lists its members. | members
    D) SCIM Server Username Attribute Modifications | |
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. |
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. |
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false
    SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace matching parts of the username. Default is blank. |
    E) SCIM Server Group Name Attribute Modifications | |
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address (e.g. groupname@domain.com -> groupname). Default is false. | false
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group name. Default is blank. |
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group name. Default is blank. |
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. Default is false. | false
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. Default is false. | false
    SCIM_SERVER_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace matching parts of the group name. Default is blank. |
    F) Group Attribute Configuration | |
    SCIM_SERVER_GROUP_ATTRIBUTE_LIST | List of attribute keys to fetch from synced groups. |
    SCIM_SERVER_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. |
    SCIM_SERVER_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. |

  3. If NGINX Ingress is enabled and the NGINX controller is running on an internal LB, disable the ingress for Usersync so that it is exposed on a public/Internet-facing LB instead, by adding the variable below:

    vi config/custom-vars/vars.kubernetes.nginx-ingress.yml
    
    PRIVACERA_USERSYNC_K8S_NGINX_INGRESS_ENABLE: "false"
  4. Run the following command:

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
OKTA
  1. Run the following command to enable Privacera UserSync:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
  2. Enable the OKTA connector:

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.privacera-usersync.okta.yml config/custom-vars/ 
    vi config/custom-vars/vars.privacera-usersync.okta.yml

    Edit the following properties:

    Property | Description | Example
    --- | --- | ---
    A) OKTA Connector Info | |
    OKTA_CONNECTOR | Name of the connector. | OKTA
    OKTA_ENABLED | Enabled status of the connector (true/false). | true
    OKTA_SERVICETYPE | Type of service/connector. | okta
    OKTA_DATASOURCE_NAME | Unique datasource name, used to identify the source of data and to configure the priority list. (Optional) |
    OKTA_SERVICE_URL | Connector URL. | https://{myOktaDomain}.okta.com
    OKTA_API_TOKEN | API token. | A8b2c84d-895a-4fea-82dc-401397b8e50c
    OKTA_SYNC_INTERVAL | Frequency of usersync pulls and audit records, in seconds. Default is 3600, minimum is 300. | 3600
    B) OKTA Manage/Ignore List of Users/Groups | |
    OKTA_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on it are ignored. |
    OKTA_IGNORE_USER_LIST | List of users to ignore from sync results. |
    OKTA_USER_LIST_STATUS | List of user statuses to manage: STAGED, PROVISIONED, ACTIVE, RECOVERY, PASSWORD_EXPIRED, LOCKED_OUT or DEPROVISIONED. If this list is defined, all users whose status is not on it are ignored. | ACTIVE,STAGED
    OKTA_USER_LIST_LOGIN | List of users to manage by user login name (can contain ). If this list is defined, all users not on it are ignored. | sw;mon,san
    OKTA_USER_LIST_PROFILE_FIRSTNAME | List of users to manage by user first name (can contain ). If this list is defined, all users not on it are ignored. | sw;mon,san
    OKTA_USER_LIST_PROFILE_LASTNAME | List of users to manage by user last name (can contain ). If this list is defined, all users not on it are ignored. | sw;mon,san
    OKTA_LIST_PROFILE_EMAIL | List of users to manage by user email (can contain ). If this list is defined, all users not on it are ignored. | sw;mon,san
    OKTA_LIST_TYPE | List of group types to manage. If this list is defined, all groups whose type is not on it are ignored. | APP_GROUP,BUILT_IN,OKTA_GROUP
    OKTA_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on it are ignored. |
    OKTA_IGNORE_GROUP_LIST | List of groups to ignore from sync results. |
    OKTA_GROUP_LIST_SOURCE_ID | List of groups to manage by group source ID. If this list is defined, all groups not on it are ignored. | 0oa2v0el0gP90aqjJ0g7,0oa2v0el0gP90aqjJ0g8,0oa2v0el0gP90aqjJ0g0
    OKTA_GROUP_LIST_PROFILE_NAME | List of groups to manage by group name. If this list is defined, all groups not on it are ignored. | group1,testGroup,testGroup2
    C) OKTA Search | |
    OKTA_SEARCH_USER_GROUPONLY | Boolean: only load users that are members of groups. | false
    OKTA_SEARCH_INCREMENTAL_ENABLED | Boolean: enable incremental search, syncing only changes since the last search. | false
    D) OKTA User/Group Attributes | |
    OKTA_ATTRIBUTE_USERNAME | Attribute of the user entry treated as the user name. | login
    OKTA_ATTRIBUTE_FIRSTNAME | Attribute of the user entry treated as the first name. | firstName
    OKTA_ATTRIBUTE_LASTNAME | Attribute of the user entry treated as the last name. | lastName
    OKTA_ATTRIBUTE_EMAIL | Attribute of the user entry treated as the email address. | email
    OKTA_ATTRIBUTE_GROUPS | Attribute holding the user's group list. | groups
    OKTA_ATTRIBUTE_GROUPNAME | Attribute of a group's name. | name
    OKTA_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services (true/false). | false
    E) OKTA Username Attribute Modifications | |
    OKTA_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false
    OKTA_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. |
    OKTA_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. |
    OKTA_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false
    OKTA_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false
    OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace matching parts of the username. Default is blank. |
    F) OKTA Group Name Attribute Modifications | |
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address (e.g. groupname@domain.com -> groupname). Default is false. | false
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group name. Default is blank. |
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group name. Default is blank. |
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. Default is false. | false
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. Default is false. | false
    OKTA_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace matching parts of the group name. Default is blank. |

  3. Run the following command:

    cd ~/privacera/privacera-manager 
    ./privacera-manager.sh update
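Every connector above carries the same two families of settings: the Manage/Ignore lists (plus the AAD domain lists in section J) that decide which entities are synced, and the *_ATTRIBUTE_*_VALUE_* modifiers (EXTRACTFROMEMAIL, PREFIX, POSTFIX, TOLOWER, TOUPPER, REGEX) that rewrite names before they reach Privacera. The code below is an added example, not Privacera's code, that applies both and then checks the one thing the tables do not: whether two distinct source identities collapse into one synced name after rewriting, which would give them the same access policies. The application order of the modifiers and the "pattern=>replacement" form of the REGEX setting are assumptions; the page does not specify either.

```python
"""Manage/ignore filtering and username/group-name modification as described
in the connector tables, followed by a collision check. Added example, not
Privacera's code. Assumptions: modifiers apply in the order extract-from-
email, regex, prefix/postfix, tolower, toupper (toupper wins if both are
set); *_VALUE_REGEX is modelled as a "pattern=>replacement" string."""
import re
from collections import defaultdict


def normalize_name(value, extract_from_email=False, prefix="", postfix="",
                   to_lower=False, to_upper=False, regex=""):
    """Apply the *_ATTRIBUTE_{USERNAME,GROUPNAME}_VALUE_* settings to one name."""
    if extract_from_email and "@" in value:
        value = value.split("@", 1)[0]          # username@domain.com -> username
    if regex:                                   # assumed form: "pattern=>replacement"
        pattern, _, replacement = regex.partition("=>")
        value = re.sub(pattern, replacement, value)
    value = f"{prefix}{value}{postfix}"
    if to_lower:
        value = value.lower()
    if to_upper:
        value = value.upper()
    return value


def select_entities(names, manage_list=(), ignore_list=()):
    """Manage/ignore list semantics from the tables: when a manage list is
    defined only its members are kept; ignore-list members are always dropped."""
    manage = set(manage_list)
    ignore = set(ignore_list)
    return [n for n in names if (not manage or n in manage) and n not in ignore]


def select_by_domain(users, domain_attribute="email", manage_domains=(), ignore_domains=()):
    """AAD domain properties (section J): take the domain from the chosen
    attribute (email or username) and apply the manage/ignore domain lists.
    Case-insensitive domain comparison is an assumption of this example."""
    manage = {d.lower() for d in manage_domains}
    ignore = {d.lower() for d in ignore_domains}
    kept = []
    for user in users:
        domain = user.get(domain_attribute, "").rpartition("@")[2].lower()
        if (not manage or domain in manage) and domain not in ignore:
            kept.append(user)
    return kept


def find_collisions(source_names, **settings):
    """Run every source name through normalize_name and report each target
    name that more than one distinct source identity maps onto."""
    buckets = defaultdict(set)
    for name in source_names:
        buckets[normalize_name(name, **settings)].add(name)
    return {target: sorted(srcs) for target, srcs in buckets.items() if len(srcs) > 1}


def demo():
    """Constructed directory entries (not real accounts): an employee and a
    contractor with the same local part, a plain user and a service account."""
    users = [
        {"username": "Alice.Smith@corp.example", "email": "Alice.Smith@corp.example"},
        {"username": "alice.smith@contractor.example", "email": "alice.smith@contractor.example"},
        {"username": "bob@corp.example", "email": "bob@corp.example"},
        {"username": "svc-etl@corp.example", "email": "svc-etl@corp.example"},
    ]
    in_scope = select_by_domain(users, manage_domains=["corp.example", "contractor.example"])
    names = select_entities([u["username"] for u in in_scope],
                            ignore_list=["svc-etl@corp.example"])
    # EXTRACTFROMEMAIL=true and TOLOWER=true, a common pairing for AD-style names.
    settings = dict(extract_from_email=True, to_lower=True)
    normalized = [normalize_name(n, **settings) for n in names]
    return normalized, find_collisions(names, **settings)


if __name__ == "__main__":
    print(demo())
```

Run `find_collisions` over a full export of the source names with the exact modifier settings you plan to deploy; a non-empty result means the settings need a prefix, postfix or a narrower manage list before the first sync.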