# Privacera

### Overview

The Veza integration for Privacera provides visibility into your Privacera environment, including users, groups, roles, resource policies, and their associated permissions.

### Configuring Privacera

This integration uses the Privacera Cloud API to collect identity and authorization data. You will need to create an integration user and generate an API key for the user.

Required API Permissions:

1. Read user profiles (`GetUserProfile`)
2. List users (`GetUsers`)
3. List groups (`GetGroups`)
4. List roles (`GetRoles`)
5. List resource policies (`GetResourcePolicies`)

#### Create a Privacera User and API key

1. Sign in to Privacera Cloud using your account ID or alias.
2. From **Access Management > Users/Groups/Roles**, create a new user with sufficient permissions to access the required APIs. Note the username and password for the user.
3. Go to **Settings > API Keys** to generate a new API Key. Save the API key value securely after generation as it cannot be viewed again in the Privacera UI.
4. Note your **Privacera Account ID**. This value appears at the top right of the Privacera UI. It must be a 14-digit numerical identifier, not an account alias.

### Create a Privacera integration on Veza

To enable the Privacera integration in Veza:

1. In Veza, open the **Integrations** page.
2. Click **Add New** and select Privacera as the type of integration to add.
3. Enter the required information and **Save** the configuration.

Required Configuration Fields:

| Field            | Description                                                                                                  |
| ---------------- | ------------------------------------------------------------------------------------------------------------ |
| `Username`       | The username for authenticating with Privacera                                                               |
| `Password`       | The password for authenticating with Privacera                                                               |
| `API Key`        | API key for accessing Privacera services                                                                     |
| `Account ID`     | The Privacera account identifier                                                                             |
| `URL`            | (Optional) The Privacera API endpoint (defaults to `https://api.privaceracloud.com/api/` if not specified)   |
| `CA Certificate` | (Optional) Custom CA certificate for API communication (only if using a custom endpoint with private CA)     |

### Notes

* The `URL` field is optional. If not provided, the integration will use the default Privacera Cloud API endpoint.
* If a custom `URL` is provided and requires a CA Certificate, both must be provided together.
* The integration uses both basic authentication (username/password) and API key authentication.
* Extraction issues such as unknown roles or unmapped users result in a warning message (at most 10 warnings are reported).

### Supported Entities

The integration currently supports the following Privacera entities and attributes:

#### Privacera Instance

The root entity representing your Privacera environment. Contains users, groups, roles, and resource policies.

| Attribute    | Notes                                            |
| ------------ | ------------------------------------------------ |
| `account_id` | The unique identifier for your Privacera account |

#### Privacera User

An individual account within the Privacera platform. Users can be members of groups, have roles assigned directly, and can be granted or denied permissions through resource policies.

| Attribute       | Notes                                                         |
| --------------- | ------------------------------------------------------------- |
| `name`          | The display name of the user                                  |
| `email`         | Used for connecting user to external IdP in Veza if available |
| `description`   | Brief description or purpose of the user account              |
| `is_active`     | Indicates if the user account is currently active             |
| `is_visible`    | Determines if the user profile is visible to other users      |
| `created_at`    | Timestamp of when the user account was created                |
| `updated_at`    | Timestamp of the last update to the user account              |
| `role_list`     | List of roles assigned to the user                            |
| `identity_type` | Identifies if the user is human or non-human                  |

#### Privacera Group

A collection of Privacera Users. Groups can have roles assigned and can be granted or denied permissions through resource policies.

| Attribute      | Notes                                             |
| -------------- | ------------------------------------------------- |
| `name`         | The display name of the group                     |
| `description`  | Brief description or purpose of the group         |
| `created_at`   | Timestamp of when the group was created           |
| `updated_at`   | Timestamp of the last update to the group         |
| `is_visible`   | Determines if the group is visible to other users |
| `group_type`   | The type classification of the group              |
| `group_source` | Indicates where the group originated from         |

#### Privacera Role

A set of permissions and access rights that can be assigned to users and groups. Roles can be nested within other roles and can be granted or denied permissions through resource policies.

| Attribute        | Notes                                                    |
| ---------------- | -------------------------------------------------------- |
| `name`           | The display name of the role                             |
| `description`    | Brief description or purpose of the role                 |
| `is_enabled`     | Indicates if the role is currently active and assignable |
| `is_system_role` | Identifies if this is a built-in Privacera role          |
| `created_at`     | Timestamp of when the role was created                   |
| `updated_at`     | Timestamp of the last update to the role                 |

#### Resource Policy

Defines access control rules for resources. Policies can grant or deny permissions to users, groups, and roles.

| Attribute         | Notes                                                |
| ----------------- | ---------------------------------------------------- |
| `name`            | The display name of the policy                       |
| `description`     | Brief description of the policy's purpose            |
| `service_type`    | The type of service this policy applies to           |
| `service`         | The specific service instance this policy applies to |
| `policy_priority` | The priority level of this policy                    |
| `zone_name`       | The security zone this policy applies to             |
| `policy_labels`   | Tags or labels associated with the policy            |
| `is_enabled`      | Indicates if the policy is currently active          |
| `version`         | The version number of the policy                     |

#### Policy Resource Definition

Defines the specific resources that a policy applies to within a service. For Hive services, this captures the hierarchical relationship between databases, tables, and columns.

| Attribute                 | Notes                                                               |
| ------------------------- | ------------------------------------------------------------------- |
| `name`                    | The display name of the resource definition                         |
| `service_type`            | The type of service these resources belong to (e.g., "hive")        |
| `resource_type_hierarchy` | Hierarchical path of resource types (e.g., "database.table.column") |

**Supported Resource Hierarchies**

The integration currently supports the following resource type hierarchies:

**Hive Resources:**

* Database → Table → Column
* Database → UDF (User Defined Function)
* Global
* Service
* URL

For Hive resources, the policy resource definition maps the relationships between:

* Databases and their tables
* Tables and their columns
* Databases and their UDFs

The resource hierarchy is used to determine the scope of permissions. For example, permissions granted at the database level cascade down to all tables within that database, unless explicitly overridden by a more specific policy.

#### Grant Assignment

Represents permissions granted to users, groups, or roles through a resource policy.

| Attribute     | Notes                             |
| ------------- | --------------------------------- |
| `permissions` | List of permissions being granted |

#### Deny Assignment

Represents permissions explicitly denied to users, groups, or roles through a resource policy.

| Attribute     | Notes                            |
| ------------- | -------------------------------- |
| `permissions` | List of permissions being denied |

#### Permission Mapping

Privacera permissions are mapped to effective permissions for consistent authorization visualization across systems:

| Privacera Permission | Veza Abstract Permission              |
| -------------------- | ------------------------------------- |
| `all`                | All Permissions                       |
| `alter`              | Metadata Read & Write                 |
| `create`             | Metadata Create                       |
| `data_admin`         | All Permissions                       |
| `drop`               | Data Delete & Metadata Delete         |
| `index`              | Metadata Create, Read, Write & Delete |
| `lock`               | Non-Data                              |
| `read`               | Data Read                             |
| `refresh`            | Non-Data                              |
| `repladmin`          | Data Read & Metadata Read             |
| `select`             | Data Read                             |
| `serviceadmin`       | Metadata Read & Non-Data              |
| `tempudfadmin`       | Metadata Read & Create Data           |
| `update`             | Data Write                            |
| `write`              | Data Write                            |

Note: These mappings are specific to Hive resources and are based on [Apache Ranger's Hive Commands to Permission Mapping](https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping).
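As an added example (not Veza's or Privacera's code), the following Python resolves a principal's effective permissions on a Hive database/table/column path under the cascade-and-override rule described in the resource hierarchy section, then translates them using the mapping table above. The resolution order (broadest scope first, a more specific policy overriding a broader one, a deny beating a grant within the same policy), the policy dictionary shape and the sample policies are assumptions made for illustration.

```python
# Assumed rules for illustration: matching policies apply from broadest to most
# specific scope (so a specific policy overrides a broader one); deny beats grant.

# Privacera Hive permission -> Veza abstract permissions, from the mapping table
PERMISSION_MAP = {
    "all": {"All Permissions"}, "data_admin": {"All Permissions"},
    "alter": {"Metadata Read", "Metadata Write"}, "create": {"Metadata Create"},
    "drop": {"Data Delete", "Metadata Delete"},
    "index": {"Metadata Create", "Metadata Read", "Metadata Write", "Metadata Delete"},
    "lock": {"Non-Data"}, "refresh": {"Non-Data"},
    "read": {"Data Read"}, "select": {"Data Read"},
    "repladmin": {"Data Read", "Metadata Read"},
    "serviceadmin": {"Metadata Read", "Non-Data"},
    "tempudfadmin": {"Metadata Read", "Create Data"},
    "update": {"Data Write"}, "write": {"Data Write"},
}

def scope_matches(scope, target):
    """A policy scope (database[.table[.column]]) covers targets at or below it; "*" is a wildcard."""
    return len(scope) <= len(target) and all(s in ("*", t) for s, t in zip(scope, target))

def effective_permissions(policies, principal, target):
    """Resolve a principal's Privacera permissions on a Hive resource path (tuple of names).
    Assumed policy shape: {"name", "scope": tuple, "grants": {principal: set}, "denies": {...}}."""
    perms = set()
    applicable = [p for p in policies if scope_matches(p["scope"], target)]
    for policy in sorted(applicable, key=lambda p: len(p["scope"])):  # broad -> specific
        perms |= policy.get("grants", {}).get(principal, set())
        perms -= policy.get("denies", {}).get(principal, set())       # deny wins in one policy
    return perms

def veza_abstract_permissions(perms):
    """Translate resolved Privacera permissions into the Veza abstract permissions."""
    return set().union(*(PERMISSION_MAP[p] for p in perms))

# Constructed sample: analysts may read the whole "sales" database, but a more
# specific policy denies the customers.ssn column.
SAMPLE_POLICIES = [
    {"name": "sales-read", "scope": ("sales",), "grants": {"analysts": {"select", "read"}}},
    {"name": "ssn-deny", "scope": ("sales", "customers", "ssn"),
     "denies": {"analysts": {"select", "read"}}},
]

if __name__ == "__main__":
    for target in [("sales", "orders"), ("sales", "customers", "ssn")]:
        p = effective_permissions(SAMPLE_POLICIES, "analysts", target)
        print(".".join(target), sorted(p), sorted(veza_abstract_permissions(p)))
```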
