Privacera

Configuring the Veza integration for Privacera

Overview

The Veza integration for Privacera provides visibility into your Privacera environment, including users, groups, roles, resource policies, and their associated permissions.

Configuring Privacera

This integration uses the Privacera Cloud API to collect identity and authorization data. You will need to create an integration user and generate an API key for the user.

Required API Permissions:

  1. Read user profiles (GetUserProfile)

  2. List users (GetUsers)

  3. List groups (GetGroups)

  4. List roles (GetRoles)

  5. List resource policies (GetResourcePolicies)

Create a Privacera User and API key

  1. Sign in to Privacera Cloud using your account ID or alias.

  2. From Access Management > Users/Groups/Roles create a new user with sufficient permissions to access the required APIs. Note the username and password for the user.

  3. Go to Settings > API Keys to generate a new API Key. Save the API key value securely after generation as it cannot be viewed again in the Privacera UI.

  4. Note your Privacera Account ID. This value appears at the top right of the Privacera UI. It must be a 14-digit numerical identifier, not an account alias.

Create a Privacera integration on Veza

To enable the Privacera integration in Veza:

  1. In Veza, open the Integrations page.

  2. Click Add New and select Privacera as the type of integration to add.

  3. Enter the required information and Save the configuration.

Required Configuration Fields:

| Field | Description |
| --- | --- |
| Username | The username for authenticating with Privacera |
| Password | The password for authenticating with Privacera |
| API Key | API key for accessing Privacera services |
| Account ID | The Privacera account identifier (the 14-digit numeric ID, not an account alias) |
| URL | (Optional) The Privacera API endpoint. Defaults to "https://api.privaceracloud.com/api/" if not specified. |
| CA Certificate | (Optional) Custom CA certificate for API communication; only needed when using a custom endpoint with a private CA. |

Notes

  • The URL field is optional. If not provided, the integration will use the default Privacera Cloud API endpoint.

  • If a custom URL is provided and requires a CA Certificate, both must be provided together.

  • The integration uses both basic authentication (username/password) and API key authentication.

  • Extraction issues such as unknown roles or unmapped users result in a warning message (at most 10 warnings are reported).
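The constraints above (mandatory fields, the 14-digit numeric Account ID, the default endpoint, and the CA certificate being meaningful only together with a custom URL) can be checked before a configuration is saved. The following is an added example, not Veza's or Privacera's own code: the configuration dict layout and key names are assumed, and the requirement that the endpoint be `https://` is this example's own hardening choice rather than something the page states.

```python
"""Validate a Privacera integration configuration against the documented
constraints.  Added example; dict layout and key names are assumptions."""

import re
from urllib.parse import urlparse

# Default endpoint named on the page; used when no custom URL is configured.
DEFAULT_URL = "https://api.privaceracloud.com/api/"

# The Account ID must be the 14-digit numeric identifier, never an alias.
ACCOUNT_ID_RE = re.compile(r"\d{14}")

REQUIRED_FIELDS = ("username", "password", "api_key", "account_id")


class ConfigError(ValueError):
    """Raised when the configuration violates one or more documented rules."""


def config_errors(cfg):
    """Return a list of human-readable problems; an empty list means the config is valid."""
    errors = []

    for key in REQUIRED_FIELDS:
        if not str(cfg.get(key) or "").strip():
            errors.append(f"{key} is required")

    account_id = str(cfg.get("account_id") or "").strip()
    if account_id and not ACCOUNT_ID_RE.fullmatch(account_id):
        errors.append("account_id must be the 14-digit numeric account ID, not an account alias")

    url = (cfg.get("url") or DEFAULT_URL).strip()
    parsed = urlparse(url)
    # Assumption of this example: credentials and the API key travel over TLS only.
    if parsed.scheme != "https" or not parsed.netloc:
        errors.append("url must be an https:// endpoint")

    # A CA certificate is only meaningful for a custom endpoint with a private CA.
    if cfg.get("ca_certificate") and url == DEFAULT_URL:
        errors.append("ca_certificate only applies to a custom url; supply both or neither")

    return errors


def normalize_config(cfg):
    """Return the effective configuration (defaults applied) or raise ConfigError."""
    errors = config_errors(cfg)
    if errors:
        raise ConfigError("; ".join(errors))
    url = (cfg.get("url") or DEFAULT_URL).strip()
    return {
        "username": cfg["username"],
        "password": cfg["password"],
        "api_key": cfg["api_key"],
        "account_id": str(cfg["account_id"]).strip(),
        "url": url,
        # Only present when a custom endpoint was configured (validated above).
        "ca_certificate": cfg.get("ca_certificate") or None,
    }


if __name__ == "__main__":
    # Constructed sample input: an alias instead of a numeric Account ID.
    sample = {"username": "veza-integration", "password": "p", "api_key": "k",
              "account_id": "acme-prod"}
    for problem in config_errors(sample):
        print("config problem:", problem)
```

`config_errors` reports every violation at once so an operator fixes the form in one pass; `normalize_config` is the function to call right before persisting the integration.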

Supported Entities

The integration currently supports the following Privacera entities and attributes:

Privacera Instance

The root entity representing your Privacera environment. Contains users, groups, roles, and resource policies.

| Attribute | Notes |
| --- | --- |
| account_id | The unique identifier for your Privacera account |

Privacera User

An individual account within the Privacera platform. Users can be members of groups, have roles assigned directly, and can be granted or denied permissions through resource policies.

| Attribute | Notes |
| --- | --- |
| name | The display name of the user |
| email | Used for connecting the user to an external IdP in Veza, if available |
| description | Brief description or purpose of the user account |
| is_active | Indicates whether the user account is currently active |
| is_visible | Determines whether the user profile is visible to other users |
| created_at | Timestamp of when the user account was created |
| updated_at | Timestamp of the last update to the user account |
| role_list | List of roles assigned to the user |
| identity_type | Identifies whether the user is human or non-human |

Privacera Group

A collection of Privacera Users. Groups can have roles assigned and can be granted or denied permissions through resource policies.

| Attribute | Notes |
| --- | --- |
| name | The display name of the group |
| description | Brief description or purpose of the group |
| created_at | Timestamp of when the group was created |
| updated_at | Timestamp of the last update to the group |
| is_visible | Determines whether the group is visible to other users |
| group_type | The type classification of the group |
| group_source | Indicates where the group originated from |

Privacera Role

A set of permissions and access rights that can be assigned to users and groups. Roles can be nested within other roles and can be granted or denied permissions through resource policies.

| Attribute | Notes |
| --- | --- |
| name | The display name of the role |
| description | Brief description or purpose of the role |
| is_enabled | Indicates whether the role is currently active and assignable |
| is_system_role | Identifies whether this is a built-in Privacera role |
| created_at | Timestamp of when the role was created |
| updated_at | Timestamp of the last update to the role |

Resource Policy

Defines access control rules for resources. Policies can grant or deny permissions to users, groups, and roles.

| Attribute | Notes |
| --- | --- |
| name | The display name of the policy |
| description | Brief description of the policy's purpose |
| service_type | The type of service this policy applies to |
| service | The specific service instance this policy applies to |
| policy_priority | The priority level of this policy |
| zone_name | The security zone this policy applies to |
| policy_labels | Tags or labels associated with the policy |
| is_enabled | Indicates whether the policy is currently active |
| version | The version number of the policy |

Policy Resource Definition

Defines the specific resources that a policy applies to within a service. For Hive services, this captures the hierarchical relationship between databases, tables, and columns.

| Attribute | Notes |
| --- | --- |
| name | The display name of the resource definition |
| service_type | The type of service these resources belong to (e.g., "hive") |
| resource_type_hierarchy | Hierarchical path of resource types (e.g., "database.table.column") |

Supported Resource Hierarchies

The integration currently supports the following resource type hierarchies:

Hive Resources:

  • Database → Table → Column

  • Database → UDF (User Defined Function)

  • Global

  • Service

  • URL

For Hive resources, the policy resource definition maps the relationships between:

  • Databases and their tables

  • Tables and their columns

  • Databases and their UDFs

The resource hierarchy is used to determine the scope of permissions. For example, permissions granted at the database level cascade down to all tables within that database, unless explicitly overridden by a more specific policy.

Grant Assignment

Represents permissions granted to users, groups, or roles through a resource policy.

| Attribute | Notes |
| --- | --- |
| permissions | List of permissions being granted |

Deny Assignment

Represents permissions explicitly denied to users, groups, or roles through a resource policy.

| Attribute | Notes |
| --- | --- |
| permissions | List of permissions being denied |

Permission Mapping

Privacera permissions are mapped to effective permissions for consistent authorization visualization across systems:

| Privacera Permission | Veza Abstract Permission |
| --- | --- |
| all | All Permissions |
| alter | Metadata Read & Write |
| create | Metadata Create |
| data_admin | All Permissions |
| drop | Data Delete & Metadata Delete |
| index | Metadata Create, Read, Write & Delete |
| lock | Non-Data |
| read | Data Read |
| refresh | Non-Data |
| repladmin | Data Read & Metadata Read |
| select | Data Read |
| serviceadmin | Metadata Read & Non-Data |
| tempudfadmin | Metadata Read & Create Data |
| update | Data Write |
| write | Data Write |

Note: These mappings are specific to Hive resources and are based on Apache Ranger's Hive Commands to Permission Mapping.
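The three pieces above (the Hive resource hierarchy with its cascade-and-override rule, grant and deny assignments, and the Hive permission mapping) combine when answering the question a reviewer actually asks: "what can this principal do on this table or column?" The following is an added, simplified model written to illustrate that combination; it is not Veza's extraction logic or Privacera's policy engine. The cascade rule follows the page (a database-level policy applies to every table beneath it unless a more specific policy for that principal overrides it); treating a deny at the winning level as removing the permission, and surfacing unknown permission names as warnings, are assumptions of this model. Policy names, principals and resources are constructed sample data.

```python
"""Resolve a principal's effective Hive permissions through Privacera-style
resource policies and map them to Veza abstract permissions.
Added example with simplified, assumed semantics; not Veza or Privacera code."""

from dataclasses import dataclass, field

# Hive permission -> Veza abstract permissions, exactly as in the table above.
PERMISSION_MAPPING = {
    "all": {"All Permissions"},
    "alter": {"Metadata Read", "Metadata Write"},
    "create": {"Metadata Create"},
    "data_admin": {"All Permissions"},
    "drop": {"Data Delete", "Metadata Delete"},
    "index": {"Metadata Create", "Metadata Read", "Metadata Write", "Metadata Delete"},
    "lock": {"Non-Data"},
    "read": {"Data Read"},
    "refresh": {"Non-Data"},
    "repladmin": {"Data Read", "Metadata Read"},
    "select": {"Data Read"},
    "serviceadmin": {"Metadata Read", "Non-Data"},
    "tempudfadmin": {"Metadata Read", "Create Data"},
    "update": {"Data Write"},
    "write": {"Data Write"},
}


@dataclass
class ResourcePolicy:
    """One resource policy scoped to a point in the database.table.column hierarchy."""
    name: str
    resource: tuple                      # ("db",), ("db", "table") or ("db", "table", "col")
    grants: dict = field(default_factory=dict)   # principal -> iterable of permissions
    denies: dict = field(default_factory=dict)   # principal -> iterable of permissions
    is_enabled: bool = True


def matching_policies(policies, resource):
    """Enabled policies scoped to the resource itself or to one of its ancestors."""
    return [p for p in policies
            if p.is_enabled and resource[:len(p.resource)] == p.resource]


def effective_privacera_permissions(policies, principal, resource):
    """Apply the cascade/override rule: among policies that mention the principal,
    the most specific hierarchy level wins; its grants minus its denies apply."""
    relevant = [p for p in matching_policies(policies, resource)
                if principal in p.grants or principal in p.denies]
    if not relevant:
        return set()
    depth = max(len(p.resource) for p in relevant)
    winners = [p for p in relevant if len(p.resource) == depth]
    granted, denied = set(), set()
    for p in winners:
        granted |= set(p.grants.get(principal, ()))
        denied |= set(p.denies.get(principal, ()))
    return granted - denied          # assumption: deny removes the permission


def to_veza_permissions(privacera_perms):
    """Map Hive permissions to Veza abstract permissions; unknown names become warnings."""
    abstract, warnings = set(), []
    for perm in sorted(privacera_perms):
        if perm in PERMISSION_MAPPING:
            abstract |= PERMISSION_MAPPING[perm]
        else:
            warnings.append(f"unmapped permission: {perm}")
    return abstract, warnings


# Constructed sample policies (not real data).
SAMPLE_POLICIES = [
    ResourcePolicy("sales-db-readers", ("sales",),
                   grants={"analysts": {"select"}, "etl": {"all"}}),
    ResourcePolicy("sales-orders-writers", ("sales", "orders"),
                   grants={"etl": {"update", "create"}}),
    ResourcePolicy("sales-customers-pii", ("sales", "customers", "ssn"),
                   denies={"analysts": {"select"}}),
]


if __name__ == "__main__":
    for principal, resource in [("analysts", ("sales", "orders")),
                                ("analysts", ("sales", "customers", "ssn")),
                                ("etl", ("sales", "orders"))]:
        perms = effective_privacera_permissions(SAMPLE_POLICIES, principal, resource)
        abstract, warnings = to_veza_permissions(perms)
        print(principal, ".".join(resource), sorted(perms), sorted(abstract), warnings)
```

Two behaviours worth noticing in the sample data: the database-level `select` grant to `analysts` cascades to `sales.orders`, but is overridden by the column-level deny on `sales.customers.ssn`; and the table-level policy for `etl` on `sales.orders` replaces (rather than adds to) the broader database-level `all`, which is what "overridden by a more specific policy" implies.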