https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/Recent content in Appendices onHugoenhttps://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/install_with_ppc/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/install_with_ppc/<p> <p>This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.</p> <h2 id="key-differences-ppc-vs-esa">Key Differences: PPC vs ESA</h2> <table> <thead> <tr> <th>Feature</th> <th>ESA 10.2</th> <th>PPC (this guide)</th> </tr> </thead> <tbody> <tr> <td>Datastore Key Fingerprint</td> <td>Optional/Recommended</td> <td><strong>Required</strong></td> </tr> <tr> <td>CA Certificate on Agent</td> <td>Optional/Recommended</td> <td><strong>Optional/Recommended</strong></td> </tr> <tr> <td>CA Certificate on Log Forwarder</td> <td>Optional/Recommended</td> <td><strong>Not supported</strong></td> </tr> <tr> <td>Client Certificate Authentication from Log Forwarder</td> <td>Optional/Recommended</td> <td><strong>Not supported</strong></td> </tr> <tr> <td>IP Address</td> <td>ESA IP address</td> <td><strong>PPC address</strong></td> </tr> </tbody> </table> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Access to PPC and required credentials.</li> <li>Tools: <code>curl</code>, <code>kubectl</code> installed.</li> </ul> <h2 id="policy-agent-setup-with-ppc">Policy Agent Setup with PPC</h2> <div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Important</h4> When connecting to PPC, the Policy Agent <strong>requires</strong> the <code>PTY_DATASTORE_KEY fingerprint</code>. For ESA 10.2, the fingerprint is optional but recommended. See <a href="https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/installation/agent/">Policy Agent Installation</a> for general setup steps. </div> <p>Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/usename_regex_configuration/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/usename_regex_configuration/<h2 id="configuring-regular-expression-to-extract-policy-username">Configuring Regular Expression to Extract Policy Username</h2> <p>Cloud Protect Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.</p> <ul> <li> <p><strong>USERNAME_REGEX Function Environment configuration</strong></p> <p>The USERNAME_REGEX environment variable can be set to contain regular expression with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.</p> </li> </ul> <table><thead><tr><th> <p>USERNAME_REGEX</p> </th><th> <p>User in the request</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/jwt_auth/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/jwt_auth/<h2 id="getting-jwt-for-service-account-in-azure-active-directory">Getting JWT for Service Account in Azure Active Directory</h2> <p>Protect Function App can use Microsoft identity platform endpoint for identity-as-a-service, available in Azure Active Directory, to implement OpenID Connect and OAuth 2.0 authorization. This section describes how to get JWT using OAuth 2.0 client credentials grant flow in Azure Active Directory and authorize the Client ID in Protegrity Policy.</p> <div class="alert alert-info" role="alert"> <h4 class="alert-heading">Note</h4> Protect Function App and Azure Active Directory support more authorization methods, and the correct procedure should be chosen based on the use case. </div> <p>Suggested reading: <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow">https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow</a></p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/protection_methods/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/protection_methods/<h2 id="protection-methods">Protection Methods</h2> <p>For more information about the protection methods supported by Protegrity, refer to the <a href="https://docs.protegrity.com/protectors/10.1/docs/pmr/">Protection Methods Reference</a>.</p> <table><thead><tr><th> <p>Tokenization Type</p> </th><th> <p>Supported Input Data Types</p> </th><th> <p>Notes</p> </th></tr></thead><tbody><tr><td> <p>Numeric</p> <p>Credit Card</p> <p>Alpha</p> <p>Upper-case Alpha</p> <p>Alpha-Numeric</p> <p>Upper Alpha-Numeric</p> <p>Lower ASCII</p> <p>Printable</p> <p>Decimal</p> <p>Unicode</p> <p>Unicode Base64</p> <p>Unicode Gen2</p> <p>Email</p> </td><td> <p>STRING</p> <p>NULL</p> </td><td> </td></tr><tr><td> <p>Integer</p> </td><td> <p>NUMBER</p> <p>NULL</p> </td><td> </td></tr><tr><td> <p>Date</p> <p>Datetime</p> </td><td> <p>STRING</p> <p>NULL</p> </td><td> <p>For information about supported formats, refer to the <a href="https://docs.protegrity.com/protectors/10.1/docs/pmr/">Protection Methods Reference</a>.</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/arm_template_installation_permission_req/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/arm_template_installation_permission_req/<h2 id="arm-template-installation---required-permissions">ARM Template Installation - Required Permissions</h2> <p>Permissions below are required to install Protegrity service using ARM template.</p> <p>All permissions in the table must be granted with the Resource group scope.</p> <table id="permissions-table"><thead><tr><th> <p>Permissions</p> </th><th> <p>Description</p> </th><th> <p>Built-In Azure Role</p> </th></tr></thead><tbody><tr><td> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Insights/components/read </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.OperationalInsights/workspaces/read </span></span></code></pre></div></td><td> <p>Read access to monitoring data and settings</p> </td><td> <p>Monitoring Reader</p> </td></tr><tr><td> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Insights/components/write </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.OperationalInsights/workspaces/write </span></span></code></pre></div></td><td> <p>Write and manage access to monitoring data and settings</p> </td><td> <p>Monitoring Contributor</p> </td></tr><tr><td> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Web/serverFarms/write </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Web/sites/write </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Web/sites/host/listkeys/action </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Web/serverFarms/join/action </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Microsoft.Web/register/action </span></span></code></pre></div></td><td> <p>Write and manage access to web apps</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/agent_ip_address_config/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/azure/api/appendix/agent_ip_address_config/<h2 id="associating-esa-data-store-with-cloud-protect-agent">Associating ESA Data Store With Cloud Protect Agent</h2> <p>ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent&rsquo;s IP address is identified by ESA.</p>