This article provides instructions on how to configure different vendors with your Policy Orchestration Points (POP) and how to locate the Vendor Policy ID according to each vendor. Users will need to modify and add the credential objects as listed in the POP API Documentation according to their preferred vendor. These credentials are acquired from the vendors and are used as parameters in the POP APIs.
Power BI
This section outlines the parameters required for integrating Power BI with your system. It provides a detailed explanation of the general parameters necessary for authentication and access, as well as the optional Discovery Scope Parameters used to customize user permissions and Workspace or Dataset discovery.
General Parameter Table:
| Parameter | Description | Value |
|---|---|---|
authenticationMethod |
Authentication Method | "service_principal" |
clientID |
Power BI Client ID | string |
clientSecret |
Power BI Client Secret | string |
secretKey |
The Secret Key of the External Secret Store. Replaces clientSecret. Only for use with External Secret Stores. Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store. |
string |
secretStore |
The Store ID of the External Secret Store as set in Managing Secret Stores. | string |
tenant |
Power BI Tenant ID | string |
discoveryScopeRule |
Optional parameter that allows users to specify user permissions and definitions during Discovery based on Workspaces and Datasets. See the Discovery Scope Parameter Table below for specific parameter information. |
JSON Array |
Discovery Scope Parameter Table:
| Parameter | Description | Value |
|---|---|---|
hierarchyScopeKey |
Defines where the Discovery is based Valid values: - workspace - dataset |
string |
operator |
Defines the operator for the Discovery. Valid Values: - IN - NOT_IN- EQUALS- NOTEQUALS |
string |
value |
Specifies the name of the Workspace or Dataset on which the Discovery is based. When using a Dataset, ensure it is formatted as follows, with the Workspace name: ["workspace.dataset"] |
array |
Power BI Credentials Examples
Workspace Example:
...
{
"popConnectionCredentials": {
"authenticationMethod": "service_principal",
"credentials": {
"clientID": "84f8n492-f2ce-446b-bace-6df750c2e8c9",
"clientSecret": null, //For use with PlainID Internal Store.
"secretKey": "john-powerbi", //replaces clientSecret when using External Secret Stores.
"secretStore": "azure", //Store ID
"tenant": "0d417611-5b17-425e-a5b9-7b98e1aa24b8",
"discoveryScopeRule": {
"OR": [
{
"AND": [
{
"hierarchyScopeKey": "workspace",
"operator": "EQUALS",
"value": ["workspace1"]
}
]
}
]
}
}
}
}
...
Dataset Example
...
{
"popConnectionCredentials": {
"authenticationMethod": "service_principal",
"credentials": {
"clientID": "84f8n492-f2ce-446b-bace-6df750c2e8c9",
"clientSecret": null, //For use with PlainID Internal Store.
"secretKey": "john-powerbi", //replaces clientSecret //replaces clientSecret when using External Secret Stores.
"secretStore": "azure", //Store ID
"tenant": "0d417611-5b17-425e-a5b9-7b98e1aa24b8",
"discoveryScopeRule": {
"OR": [
{
"AND": [
{
"hierarchyScopeKey": "dataset",
"operator": "EQUALS",
"value": ["workspace.dataset"]
}
]
}
]
}
}
}
}
...
Zscaler
| Parameter | Description | Value |
|---|---|---|
authenticationMethod |
Authentication Method | "client_credentials" |
API Key |
Zscaler API Key | string |
API Key Secret |
Zscaler API Secret | string |
Customer ID |
Zscaler Customer ID | string |
Customer based URI |
Zscaler URI | string |
Zscaler Credentials Example
...
"popConnectionCredentials": {
"authenticationMethod": "client_credentials",
"credentials": {
"API Key": "NzIwNTkwMjQyNjIwMzc1Nzg0OTIwOGFjMmUtYjE1OS00NDg4LTllZmQtYTExY2IzZjI0ZWIw",
"API Key Secret": null,
"Customer ID": "72059024269137504",
"Customer based URI": "https://config.zpabeta.net"
}
},
...
Snowflake
| Parameter | Description | Value |
|---|---|---|
authenticationMethod |
Authentication Method. This is automatically set to "key_pair_authentication".Refer to the Snowflake documentation on Using key-pair authentication for information on how to set up Key Pair authentication and retrieve the private key to use in the POP Connection Credentials. |
"key_pair_authentication" |
computeWarehouse |
Compute Warehouse | string |
port |
Snowflake Server Port | integer |
secretKey |
The Secret Key of the External Secret Store. Replaces privateKey. Only for use with External Secret Stores. Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store. |
string |
secretStore |
The Store ID of the External Secret Store as set in Managing Secret Stores. | string |
server |
Snowflake Account Server | string |
| Private Key | Private Secret Key. For encrypted Private Secret Keys, ensure you input the key passphrase below. Note: This can only be used with Internal Secret Stores. |
string |
| Key Passphrase | Used to protect and decrypt an encrypted private key as part of Snowflake key-pair authentication (optional if using unencrypted private secret keys) | string |
Snowflake Credentials Examples
Key Pair Authentication Example:
...
"popConnectionCredentials": {
"authenticationMethod": "key_pair_authentication",
"credentials": {
"secretStore": "aws", //Store ID
"computeWarehouse": "compute_wh",
"port": 443,
"server": "en14622.us-central-99.snowflakecomputing.com",
"secretKey": "john-keypair-snowflake" //replaces privateKey when using External Secret Stores
"privateKey": ---BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCDKgwggSkAgEAAoIBAQDPXCe7Cr4FDSPml\n04JPDLMBCRHW2R+JIsivYUNUkI4SDF2CydeMw41lPhp4iLldVd7Zgwl4RGvvjxed+Q\nDUqQrWjeuGGW....3g\nHvIliGQqZkACN6n4GcaCZHJJudxZDisDQsIvOQlWuloZ9blkYp34Qnw+0umu1n1Y\nvHs5vuqB7DD2341Xpg+xNLVL\n-----END PRIVATE KEY-----\n"} //For use with PlainID Internal Store
}
}
...
Databricks
| Parameter | Description | Value |
|---|---|---|
authenticationMethod |
Authentication Method | "service_principal" |
Host |
Databricks Workspace Host URL | https://adb-1234567890123456.7.azuredatabricks.net/ |
Client ID |
Service Principal Client ID | abcd1234-5678-90ef-ghij-1234567890kl |
Client Secret |
Service Principal Client Secret | s3cr3tK3y9876543210exampleabcdef123456 |
secretKey |
The Secret Key of the External Secret Store. Replaces clientSecret. Only for use with External Secret Stores. Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store. |
string |
secretStore |
The Store ID of the External Secret Store as set in Managing Secret Stores. | string |
Warehouse ID |
SQL Warehouse Identifier | abc123ef456gh789ij01 |
Databricks Credentials Example
...
"popConnectionCredentials": {
"authenticationMethod": "service_principal",
"credentials": {
"Client ID": "31844d10-84af-4931-8c05-427f1894e598",
"Client Secret": "null", //For use with PlainID Internal Store
"Host": "https://adb-3194995835232616.16.azuredatabricks.net/",
"secretKey": "john-databricks", //replaces clientSecret when using External Secret Stores
"secretStore": "azure", //Store ID
"Warehouse ID": "36d1918d74ca0e82"
}
},
...
Google BigQuery
Google BigQuery uses a GCP Service Account JSON key file for authentication. The serviceAccountKey field accepts the full contents of the JSON key file downloaded from GCP IAM.
Parameter Table:
| Parameter | Description | Value |
|---|---|---|
authenticationMethod |
Authentication Method. Automatically set for Google BigQuery integration. | "service_account" |
serviceAccountKey |
The full contents of the GCP Service Account JSON key file. | JSON object |
Service Account JSON Key Structure
| Field | Description | Value |
|---|---|---|
type |
Identifies this as a Service Account credential. | "service_account" |
project_id |
The GCP Project ID associated with the Service Account. | string |
private_key_id |
The unique identifier for the private key within GCP. | string |
private_key |
The RSA private key used to sign authentication requests. Store securely. | string |
client_email |
The email address that uniquely identifies the Service Account. | string |
client_id |
The numeric ID of the Service Account. | string |
auth_uri |
The Google OAuth 2.0 authorization endpoint. Fixed value. | "https://accounts.google.com/o/oauth2/auth" |
token_uri |
The endpoint used to exchange credentials for an access token. Fixed value. | "https://oauth2.googleapis.com/token" |
Google BigQuery Credentials Example
...
"popConnectionCredentials": {
"authenticationMethod": "service_account",
"credentials": {
"serviceAccountKey": {
"type": "service_account",
"project_id": "acme-data-warehouse-prod",
"private_key_id": "...",
"private_key": "-----BEGIN PRIVATE KEY-----\n...",
"client_email": "plainid-pop@acme-data-warehouse-prod.iam.gserviceaccount.com",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token"
}
}
},
...
Vendor Policy ID
Depending on the vendor, the location, and format of the Vendor Policy ID may vary:
Databricks, Snowflake, Zscaler, Google BigQuery
For these vendors, the Vendor Policy ID is displayed in the Policy Details panel. You can use this value directly when managing or troubleshooting vendor-side policies.
Power BI
For Power BI, the Vendor Policy ID is generated using a concatenation format:
role_<datasetID>_<roleId>
Example:
role_3e93e93w-8fs7-8sf8-83d8-9d8s6f6g7h82_19283
In this format:
roleis staticdatasetIDrefers to the unique identifier of the Power BI dataset.roleIdrefers to the specific role applied to that dataset.