SaaS Management Vendors

Updated
  • Updated on Sep 14, 2025
  • Published on Jun 9, 2024
  • 4 minute(s) read
Prev Next

This article provides instructions on how to configure different vendors with your Policy Orchestration Points (POP) and how to locate the Vendor Policy ID according to each vendor. Users will need to modify and add the credential objects as listed in the POP API Documentation according to their preferred vendor. These credentials are acquired from the vendors and are used as parameters in the POP APIs.

Power BI

This section outlines the parameters required for integrating Power BI with your system. It provides a detailed explanation of the general parameters necessary for authentication and access, as well as the optional Discovery Scope Parameters used to customize user permissions and Workspace or Dataset discovery.

General Parameter Table:

Parameter Description Value
authenticationMethod Authentication Method "service_principal"
clientID Power BI Client ID string
clientSecret Power BI Client Secret string
secretKey The Secret Key of the External Secret Store. Replaces clientSecret.
Only for use with External Secret Stores.
Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store.		 string
secretStore The Store ID of the External Secret Store as set in Managing Secret Stores. string
tenant Power BI Tenant ID string
discoveryScopeRule Optional parameter that allows users to specify user permissions and definitions during Discovery based on Workspaces and Datasets.
See the Discovery Scope Parameter Table below for specific parameter information.		 JSON Array

Discovery Scope Parameter Table:

Parameter Description Value
hierarchyScopeKey Defines where the Discovery is based
Valid values:
- workspace
- dataset		 string
operator Defines the operator for the Discovery.
Valid Values:
- IN
- NOT_IN
- EQUALS
- NOTEQUALS		 string
value Specifies the name of the Workspace or Dataset on which the Discovery is based.
When using a Dataset, ensure it is formatted as follows, with the Workspace name:
["workspace.dataset"]		 array

Power BI Credentials Examples

Workspace Example:

...
{
    "popConnectionCredentials": {
        "authenticationMethod": "service_principal",
        "credentials": {
            "clientID": "84f8n492-f2ce-446b-bace-6df750c2e8c9",
            "clientSecret": null, //For use with PlainID Internal Store.
            "secretKey": "john-powerbi", //replaces clientSecret when using External Secret Stores.
            "secretStore": "azure", //Store ID
            "tenant": "0d417611-5b17-425e-a5b9-7b98e1aa24b8",
        "discoveryScopeRule": {
            "OR": [
                {
                    "AND": [
                        {
                            "hierarchyScopeKey": "workspace",
                            "operator": "EQUALS",
                            "value": ["workspace1"]
                        }
                    ]
                }
            ]
        }
    }
}
}
...



Dataset Example

...
{
    "popConnectionCredentials": {
        "authenticationMethod": "service_principal",
        "credentials": {
            "clientID": "84f8n492-f2ce-446b-bace-6df750c2e8c9",
            "clientSecret": null, //For use with PlainID Internal Store.
            "secretKey": "john-powerbi", //replaces clientSecret //replaces clientSecret when using External Secret Stores.
            "secretStore": "azure", //Store ID
            "tenant": "0d417611-5b17-425e-a5b9-7b98e1aa24b8",
        "discoveryScopeRule": {
            "OR": [
                {
                    "AND": [
                        {
                            "hierarchyScopeKey": "dataset",
                            "operator": "EQUALS",
                            "value": ["workspace.dataset"]
                        }
                    ]
                }
            ]
        }
    }
}
}
...

Zscaler

Parameter Description Value
authenticationMethod Authentication Method "client_credentials"
API Key Zscaler API Key string
API Key Secret Zscaler API Secret string
Customer ID Zscaler Customer ID string
Customer based URI Zscaler URI string

Zscaler Credentials Example

...
        "popConnectionCredentials": {
            "authenticationMethod": "client_credentials",
            "credentials": {
                "API Key": "NzIwNTkwMjQyNjIwMzc1Nzg0OTIwOGFjMmUtYjE1OS00NDg4LTllZmQtYTExY2IzZjI0ZWIw",
                "API Key Secret": null,
                "Customer ID": "72059024269137504",
                "Customer based URI": "https://config.zpabeta.net"
            }
        },
...

Snowflake

Parameter Description Value
authenticationMethod Authentication Method.
See examples for more information on how to set up Basic or Key Pair Authentication (recommended).		 "basic_authentication" or "key_pair_authentication"
computeWarehouse Compute Warehouse string
username Snowflake Account Username string
password If using the basic_authentication:
Authentication method: Snowflake Account Password		 string
privateKey If using the key_pair_authentication:
Private Secret Key		 string
port Snowflake Server Port integer
secretKey The Secret Key of the External Secret Store.
Replaces password/privateKey.
Only for use with External Secret Stores.
Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store.		 string
secretStore The Store ID of the External Secret Store as set in Managing Secret Stores. string
server Snowflake Account Server string
Using Key Pair Authentication

Refer to the Snowflake documentation on Using key-pair authentication for information on how to set up Key Pair authentication and retrieve the private key to use in the POP Connection Credentials.

Snowflake Credentials Examples

Basic Authentication Example:

...
"popConnectionCredentials": {
    "authenticationMethod": "basic_authentication",
    "credentials": {
        "computeWarehouse": "compute_wh",
        "password": null, //For use with PlainID Internal Store
        "port": 443,
         "secretKey": "john-snowflake",  //replaces password when using External Secret Stores
         "secretStore": "azure", //Store ID
        "server": "en14622.us-central-99.snowflakecomputing.com",
        "username": "username_1"
    }
}
...

Key Pair Authentication Example:

...
"popConnectionCredentials": {
    "authenticationMethod": "key_pair_authentication",
    "credentials": {
        "secretStore": "aws", //Store ID
        "computeWarehouse": "compute_wh",
        "port": 443,        
        "server": "en14622.us-central-99.snowflakecomputing.com",
        "username": "username_1"
        "secretKey": "john-keypair-snowflake" //replaces privateKey when using External Secret Stores
        "privateKey": ---BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCDKgwggSkAgEAAoIBAQDPXCe7Cr4FDSPml\n04JPDLMBCRHW2R+JIsivYUNUkI4SDF2CydeMw41lPhp4iLldVd7Zgwl4RGvvjxed+Q\nDUqQrWjeuGGW....3g\nHvIliGQqZkACN6n4GcaCZHJJudxZDisDQsIvOQlWuloZ9blkYp34Qnw+0umu1n1Y\nvHs5vuqB7DD2341Xpg+xNLVL\n-----END PRIVATE KEY-----\n"} //For use with PlainID Internal Store
    }
}
...

Databricks

Parameter Description Value
authenticationMethod Authentication Method "service_principal"
Host Databricks Workspace Host URL https://adb-1234567890123456.7.azuredatabricks.net/
Client ID Service Principal Client ID abcd1234-5678-90ef-ghij-1234567890kl
Client Secret Service Principal Client Secret s3cr3tK3y9876543210exampleabcdef123456
secretKey The Secret Key of the External Secret Store. Replaces clientSecret.
Only for use with External Secret Stores.
Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store.		 string
secretStore The Store ID of the External Secret Store as set in Managing Secret Stores. string
Warehouse ID SQL Warehouse Identifier abc123ef456gh789ij01

Databricks Credentials Example

...
        "popConnectionCredentials": {
            "authenticationMethod": "service_principal",
            "credentials": {
                "Client ID": "31844d10-84af-4931-8c05-427f1894e598",
                "Client Secret": "null", //For use with PlainID Internal Store
                "Host": "https://adb-3194995835232616.16.azuredatabricks.net/",
                "secretKey": "john-databricks", //replaces clientSecret when using External Secret Stores
                "secretStore": "azure", //Store ID
                "Warehouse ID": "36d1918d74ca0e82"
            }
        },
...

Vendor Policy ID

Depending on the vendor, the location and format of the Vendor Policy ID may vary:

Databricks, Snowflake, Zscaler

For these vendors, the Vendor Policy ID is displayed in the Policy Details panel. You can use this value directly when managing or troubleshooting vendor-side policies.

Power BI

For Power BI, the Vendor Policy ID is generated using a concatenation format:

role_<datasetID>_<roleId>

Example:

role_3e93e93w-8fs7-8sf8-83d8-9d8s6f6g7h82_19283

In this format:

  • role is static
  • datasetID refers to the unique identifier of the Power BI dataset.
  • roleId refers to the specific role applied to that dataset.