Skyhigh Security

Cloud Connector Config Custom Attributes

You can configure Custom Attributes using Active Directory or CSV.

IMPORTANT: 

  • You must have the Skyhigh Cloud Connector user role to configure Cloud Connector. For details, see About User Roles and Access Levels.
  • You must access the Skyhigh CASB and Cloud Connector from the same network. You cannot enable the feature or configure settings if you are on a different network. An error message displays, "AD settings cannot be accessed outside of your company's network. You need to be inside your company's network to turn on the feature."

NOTE: Using the configured Custom Attributes, Skyhigh Cloud Connector can retrieve only user groups, not nested user groups, from your Active Directory server or a CSV-formatted file.

Configure Custom Attributes using Active Directory

To configure Custom Attributes using Active Directory, perform the following steps:

  1. Go to Settings > Infrastructure > Cloud Connector.
  2. On the Custom Attributes tab, toggle ON.
  3. Click Actions > Edit.
  4. Select the data source Active Directory.
  5. Fill in the required fields.
    Field | Description
    Custom Attributes Configuration Name | Enter the name of the custom attribute.
    IP or Host | Enter the Active Directory IP or Host.
    Port | Enter the port number used for Active Directory.
    Username | Enter the Active Directory username.
    Password | Enter the Active Directory password.
    AD Base | Enter the Active Directory base.
    AD Filter | Enter the Active Directory filter regex.
    Enable Secure LDAP for AD | Select Yes to enable secure LDAP for AD. Select No to disable.
    Trust Store Path | Enter the SSL settings path.
    Trust Store Password | Enter the SSL settings password.
    Enable Secure LDAP for AD | Select Yes to enable secure LDAP for AD. Select No to disable. (This property also appears on the Log Processing tab. You can use it on either tab.)
    LDAP User Upload Endpoint | Enter the endpoint to upload LDAP user details.
  6. Click Test Connection.
  7. On the Evaluate Attributes page, review the default attributes list to make sure all the required attributes are available. If an attribute is missing, add it to the field Default Attributes to be synced. If attribute values are not as expected, you can use regex to remove unwanted values.
  8. Click the column header to set up the custom attribute values.

  9. For the Custom Attributes value, enter:
    • Regex Match key.
    • Regex Replace key.
    • Check to extract the common name before applying the regular expression matches. If this checkbox is enabled, the code extracts the common name before the regular expression match is performed. If the input string is not a canonical name, the value is not modified.
  10. Click Save.
  11. Click Next.

NOTE: The default value for customAttributes.facet.max.values is 500.

  12. On the Custom Attributes page, fill in the required fields. For multiple Cloud Connector instances, make sure the order of the Custom Attributes for Shadow IT is consistent across the CC instances. For details, see Map Shadow IT Custom Attributes.
    Field | Description
    Define Unique Keys | Define unique keys for Shadow or Sanctioned Services. Click Add more to configure additional attributes.
    Configure User Details | Select additional attributes, and enter Custom Display Names. Click Add more to configure additional attributes.
    Enable Shadow Custom Attributes Tokenization | Select Yes to enable Shadow Custom Attributes tokenization. Select No to disable.
    Sanctioned Upload Frequency | Enter the Sanctioned upload frequency in milliseconds. The default value is 86400000, which is equal to 24 hours.
    Shadow Upload Frequency | Enter the Shadow upload frequency in milliseconds. The default value is 86400000, which is equal to 24 hours.
  13. Click Save.

NOTE: This workflow applies to Sanctioned Attributes only. Saving the current configuration initiates immediate synchronization of the user attributes to Skyhigh CASB, instead of waiting for the configured timer interval to expire.

Ingest Shadow IT Custom Attributes

To ingest a Custom Display Name for Shadow IT Custom Attributes, perform the following steps:

  1. Go to the Configure Custom Attributes page.
  2. Under Shadow, select Unique Keys.
  3. Under Select Additional Attributes to Configure User Details, select a value.
  4. Enter a Custom Display Name for the selected attribute value.
  5. Click Save.

Map Shadow IT Custom Attributes 

For multiple Cloud Connector instances, Shadow IT Custom Attributes must be consistent and in the same order across all Cloud Connector instances. Entries are prepopulated based on the existing Custom Attributes configuration. If you connect to different Active Directory (AD) servers, the AD attribute names may differ, and data may not prepopulate if there is no match. So, you need to assign a unique Custom Display Name to identify the AD attributes that are ingested. 

To map a Custom Display Name with existing AD attributes for Shadow IT Custom Attributes, perform the following steps:

  1. Go to the Configure Custom Attributes page.
  2. Under Shadow, select Unique Keys.
  3. Custom Display Names are prepopulated based on the existing Custom Attributes configuration.
  4. Under Select Additional Attributes to Configure User Details, select a relevant match for the Custom Display Name if not mapped.
  5. Click Save.

Configure Custom Attributes using CSV

  1. Go to Settings > Infrastructure > Cloud Connector.
  2. On the Custom Attributes tab, toggle ON.
  3. Click Actions > Edit.
  4. Select the data source CSV to import attributes from a local data source.
  5. Fill in the required fields.
    Field | Description
    Custom Attributes Configuration Name | Enter the name of the custom attribute.
    Directory | Enter the directory where the CSV file is located.
    File Name Pattern | Enter the file name pattern of the CSV data source.
    Delimiter | Enter the CSV data source delimiter. For example, a comma.
    Quote | Enter the quotation mark used in the CSV data source. For example, " or '.
    Header | Enter the CSV data source header.
  6. Click Test Connection.
  7. On the Evaluate Attributes page, review the default attributes list to make sure all required attributes are available. If an attribute you need is missing, add it to the field Default Attributes to be Synced. If attribute values are not as expected, you can use regex to remove unwanted values.
  8. Click the column header to set up the custom attribute values.
  9. For the Custom Attributes value, enter:
    • Regex Match key.
    • Regex Replace key.
    • Check to extract the common name before applying the regular expression matches. If this checkbox is enabled, the code extracts the common name before the regular expression match is performed. If the input string is not a canonical name, the value is not modified.
  10. Click Next.
  11. Fill in the required fields.
    Field | Description
    Define Unique Keys | Define unique keys for Shadow or Sanctioned Services. Click Add more to configure additional attributes.
    Configure User Details | Select additional attributes, and enter Custom Display Names. Click Add more to configure additional attributes.
    Enable Shadow Custom Attributes Tokenization | Select Yes to enable Shadow Custom Attributes tokenization. Select No to disable.
    Sanctioned Upload Frequency | Enter the Sanctioned upload frequency. The default value is 86400000 milliseconds, which is equal to 24 hours.
    Shadow Upload Frequency | Enter the Shadow upload frequency. The default value is 86400000 milliseconds, which is equal to 24 hours.
  12. Click Save.

NOTE: This applies to Sanctioned Attributes only. Saving the current configuration initiates immediate synchronization of the user attributes to Skyhigh CASB, instead of waiting for the configured timer interval to expire.
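
The following pre-flight check is an added example, not Skyhigh code: it parses a CSV file with the Delimiter, Quote and Header values you plan to enter, flags empty or duplicate unique keys, and previews the Regex Match/Replace and common-name options described in both the Active Directory and CSV procedures. The sample data, column names and function names are constructed. The CN= test and Python's regex dialect are assumptions, because the page does not state how Cloud Connector recognizes a name or which regex syntax it uses.

```python
import csv
import io
import re

# Constructed sample file; column names and values are illustrative only.
SAMPLE_CSV = '''email,department,memberOf
alice@example.com,Finance,"CN=Finance-Users,OU=Groups,DC=example,DC=com"
bob@example.com,Eng-TEMP,"CN=Eng-Users,OU=Groups,DC=example,DC=com"
bob@example.com,Eng,plain-group
,Sales,"CN=Sales-Users,OU=Groups,DC=example,DC=com"
'''

# Assumption: a value carries a common name when it starts with a CN= component.
_CN = re.compile(r'^CN=((?:\\.|[^,\\])+)(?:,|$)', re.IGNORECASE)


def transform(value, match, replace, extract_cn=False):
    """Optionally extract the CN, then apply the match/replace pair."""
    if extract_cn:
        m = _CN.match(value)
        if m:  # values without a leading CN= are left unmodified
            value = m.group(1)
    return re.sub(match, replace, value)


def preview(text, delimiter, quote, header, unique_key, rules):
    """Parse with the configured CSV settings; return (rows, problems)."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter, quotechar=quote)
    found = next(reader, None)
    if found != header:
        raise ValueError(f"header mismatch: {found!r}")
    seen, rows, problems = set(), [], []
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(header):
            problems.append((lineno, "wrong column count"))
            continue
        rec = dict(zip(header, row))
        key = rec[unique_key]
        if not key:
            problems.append((lineno, "empty unique key"))
        elif key in seen:
            problems.append((lineno, "duplicate unique key"))
        seen.add(key)
        for col, (match, replace, extract_cn) in rules.items():
            rec[col] = transform(rec[col], match, replace, extract_cn)
        rows.append(rec)
    return rows, problems
```

Run it against a copy of the real file before clicking Test Connection; a header mismatch usually means the Delimiter or Quote value does not match the file.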
