Function or script to anonymize attribute values

Hi all,

I'm quite new to Designer and IDM as I just (barely) created my first driver... :)

What it does is to take some actions at the very end of a User's lifecycle (event trigger = when the "Status" value from HR goes to a specific value).

So far I have some "cleaning" functions that operate as expected, but we need to keep the User record for some time (audit/compliance) in the system, and we have been asked to anonymize some data.

I'm wondering if there is any function/library/script that would do that almost out-of-the-box, based on whatever standard algorithm is out there?

Any hint much appreciated!

Tx.

Jacques Forster (IGA architect)

  • 0  

    Generally we just remove the data instead of anonymizing it.  Absence is the most anonymous thing of them all.

  • 0 in reply to   

    Indeed, and one of the functions of my driver is to delete some attributes (remove all values).

    However we are being asked to keep some attributes and anonymize them, the User record being kept in the system for about 2 years before being definitively deleted...

    It looks like this function would be quite difficult to implement in pure DirXML, but some ECMAScript or equivalent might exist to "easily" add that capability to any policy; just asking in case someone knows about it.

    Jacques Forster (IGA architect)

  • 0  

    So far I have some "cleaning" functions that operate as expected, but we need to keep the User record for some time (audit/compliance) in the system, and we have been asked to anonymize some data.

    What about replacing specific attributes with randomly generated strings?

    I found some Java function and converted it to ECMAScript.

    (I'm sure that our Java experts can provide a better version of this function)

    // Returns a string of `length` characters drawn from a fixed alphabet
    // (upper case, lower case, digits). Note: Math.random() is not a
    // cryptographic random source; it is fine for making a value unreadable,
    // not for anything that must be unguessable.
    function randomstring(length) {
    var result = '';
    const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    const charactersLength = characters.length;
    var counter = 0;
    while (counter < length) {
    // pick one character at a random index in [0, charactersLength)
    result += characters.charAt(Math.floor(Math.random() * charactersLength));
    counter += 1;
    }
    return result;
    }

    Simple policy code:

    <rule>
    <description>01 Get Name info</description>
    <conditions>
    <and/>
    </conditions>
    <actions>
    <do-set-local-variable name="lvSurname" scope="policy">
    <arg-string>
    <token-op-attr name="Surname"/>
    </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lvGivenName" scope="policy">
    <arg-string>
    <token-op-attr name="Given Name"/>
    </arg-string>
    </do-set-local-variable>
    </actions>
    </rule>

    <rule>
    <description>20 Get Given Name</description>
    <conditions>
    <and>
    <if-local-variable name="lvGivenName" op="available"/>
    <if-local-variable mode="nocase" name="lvGivenName" op="not-equal"/>
    </and>
    </conditions>
    <actions>
    <do-set-local-variable name="lvLength" scope="policy">
    <arg-string>
    <token-text xml:space="preserve">10</token-text>
    </arg-string>
    </do-set-local-variable>
    <do-set-src-attr-value name="Given Name">
    <arg-value type="string">
    <token-xpath expression="es:randomstring($lvLength)"/>
    </arg-value>
    </do-set-src-attr-value>
    </actions>
    </rule>

    <rule>
    <description>30 Get LastName</description>
    <conditions>
    <and>
    <if-local-variable name="lvSurname" op="available"/>
    <if-local-variable mode="nocase" name="lvSurname" op="not-equal"/>
    </and>
    </conditions>
    <actions>
    <do-set-local-variable name="lvLength" scope="policy">
    <arg-string>
    <token-text xml:space="preserve">8</token-text>
    </arg-string>
    </do-set-local-variable>
    <do-set-src-attr-value name="Surname">
    <arg-value type="string">
    <token-xpath expression="es:randomstring($lvLength)"/>
    </arg-value>
    </do-set-src-attr-value>
    </actions>
    </rule>

    Simulation:

    JSON-tests :Applying policy: %+C%14Canonymizer%-C.
    JSON-tests : Applying to instance #1.
    JSON-tests : Evaluating selection criteria for rule '01 Get Name info'.
    JSON-tests : Rule selected.
    JSON-tests : Applying rule '01 Get Name info'.
    JSON-tests : Action: do-set-local-variable("lvSurname",scope="policy",token-op-attr("Surname")).
    JSON-tests : arg-string(token-op-attr("Surname"))
    JSON-tests : token-op-attr("Surname")
    JSON-tests : Token Value: "Jones".
    JSON-tests : Arg Value: "Jones".
    JSON-tests : Action: do-set-local-variable("lvGivenName",scope="policy",token-op-attr("Given Name")).
    JSON-tests : arg-string(token-op-attr("Given Name"))
    JSON-tests : token-op-attr("Given Name")
    JSON-tests : Token Value: "Samuel".
    JSON-tests : Arg Value: "Samuel".
    JSON-tests : Evaluating selection criteria for rule '20 Get Given Name'.
    JSON-tests : (if-local-variable 'lvGivenName' available) = TRUE.
    JSON-tests : (if-local-variable 'lvGivenName' not-equal "") = TRUE.
    JSON-tests : Rule selected.
    JSON-tests : Applying rule '20 Get Given Name'.
    JSON-tests : Action: do-set-local-variable("lvLength",scope="policy","10").
    JSON-tests : arg-string("10")
    JSON-tests : token-text("10")
    JSON-tests : Arg Value: "10".
    JSON-tests : Action: do-set-src-attr-value("Given Name",token-xpath("es:randomstring($lvLength)")).
    JSON-tests : arg-string(token-xpath("es:randomstring($lvLength)"))
    JSON-tests : token-xpath("es:randomstring($lvLength)")
    JSON-tests : Token Value: "VQOlOTVTht".
    JSON-tests : Arg Value: "VQOlOTVTht".
    JSON-tests : Evaluating selection criteria for rule '30 Get LastName'.
    JSON-tests : (if-local-variable 'lvSurname' available) = TRUE.
    JSON-tests : (if-local-variable 'lvSurname' not-equal "") = TRUE.
    JSON-tests : Rule selected.
    JSON-tests : Applying rule '30 Get LastName'.
    JSON-tests : Action: do-set-local-variable("lvLength",scope="policy","8").
    JSON-tests : arg-string("8")
    JSON-tests : token-text("8")
    JSON-tests : Arg Value: "8".
    JSON-tests : Action: do-set-src-attr-value("Surname",token-xpath("es:randomstring($lvLength)")).
    JSON-tests : arg-string(token-xpath("es:randomstring($lvLength)"))
    JSON-tests : token-xpath("es:randomstring($lvLength)")
    JSON-tests : Token Value: "ksZ0bDFZ".
    JSON-tests : Arg Value: "ksZ0bDFZ".
    JSON-tests : Direct command from policy
    JSON-tests :
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product version="4.8.7.0000">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="\Users\Samuel">
    <association>1012</association>
    <modify-attr attr-name="Given Name">
    <remove-all-values/>
    <add-value>
    <value type="string">VQOlOTVTht</value>
    </add-value>
    </modify-attr>
    <modify-attr attr-name="Surname">
    <remove-all-values/>
    <add-value>
    <value type="string">ksZ0bDFZ</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    JSON-tests : Direct command from policy result
    JSON-tests :
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product version="4.8.7.0000">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status level="success"></status>
    </output>
    </nds>
    JSON-tests :Policy returned:
    JSON-tests :
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product version="4.8.7.0000">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <instance class-name="User" src-dn="\Users\Samuel">
    <association>1012</association>
    <attr attr-name="Surname">
    <value type="string">Jones</value>
    </attr>
    <attr attr-name="cn">
    <value type="string">Samuel</value>
    </attr>
    <attr attr-name="Given Name">
    <value type="string">Samuel</value>
    </attr>
    </instance>
    </input>
    </nds>

    Alex

    P.S.

    For me, instead of replacing it with a random string, it is better to "encrypt" it, with an option to decrypt it back if required, but "randomizing" it can also be good enough. (Depends on your requirements)

  • 0 in reply to   

    Thanks Alex, much appreciated!

    I will pass to a developer for further elaboration and "packaging"

    Jacques Forster (IGA architect)