jacmarpet1 Absent Member.

Driver traces and GDPR

Hello,

Now that GDPR is here, I got to think about IDM driver logs and files in general on the IDM Metadirectory server and the UA server.

Many IDM systems use social security numbers for different things, such as the onboarding process. These numbers are in the driver traces and sometimes also in the catalina.out log, when people have typed them in a workflow.

Is there any way of getting around this? I guess you could do the following:

1. Set driver trace to 0 on drivers that have this information. However, this will make debugging on these drivers much harder.
2. Delete catalina.out maybe once a day - I don't know how else to be sure it won't have it.
3. On delimited text drivers you end up with .bak files - I guess you could periodically delete these - again, debugging will be harder.
4. What about suppressing specific attributes in the driver trace? The engine does this automatically with passwords. Is there a way to suppress your own attributes?

Thanks in advance,

Jacob
15 Replies
jacmarpet1 Absent Member.

Re: Driver traces and GDPR

Knowledge Partner

Re: Driver traces and GDPR

On 10/22/2018 8:54 AM, jacmarpet wrote:
>
> Seems like there is some implementation of suppressing sensitive
> attributes:
>
> https://www.netiq.com/documentation/identity-manager-47/driver_admin/data/t45clgjllttj.html
> https://www.netiq.com/communities/cool-solutions/whats-new-idm-4-5-part-2/


So in theory you can append the XML attribute is-sensitive=true to
your events, but it will still be shown once.

Looking at the bug referenced in your second link, my article, I cannot
find the list of sensitive attributes they are using. I vaguely remember
it but cannot find where that might be set.

Knowledge Partner

Re: Driver traces and GDPR

On 10/22/2018 1:37 PM, Geoffrey Carman wrote:
> On 10/22/2018 8:54 AM, jacmarpet wrote:
>>
>> Seems like there is some implementation of suppressing sensitive
>> attributes:
>>
>> https://www.netiq.com/documentation/identity-manager-47/driver_admin/data/t45clgjllttj.html
>>
>> https://www.netiq.com/communities/cool-solutions/whats-new-idm-4-5-part-2/
>>

>
> So in theory you can append the XML attribute is-sensitive=true to
> your events, but it will still be shown once.
>
> Looking at the bug referenced in your second link, my article, I cannot
> find the list of sensitive attributes they are using. I vaguely remember
> it but cannot find where that might be set.


The issue is, if the shim does it, or the engine does it, it never shows
up in trace at all.

If you do it in Policy, then the first event shows the value, then the
is-sensitive kicks in and hides it.

Micro Focus Expert

Re: Driver traces and GDPR

On 2018-10-22 14:44, jacmarpet wrote:
> 4. What about suppressing specific attributes in the driver trace? The
> engine does this automatically with passwords. Is there a way to
> suppress your own attributes?


add @is-sensitive=true

see
https://www.netiq.com/documentation/identity-manager-47/driver_admin/data/t45clgjllttj.html

--
Norbert
Knowledge Partner

Re: Driver traces and GDPR

jacmarpet wrote:

>
> Hello,
>
> Now that GDPR is here, I got to think about IDM driver logs and files in
> general on the IDM Metadirectory server and the UA server.
>
> Many IDM systems use social security numbers for different things, such
> as the onboarding process. These numbers are in the driver traces and
> sometimes also in the catalina.out log, when people have typed them in a
> workflow.
>


Try to lock down access/permissions to these traces/logs as much as is realistic.
Pretty sure if you have a contractual need, you can justify that you need to have
something written to a log file to assist in troubleshooting (as long as you
have severely restricted the audience). Again, check with a lawyer.

Hiding such info may make it impossible to perform troubleshooting by an
authorised party.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Driver traces and GDPR

I had a request not to show the "full" EIN information. I created a simple obfuscate function that replaces the real EIN (123456789) with ******789.
Maybe something similar will work for you.

You have to get directions/requirements from the business.
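The masking approach described in the reply above (keep only the last three digits), as an added example that is not from the thread or from any NetIQ/IDM code: a small redactor that could be run over a copy of a trace or catalina.out before it is handed to a wider audience. The sample lines, the attribute name SSN and the 9-digit identifier format are constructed assumptions, not values from the original post.

```python
import re
from typing import Iterable, List

# Constructed sample lines in the spirit of a driver trace and a catalina.out
# entry; the identifiers are made up (assumption, not data from the thread).
SAMPLE_LINES = [
    '[10/22/18 08:54:12.101] [Acme Driver ST:] <modify-attr attr-name="SSN">'
    '<add-value><value type="string">123456789</value></add-value></modify-attr>',
    'INFO workflow: onboarding form submitted for jdoe with ssn=987-65-4321',
    'DEBUG heartbeat ok',
]

# 9-digit national identifier, with or without the dashed 3-2-4 layout,
# not embedded in a longer digit run (so timestamps and ports are left alone).
ID_PATTERN = re.compile(r'(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)')


def mask_id(value: str, keep: int = 3) -> str:
    """Replace all but the last `keep` characters with '*':
    '123456789' -> '******789', matching the obfuscation in the reply."""
    if len(value) <= keep:
        return '*' * len(value)
    return '*' * (len(value) - keep) + value[-keep:]


def redact_line(line: str) -> str:
    """Mask every identifier-shaped token in one log/trace line."""
    return ID_PATTERN.sub(lambda m: mask_id(m.group(0)), line)


def redact_lines(lines: Iterable[str]) -> List[str]:
    """Redact a whole log; the result keeps line order so trace context
    (event type, attribute name, timestamps) stays usable for debugging."""
    return [redact_line(line) for line in lines]


def count_redactions(lines: Iterable[str]) -> int:
    """How many identifiers were masked; useful as a sanity check that the
    pattern actually matched before the unredacted copy is purged."""
    return sum(len(ID_PATTERN.findall(line)) for line in lines)


if __name__ == "__main__":
    for out in redact_lines(SAMPLE_LINES):
        print(out)
    print("redacted identifiers:", count_redactions(SAMPLE_LINES))
```

Run it over a copy of the file, never over the only copy you intend to keep for troubleshooting, and check `count_redactions` is non-zero before purging the original.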
Knowledge Partner

Re: Driver traces and GDPR

jacmarpet;2489166 wrote:
Hello,

Now that GDPR is here, I got to think about IDM driver logs and files in general on the IDM Metadirectory server and the UA server.

Many IDM systems use social security numbers for different things, such as the onboarding process. These numbers are in the driver traces and sometimes also in the catalina.out log, when people have typed them in a workflow.

Is there any way of getting around this? I guess you could do the following:

1. Set driver trace to 0 on drivers that have this information. However, this will make debugging on these drivers much harder.
2. Delete catalina.out maybe once a day - I don't know how else to be sure it won't have it.
3. On delimited text drivers you end up with .bak files - I guess you could periodically delete these - again, debugging will be harder.
4. What about suppressing specific attributes in the driver trace? The engine does this automatically with passwords. Is there a way to suppress your own attributes?

Thanks in advance,

Jacob


If you mark the attribute for encrypted storage, the engine will add the suppressed flag to it, so you won't see it in trace.
jacmarpet1 Absent Member.

Re: Driver traces and GDPR

Wow, nice! I have just been testing the solutions above and it works. However, I am having a bit of trouble. For example, it works when a modify event is in the driver trace. But before it becomes a modify event in my trace, I do a src query on the sensitive attribute. That is an instance event, and for some reason that is not triggered by the add-xml policy.

But the encrypted attribute sounds interesting. It would mean that I won't need to edit all the drivers that use the sensitive attributes. Are there any things I need to be aware of when creating or changing an attribute to be encrypted?
Knowledge Partner

Re: Driver traces and GDPR

jacmarpet wrote:

> Are
> there any things I need to be aware of when creating or changing an
> attribute to be encrypted?


Drivers will only sync those attributes over "secure" connections, so make sure
everything is TLS (or equivalent) secured and test all involved drivers.

Knowledge Partner

Re: Driver traces and GDPR

jacmarpet;2489187 wrote:
Wow, nice! I have just been testing the solutions above and it works. However, I am having a bit of trouble. For example, it works when a modify event is in the driver trace. But before it becomes a modify event in my trace, I do a src query on the sensitive attribute. That is an instance event, and for some reason that is not triggered by the add-xml policy.

But the encrypted attribute sounds interesting. It would mean that I won't need to edit all the drivers that use the sensitive attributes. Are there any things I need to be aware of when creating or changing an attribute to be encrypted?


Post a trace, sanitized as necessary?
Knowledge Partner

Re: Driver traces and GDPR

On 2018-10-22 14:44, jacmarpet wrote:
>
> Hello,
>
> Now that GDPR is here, I got to think about IDM driver logs and files in
> general on the IDM Metadirectory server and the UA server.
>
> Many IDM systems use social security numbers for different things, such
> as the onboarding process. These numbers are in the driver traces and
> sometimes also in the catalina.out log, when people have typed them in a
> workflow.
>
> Is there any way of getting around this? I guess you could do the
> following:
>
> 1. Set driver trace to 0 on drivers that have this information. However,
> this will make debugging on these drivers much harder.
> 2. Delete catalina.out maybe once a day - I don't know how else to be
> sure it won't have it.
> 3. On delimited text drivers you end up with .bak files - I guess you
> could periodically delete these - again, debugging will be harder.
> 4. What about suppressing specific attributes in the driver trace? The
> engine does this automatically with passwords. Is there a way to
> suppress your own attributes?
>
> Thanks in advance,
>
> Jacob
>
>

Lock down access to the logfiles the same way you have locked down
access to your eDirectory.
I.e. don't give unauthorized people access 🙂

Also purge old log files you don't need.
