PingOne DaVinci

Handling sensitive data

Use these best practices to protect sensitive data from internal or external exposure.

Use an appropriate logging level

Logging tracks various system events and requires a certain amount of system resources. More verbose logging provides additional information but consumes more system resources, which impacts the flow’s overall performance.

DaVinci supports multiple logging levels:

  • Error (default): Gathers basic information about the flow start and any errors encountered.

  • None: Performs no logging.

  • Info: Gathers information about every node that runs.

  • Debug: Gathers detailed information about every node that runs.

You should leave flow logging set to Error unless you’re actively attempting to diagnose an issue, and you should set flow logging back to Error as soon as you’re done.

You can update the log level by opening the flow and clicking More options > Flow Settings, then clicking the Logging tab. Learn more in Editing flow settings.

Manage DaVinci access

Administrative users in DaVinci are created through PingOne. When you add admin users, only give these users the necessary permissions for their roles, and only for the necessary environments. This prevents users from accidentally or intentionally making changes to flows or environments beyond the scope of their responsibilities.

Regularly review the list of admin users to ensure no admin user has unnecessary access.

Use sensitive fields to keep sensitive data out of analytics

By default, DaVinci removes the values of known sensitive fields from analytics. Learn more about the fields that are automatically scrubbed in Viewing flow analytics.

If you want to add additional sensitive fields, update the flow settings to scrub their values using the Scrub Sensitive Information and Sensitive Information Fields fields. Learn more in Editing flow settings.

Use secret variables for sensitive information

Some values, such as API keys, client secrets, and access tokens, are required for some flows to function but shouldn’t be readily visible. You should store these values in secret variables.

Secret variables are a type of company context variable. Their values can be used in the HTTP connector’s Make REST API call capability, in the Headers and Body Parameters sections. Their values are not visible in logs, analytics, API queries, flow JSON files, or to other DaVinci administrators. Administrators can replace the value for a secret variable, but they cannot view the current value after it’s been saved. Saving sensitive values in secret variables makes them more secure and simplifies administration by putting all of the values in one place rather than in multiple connector configurations.

Learn more in Variables and Adding a variable.

Exclude variables from exported flows

When you export a flow as JSON, deselect the Include Variable Values option so that the JSON does not include the values of company or flow variables that are used in the flow. Learn more in Exporting a flow.
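
A check you can run on an exported flow file before sharing or committing it, as an added example that is not part of the DaVinci documentation or product. It walks any JSON document and reports where a sensitive-looking name still carries a literal value. The key-name list, the name/value entry shape, the `{{...}}` placeholder convention, and the sample document are assumptions made for this example, not the DaVinci export schema.

```python
import json
import re

# Heuristic names that usually hold credentials (chosen for this example).
SECRET_NAME = re.compile(r"secret|passw(or)?d|token|api[_-]?key|private[_-]?key", re.I)
# Assumption: a value that is only a {{...}} placeholder is a reference, not a literal.
REFERENCE = re.compile(r"^\s*\{\{[^{}]+\}\}\s*$")


def is_literal(value):
    """True for a non-empty string that is not just a placeholder reference."""
    return isinstance(value, str) and value.strip() != "" and not REFERENCE.match(value)


def find_embedded_values(node, path="$"):
    """Walk parsed JSON; return paths where a sensitive-looking name has a literal value."""
    hits = []
    if isinstance(node, dict):
        # Shape 1 (assumed): {"name": "apiKey", "value": "..."} entries.
        name = node.get("name")
        if isinstance(name, str) and SECRET_NAME.search(name) and is_literal(node.get("value")):
            hits.append(f"{path}.value")
        for key, child in node.items():
            child_path = f"{path}.{key}"
            # Shape 2: the key itself looks sensitive, e.g. {"clientSecret": "..."}.
            if SECRET_NAME.search(key) and is_literal(child):
                hits.append(child_path)
            hits.extend(find_embedded_values(child, child_path))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            hits.extend(find_embedded_values(child, f"{path}[{index}]"))
    return hits


# Constructed sample for this example, not a real DaVinci export.
SAMPLE_EXPORT = json.loads("""{
  "name": "Constructed sample flow",
  "variables": [
    {"name": "crmApiKey", "value": "EXAMPLE-NOT-A-REAL-KEY"},
    {"name": "region", "value": "eu"},
    {"name": "smsToken", "value": ""}
  ],
  "nodes": [{"properties": {"clientSecret": "{{placeholder.reference}}", "password": "example-only"}}]
}""")

if __name__ == "__main__":
    for hit in find_embedded_values(SAMPLE_EXPORT):
        print("literal value under sensitive name:", hit)
```

An empty result only means no literal was found under the names in the heuristic list; extend `SECRET_NAME` to match the variable names your flows use.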