Configuring sensitive attributes
Use sensitive attribute definitions to control which clients can read, search, add, compare, or modify particular attributes, and whether that access must take place over a secure connection.
For a PingDirectory server instance, data encryption applies only to on-disk storage. It does not by itself protect information as it is accessed by clients or replicated between servers, but the server offers mechanisms for that protection, such as SSL, StartTLS, and SASL.
Requiring SSL or StartTLS for all client communication and SSL for all replication traffic helps protect the data from anyone who can eavesdrop on network communication. You can enable this communication security independently of data encryption.
If data encryption is enabled, you should also use secure communication so that the data is not exposed on the network.
Protecting client data access is not as simple as enabling secure communication. In some cases, you might want to allow insecure access to some data. In other cases, you might need additional levels of protection to ensure that certain attributes are handled more carefully. To apply varying levels of protection, use sensitive attribute definitions.
The following table explains the configuration properties of a sensitive attribute definition. Each allow-in-* property accepts the same set of values; the value secure-only, used in the example later on this page, permits the operation only for clients that are communicating with the server over a secure connection.
Property | Configuration details
---|---
attribute-type | Specifies the set of attribute types whose values might be considered sensitive. You must provide at least one attribute type, and every attribute type you specify must be defined in the server schema.
include-default-sensitive-operational-attributes | Indicates whether the set of sensitive attributes should automatically be expanded to include operational attributes maintained by the PingDirectory server itself that might contain sensitive information. This includes the …
allow-in-filter | Indicates whether sensitive attributes can be used in filters. This applies not only to the filter in a search request, but also to filters used elsewhere, such as in the assertion and join request controls. The value must be one of the supported values (for example, secure-only).
allow-in-add | Indicates whether sensitive attributes can be included in entries created by add operations. The value must be one of the supported values (for example, secure-only).
allow-in-compare | Indicates whether sensitive attributes can be targeted by the assertion in a compare operation. The value must be one of the supported values (for example, secure-only).
allow-in-modify | Indicates whether sensitive attributes can be updated by modify operations. The value must be one of the supported values (for example, secure-only).
By default, …
Sensitive attributes and client connection policies
If a client connection policy references a sensitive attribute definition, the restrictions imposed by that definition are enforced for every client associated with that client connection policy. If multiple sensitive attribute definitions are associated with the same client connection policy, the server applies the most restrictive combination of all of them.
Sensitive attributes and other security mechanisms
Sensitive attribute definitions work in conjunction with the other security mechanisms defined in the server and can only impose additional restrictions on clients. They never grant a client access to information that it could not already reach through other means, such as access control rules.
For example, if the employeeSSN attribute is declared sensitive and the allow-in-returned-entries property is set to secure-only, then employeeSSN is returned only to clients that both have the permissions granted by the server's access control rules and are communicating with the server over a secure connection.
The employeeSSN attribute is stripped from entries returned to clients that are normally authorized to see it if they are using an insecure connection. It is also stripped from entries returned to clients that are not authorized to see it, even if they have established a secure connection.
Creating a sensitive attribute
Creating sensitive attributes involves defining one or more sensitive attribute definitions with the configuration properties you need and associating them with the client connection policies that should enforce them.
About this task
To create a sensitive attribute:
Steps
-
Create one or more sensitive attribute definitions using dsconfig create-sensitive-attribute.
Example:
To create a sensitive attribute definition that only allows access to the employeeSSN attribute by clients using secure connections, make the following configuration changes.
```shell
$ bin/dsconfig create-sensitive-attribute \
  --attribute-name "Employee Social Security Numbers" \
  --set attribute-type:employeeSSN \
  --set include-default-sensitive-operational-attributes:true \
  --set allow-in-returned-entries:secure-only \
  --set allow-in-filter:secure-only \
  --set allow-in-add:secure-only \
  --set allow-in-compare:secure-only \
  --set allow-in-modify:secure-only
```
-
Associate the sensitive attribute definitions with the client connection policies that should enforce them using dsconfig set-client-connection-policy-prop.
Example:
```shell
$ bin/dsconfig set-client-connection-policy-prop --policy-name default \
  --set "sensitive-attribute:Employee Social Security Numbers"
```
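The two steps above carried through end to end and followed by a client-side check, as an added example that is not part of the PingDirectory documentation. It makes hypothetical assumptions: PD_HOME is the server root, the server listens on LDAP port 389 and LDAPS port 636 on localhost, cn=Directory Manager is the administrative account, READER_DN is an account whose access control rules allow it to read employeeSSN, and the entry uid=jdoe,ou=People,dc=example,dc=com already carries an employeeSSN value. The script only contacts a server when APPLY=1 is set; the helper has_ssn runs without one.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation): apply both
# configuration steps and then verify, from a client's point of view, that
# the definition is enforced. Hypothetical assumptions: PD_HOME is the
# server root; LDAP 389 and LDAPS 636 on localhost; cn=Directory Manager is
# the admin account; READER_DN may read employeeSSN under the ACLs; and
# uid=jdoe,ou=People,dc=example,dc=com already has an employeeSSN value.
# Nothing touches a server unless APPLY=1 is set in the environment.
set -eu

PD_HOME="${PD_HOME:-/opt/ping/PingDirectory}"
HOST="${PD_HOST:-localhost}"
LDAP_PORT="${PD_LDAP_PORT:-389}"
LDAPS_PORT="${PD_LDAPS_PORT:-636}"
ADMIN_DN="cn=Directory Manager"
ADMIN_PW="${PD_ADMIN_PW:-password}"
READER_DN="${READER_DN:-uid=hr.reader,ou=People,dc=example,dc=com}"
READER_PW="${READER_PW:-password}"
TEST_DN="uid=jdoe,ou=People,dc=example,dc=com"
DEF_NAME="Employee Social Security Numbers"

# Non-interactive dsconfig over LDAPS so the admin password never crosses the
# network in the clear. --trustAll is acceptable only in a lab; in production
# use --trustStorePath with the server certificate instead.
dsconfig_cmd() {
  "$PD_HOME/bin/dsconfig" "$@" \
    --hostname "$HOST" --port "$LDAPS_PORT" --useSSL --trustAll \
    --bindDN "$ADMIN_DN" --bindPassword "$ADMIN_PW" --no-prompt
}

# Step 1: the definition, with every allow-in-* property set to secure-only.
create_definition() {
  dsconfig_cmd create-sensitive-attribute \
    --attribute-name "$DEF_NAME" \
    --set attribute-type:employeeSSN \
    --set include-default-sensitive-operational-attributes:true \
    --set allow-in-returned-entries:secure-only \
    --set allow-in-filter:secure-only \
    --set allow-in-add:secure-only \
    --set allow-in-compare:secure-only \
    --set allow-in-modify:secure-only
}

# Step 2: attach it to the client connection policy that should enforce it.
attach_to_policy() {
  dsconfig_cmd set-client-connection-policy-prop \
    --policy-name default \
    --set "sensitive-attribute:$DEF_NAME"
}

# Search as READER_DN; $1 is "plain" (LDAP) or "ssl" (LDAPS). The remaining
# arguments are passed to ldapsearch (base DN, scope, filter, attributes).
reader_search() {
  mode="$1"; shift
  if [ "$mode" = ssl ]; then
    set -- --port "$LDAPS_PORT" --useSSL --trustAll "$@"
  else
    set -- --port "$LDAP_PORT" "$@"
  fi
  "$PD_HOME/bin/ldapsearch" --hostname "$HOST" \
    --bindDN "$READER_DN" --bindPassword "$READER_PW" "$@"
}

# Pure helper: does an LDIF search result carry an employeeSSN value?
# Exit status 0 means yes, 1 means no. Needs no server.
has_ssn() {
  printf '%s\n' "$1" | grep -qi '^employeeSSN:'
}

verify() {
  plain=$(reader_search plain --baseDN "$TEST_DN" -s base '(objectClass=*)' employeeSSN)
  ssl=$(reader_search ssl --baseDN "$TEST_DN" -s base '(objectClass=*)' employeeSSN)
  if has_ssn "$plain"; then
    echo "FAIL: employeeSSN returned over plain LDAP" >&2; return 1
  fi
  if ! has_ssn "$ssl"; then
    echo "FAIL: employeeSSN not returned over LDAPS to an authorized reader" >&2; return 1
  fi
  # allow-in-filter:secure-only: a filter on the attribute must be rejected on
  # a plain connection, so ldapsearch is expected to exit non-zero here.
  if reader_search plain --baseDN "${TEST_DN#*,}" -s one '(employeeSSN=*)' dn >/dev/null 2>&1; then
    echo "FAIL: filter on employeeSSN accepted over plain LDAP" >&2; return 1
  fi
  echo "OK: employeeSSN is hidden on plain LDAP and visible on LDAPS"
}

if [ "${APPLY:-0}" = 1 ]; then
  create_definition
  attach_to_policy
  verify
fi
```

Run it with APPLY=1 against a lab server after setting PD_HOME and the credentials. To confirm the second half of the rule (a definition never grants access), repeat the LDAPS search with an account the access control rules do not permit to read employeeSSN; the attribute must still be absent from the result.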