Application Integration generates log messages for each integration execution. These logs can contain information that is used to determine the status of each integration step, or to troubleshoot failed integrations, tasks, or events. These logs can also include sensitive or personally identifiable information (PII) that you don't want to be visible in the log output.
Application Integration now provides controls to mask this sensitive data in the log output so that it is not visible when you review the logs.
Masking sensitive data in logs provides the following benefits:
To mask sensitive data in logs, you must enable masking for all of the following resources:
Project-level masking is the highest tier of the masking hierarchy, followed by integration-level and then variable-level masking. Project-level masking is controlled by a flag at the region level, so to activate it you enable masking for all regions associated with your project. You then enable the masking flag at the integration level and at the variable level. A variable is masked only when all three resources associated with it have masking enabled. If a project has multiple regions and you have enabled masking for only one of them, end-to-end masking works only for that region and the integrations built within it. The example provided below will offer further clarification.
Having multiple masking levels gives organizations a high degree of flexibility in managing different use cases, including test versus production environment configurations. For instance, in a non-production environment, users can configure both integration-level and variable-level masking but leave masking disabled at the project + region level. This enables testing, since the data involved is typically non-sensitive and the user can view it in the log output. Once testing is complete, users can migrate the integration to production and simply enable the masking flag at the project + region level. End-to-end masking will then be functional, since the project takes the highest priority. This approach removes the significant challenge of maintaining masking at the integration and variable levels separately for the production environment. Integration-level masking offers similar flexibility: users can choose which integration flows in a project have masking enabled and which have it disabled.
Limitation and Workaround:
The current solution has a limitation: you cannot mask only certain fields of a JSON variable. This level of granularity is not currently offered; however, we recognize the need for such fine-grained control among users.
So, the workaround:
Use this temporary workaround while we work to introduce this flexibility in a future release.
The example provided below will offer further clarification.
For instance, think of your customer sales data as a whole stack of data with different sections: contact information, order history, pricing agreements, customer payments, and so on. Masking lets you selectively cover up sensitive parts of the stack.
Using the multiple controls of the Application Integration masking feature, you can protect the visibility of your data in logs:
For complete protection, cover everything. Leaving any level unmasked creates a point of access for unauthorized eyes.
Sometimes you need to share selectively. You might have a marketing system that needs to see order history but shouldn't view the pricing flow. You can disable masking for just that integration (Order History) while keeping the rest of your data masked (Customer Payment): leave the masking flag enabled for the Customer Payment flow and for the variables within that integration flow.
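The three-level rule and the selective-sharing case above can be checked mechanically. The following audit sketch is an added example, not code from Application Integration: the inventory layout, field names and sample values are hypothetical and constructed for illustration. It reports every variable that is flagged for masking but would still be logged in clear text, and at which level the flag is off.

```python
# Added example. The inventory layout and field names are hypothetical
# (constructed for illustration), not an Application Integration API.
LEVELS = ("region", "integration", "variable")

INVENTORY = {  # constructed sample: one project, two regions
    "us-central1": {"masking": True, "integrations": {
        "customer-payments": {"masking": True,
                              "variables": {"card_number": True, "order_id": False}},
        "order-history": {"masking": False,
                          "variables": {"customer_email": True}},
    }},
    "europe-west1": {"masking": False, "integrations": {  # region flag left off
        "customer-payments": {"masking": True,
                              "variables": {"card_number": True}},
    }},
}


def effectively_masked(inventory, region, integration, variable):
    """A variable is masked in logs only when all three levels are enabled."""
    rcfg = inventory[region]
    icfg = rcfg["integrations"][integration]
    return bool(rcfg["masking"] and icfg["masking"] and icfg["variables"][variable])


def masking_gaps(inventory):
    """Map (region, integration, variable) -> levels still disabled, for every
    variable flagged for masking that would still be logged in clear text."""
    gaps = {}
    for region, rcfg in inventory.items():
        for name, icfg in rcfg["integrations"].items():
            for var, flagged in icfg["variables"].items():
                if not flagged:
                    continue  # variable was never marked for masking
                flags = dict(zip(LEVELS, (rcfg["masking"], icfg["masking"], flagged)))
                missing = [lvl for lvl in LEVELS if not flags[lvl]]
                if missing:
                    gaps[(region, name, var)] = missing
    return gaps


if __name__ == "__main__":
    for key, missing in sorted(masking_gaps(INVENTORY).items()):
        print("/".join(key), "is logged in clear; disabled at:", ", ".join(missing))
```

In the sample, the variable flag on `customer_email` has no effect because masking is disabled on its integration, and `card_number` is unmasked in the second region because only one region has the flag enabled.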
Now, let's see how to configure variable masking for Application Integration using a very simple use case: an email trigger.
Step 1: Enable Masking for the Project via Region flag
In the left-hand navigation of your Application Integration page, navigate to Region for your selected project, select the region you want to activate the masking rule for, click the three dots, and select Edit region, as shown below.
Turn on the Variable Masking toggle, “Enable Variable Masking in logs”, to enable variable masking at the region level.
Step 2: Enable Masking at the Integrations
Select the integration for which you want to enable masking and open it. Then select the settings button in the top-right corner of the screen, as shown below.
Turn on the Variable Masking toggle, “Enable Variable Masking in logs”, to enable variable masking at the integration level. Doing this enables you to mask at the individual variable level.
Step 3: Enable Masking at the Variable
Edit the variable that you want to mask by clicking the three dots next to the variable and then clicking View Details. Then select the “Mask the variable in logs” checkbox, as shown below, and click the Save button.
Step 4: Variable is masked at the Log Output
Once you run the execution, the output log for the selected variable is masked.