Metadata Redacted View Restriction Access Policies (Anonymization)
Metadata Redacted View Restriction lets you anonymize user data to protect and restrict sensitive and private data. When applied, the endpoint name/username is anonymized. Instead of displaying the actual endpoint/username, a unique token is applied to each user, as shown in the example.
The actual user's identity is hidden, so the user's privacy is maintained, but the token identifier still lets you carry out the investigations you need. You can filter by the token identifier as you would by an endpoint name or user attribute in filters for Explorations, Rules, and Alerts.
In addition to maintaining the user's privacy, this feature makes sure investigations are objective, since the investigator does not have access to the actual user names.
To use this feature, assign the Metadata Attribute View Redaction Global Restriction policy to the user that you want to restrict. This user will see the anonymized endpoint/user attributes (the token identifier) instead of the actual data.
In Explorations, anonymized fields cannot be filtered as clear text fields.
When assigned to a user, the Metadata Attribute View Redaction Global Restriction policy takes priority over any other assigned policies. For example, if a user is assigned the Activity Exploration policy and is then assigned the Metadata Attribute View Redaction Global Restriction policy, the user sees anonymized data.
Creating a Metadata Attribute View Redaction Access Policy
You can create a Metadata Attribute View Redaction - Global Restriction with the parameters you want to anonymize.
- From the Administration application, select User Management > Access Policies.
- From the Access Policies page, select New Custom Access Policy.
- In the General tab, complete the Alias, Name and Description (optional) fields.
- In the Template tab, click Select next to Template Type.
- From the list of templates, select Metadata Attribute View Redaction - Global Restriction.
- From the list of parameters, select those parameters you want to anonymize.
- In the Assignment tab, assign this policy to the relevant users, groups and personas.
- Click Save.
Assigning Metadata Attribute View Redaction Access Policy to a User
You can assign a policy to a user from the list of Users.
- From the Administration application, select User Management > Users. From the list of Users, select the user you want to restrict.
- In the details panel, from the Actions drop-down, select Access Policies.
- From Granular Access, select Metadata Attribute View Redaction Global Restriction.
The Metadata Attribute View Redaction Global Restriction policy is now assigned to the selected user.
To remove anonymization, simply unassign the Metadata Attribute View Redaction Global Restriction policy.
Parameters for Redaction
You can redact any or all of the following parameters.
User Attributes
- User Name 
- Email 
- First Name 
- Last Name 
- Display Name 
- Aliases 
- Identifiers Combinations Field_value 
- User 
- Effective User 
- it.agent.activity.event.executable.owner.user.name._.name.short 
- Owner Name 
- Sender ID 
- Sender Email 
- Sender Display Name 
Window Attributes
- Window Title 
Endpoint Attributes
- Alias 
- Hostname 
- FQDN 
- Name 
Activity Service Resource Attributes
- Name 
- Source Name 
- _derivatives Direction Target Name 
Activity Service Resource Path Attributes
- Path 
- Resource URL 
- Source Path 
- Target Path 
- Tracking Origin Resource URL 
- Permissions Access Identities Alias 
- Permissions Access Identities Name 
- Container/Site 
- Links Access Href 
- Resource URL Domain 
- Path 
- URL 
- URL Domain 
Activity Service Recipient User Attributes
- Recipient ID 
- Recipient Email 
- Recipient Display Name 
Anonymized User Attributes
User attributes are listed in the Capability description of the Metadata Attribute View Redaction Global Restriction policy.
- Select User Management > Access Policies. 
- From the list of Access Policies click Metadata Attribute View Redaction - Global Restriction. 
- Scroll down in the General window and click View Capabilities. 
Filtering by the Token Identifier
Although a user sees anonymized endpoint/user attributes (the token identifier) instead of the actual data, it is possible to investigate user activity by filtering by token identifiers.
In the example, you want to investigate activity of 2 users.
- In an Exploration, select Filter by User > User Name. 
- From Select Values, select the token identifiers you want to monitor.  
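The behaviour described on this page (a stable token per user, filtering by token, and the restriction taking priority over other policies) can be illustrated with the following added example, which is not the product's code. The HMAC token scheme, the key, and the policy and field names are assumptions, since the page does not document how tokens are derived.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret. A keyed HMAC is used instead of a plain
# hash so that tokens cannot be reversed by hashing a list of known user names.
TOKEN_KEY = b"constructed-demo-key"
# Hypothetical field names, loosely modelled on "Parameters for Redaction".
REDACTED_FIELDS = {"user_name", "email", "hostname"}
RESTRICTION = "metadata_redaction"  # hypothetical policy identifier


def tokenize(field, value):
    """Same (field, value) always yields the same token, so filters keep working."""
    msg = f"{field}\x00{value}".encode()
    digest = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    return f"anon-{digest[:12]}"


def redact(record):
    """Replace every redacted string field with its token; keep the rest."""
    return {
        k: tokenize(k, v) if k in REDACTED_FIELDS and isinstance(v, str) else v
        for k, v in record.items()
    }


def view_for(assigned_policies, records):
    """The restriction wins regardless of which other policies are assigned."""
    if RESTRICTION in assigned_policies:
        return [redact(r) for r in records]
    return [dict(r) for r in records]


def filter_by_token(view, field, tokens):
    """Filter an analyst's view by token identifiers, as in an Exploration."""
    return [r for r in view if r[field] in tokens]


# Constructed sample activity records.
EVENTS = [
    {"user_name": "alice", "hostname": "WS-014", "action": "file_copy"},
    {"user_name": "bob", "hostname": "WS-022", "action": "usb_mount"},
    {"user_name": "alice", "hostname": "WS-014", "action": "web_upload"},
]

if __name__ == "__main__":
    view = view_for({"activity_exploration", RESTRICTION}, EVENTS)
    for row in filter_by_token(view, "user_name", {view[0]["user_name"]}):
        print(row)
```

Filtering the redacted view by the clear-text name returns nothing, which mirrors the note that anonymized fields cannot be filtered as clear text fields.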
Related Topics:
Predefined Access Policies Descriptions