Metadata Redacted View Restriction Access Policies (Anonymization)
Metadata Redacted View Restriction lets you anonymize user data to protect and restrict sensitive and private data. When applied, the endpoint name/ username is anonymized. Instead of displaying the actual endpoint/username, a unique token is applied to each user, as shown in the example.
The actual user's identity is hidden so the user's privacy is maintained but the token identifier allows you to continue investigations you need. You can filter by the token identifier as you would an endpoint name or user attribute for filters in Explorations, Rules, and Alerts.
In addition to maintaining the user's privacy, this feature makes sure investigations are objective, since the investigator does not have access to the actual user names.
To use this feature, assign the Metadata Attribute View Redaction Global Restriction policy to the user that you want to restrict. This user will see the anonymized endpoint//user attributes (the token identifier) instead of the actual data.
In Explorations, anonymized fields cannot be filtered as clear text fields.
When assigned to a user, the Metadata Attribute View Redaction Global Restriction policy takes priority over any other assigned policies. For example, a user may be assigned Activity Exploration policy, and then assigned the Metadata Attribute View Redaction Global Restriction policy, the user sees anonymized data.
In Explorations, anonymized fields cannot be filtered as clear text fields.
Creating a Metadata Attribute View Redaction Access Policy
You can create a Metadata Attribute View Redaction - Global Restriction with the parameters you want to anonymize.
-
From the Administration application, select User Management > Access Policies.
-
From the Access Policies page, select New Custom Access Policy.
-
In the General tab, complete the Alias, Name and Description (optional) fields.
-
In the Template tab, click Select next to Template Type.
-
From the list of templates, select Activity Metadata View.
-
Setup specific rules using Parameters or continue to the Assignment tab.
-
From the list of parameters, select those parameters you want to anonymize.
-
In the Assignment tab, assign this policy to the relevant users, groups and personas.
-
Click Save.
Assigning Metadata Attribute View Redaction Access Policy to a User
You can assign a policy to a user from the list of Users.
From the Administration application, select User Management > Users. From the list of Users, select the user you want to restrict
In the details panel, from Actions drop down, select Access Policies.
From Granular Access, select Metadata Attribute View Redaction Global Restriction.
Metadata Attribute View Redaction Global Restriction policy is now assigned to the selected user,
To remove anonymization, simply unassign the Metadata Attribute View Redaction Global Restriction policy.
Anonymized User Attributes
These are the restricted user attributes. Additional user attributes may be added.
| Parameter | Fields |
|---|---|
| endpoint.aliases | Endpoint > Alias |
| endpoint.fqdn | Endpoint > FQDN |
| endpoint.hostname | Endpoint > Hostname |
| executable.owner.user.name | Process/Application > Executable Owner User Name |
| messages.recipients.displayName | Messages > Recipient Display Name |
| messages.recipients.email | Messages > Recipient Email |
| messages.recipients.id | Messages > Recipient ID |
| messages.sender.displayName | Messages > Sender Display Name |
| messages.sender.email | Messages > Sender Email |
| messages.sender.id | Messages > Sender ID |
| process.effectiveUser | Process/Application > Effective User |
| process.user | Process/Application > User |
| resources._derivatives.direction.source.path | Files/Resources > _derivatives Direction Source Name |
| resources._derivatives.direction.target.path | Files/Resources >_ derivatives.direction.target.path |
| resources.container.name | Files/Resources > Container Name |
| resources.host | Files/Resources > Host |
| resources.links.access.href | Files/Resources > Links Access Href |
| resources.name | Files/Resources > Name |
| resources.owner.user.name | Files/Resources > Owner User Name |
| resources.path | Files/Resources > Path |
| resources.permissions.access.identities.alias | Files/Resources > Permissions Access Identities Alias |
| resources.permissions.access.identities.name | Files/Resources > Permissions Access Identities Name |
| user.aliases.name | User > Aliases |
| user.displayName | User > Display Name |
| user.email | User > Email |
| user.firstName | User > First Name |
| user.lastName | User > Last Name |
| user.name | User > User Name |
User attributes are listed in the Capability description of the Metadata ParameterAttribute View Redaction Global Restriction policy.
Select User Management > Access Policies.
From the list of Access Policies click Metadata Attribute View Redaction - Global Restriction.
Scroll down in the General window and click View Capabilities.
Filtering by the Token Identifier
Although a user sees anonymized endpoint//user attributes (the token identifier) instead of the actual data, it is possible to investigate user activity by filtering by token identifiers.
In the example, you want to investigate activity of 2 users.
In an Exploration, select Filter by User > User Name.
From Select Values, select the token identifiers you want to monitor.
Related Topics:
Predefined Access Policies Descriptions