Eugene Roytfeld (EugeneR7)
Deutsche Bank
Vice President
EugeneR7 Member since 2013 30 posts
Posted: 23 Feb 2018 11:13 EST
Last activity: 27 Sep 2018 15:27 EDT

Field level auditing for passwords (or customizing audit message)

As described in the article:

you can customize the audit messages for changes, adds and deletions. However, there may be cases where it is necessary to have a property level message, which is not supported at the current time.

For example:

case (1): I need to track my user ID changes. With the existing approach, my audit message would be "Changed username from Jim to Bob" (as defined in the ChangeTrack_Change field value rule). --> works OK

case (2): I need to track my password changes. With the existing approach, my audit message would be "Changed password from {pr}123455 to {pr}abcdefg", which exposes sensitive data, as this is now part of the clear-text audit and can be decrypted. It would be a good idea to be able to specify in the data transform NOT to record previous / current values, and only indicate that the field was modified, where the message can be something like "Changed password".

It may be possible to add some flag at the data transform level, where the step may be something like: [SET] pyPassword -> {pr:ignoreValues}password

and within the various Java functions (or something that is part of pzAddHistoryMemoForScalar) include a condition: if (ignoreValues == true), use the ChangeTrack_ChangeNoValues field value.

The same should apply to "Add" and "Remove" operations.

***Updated by moderator: Lochan to add enhancement request ID***

Reporting Security
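The value-suppression flag the post asks for, worked through as an added example. This is not Pega's code and not the poster's; it models the proposal in plain Python. The `{pr:ignoreValues}` step marker, the `*_NoValues` templates, the `apply_transform` / `leaked_secrets` helpers and the sample record are all assumptions made for illustration. It also covers the Add and Remove cases the post says should behave the same way, and adds a check that confirms no secret value made it into the audit memos.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Message templates. The three *_with values* entries mirror the existing
# ChangeTrack_Change / Add / Remove messages the post describes; the
# value-free variants are the hypothetical ones the post proposes.
# (Assumed for this example; not Pega field value rules.)
TEMPLATES = {
    ("change", False): "Changed {prop} from {old} to {new}",
    ("add", False): "Added {prop} with value {new}",
    ("remove", False): "Removed {prop}, previous value {old}",
    ("change", True): "Changed {prop}",
    ("add", True): "Added {prop}",
    ("remove", True): "Removed {prop}",
}

# Hypothetical data-transform step syntax from the post: a SET value prefixed
# with "{pr:ignoreValues}" is applied normally but audited without its value.
_IGNORE_MARKER = re.compile(r"^\{pr:ignoreValues\}(.*)$", re.DOTALL)


def parse_step_value(raw: str) -> Tuple[str, bool]:
    """Split a step value into (actual value, ignore_values flag)."""
    m = _IGNORE_MARKER.match(raw)
    if m:
        return m.group(1), True
    return raw, False


def classify(old: Optional[str], new: Optional[str]) -> Optional[str]:
    """Decide whether a property was added, removed, changed, or untouched."""
    if old is None and new is None:
        return None
    if old is None:
        return "add"
    if new is None:
        return "remove"
    if old == new:
        return None
    return "change"


def audit_message(prop: str, old: Optional[str], new: Optional[str],
                  ignore_values: bool) -> Optional[str]:
    """Render the audit memo for one property, with or without its values."""
    op = classify(old, new)
    if op is None:
        return None
    return TEMPLATES[(op, ignore_values)].format(prop=prop, old=old, new=new)


def apply_transform(record: Dict[str, str], steps: Dict[str, Optional[str]],
                    sensitive: Set[str] = frozenset()) -> Tuple[Dict[str, str], List[str]]:
    """Apply SET steps (None = remove the property) and collect audit memos.

    A property is audited without values when its step carries the
    {pr:ignoreValues} marker or when it is listed in `sensitive`; the latter
    covers removals, where there is no step value to carry the marker.
    """
    new_record = dict(record)
    memos: List[str] = []
    for prop, raw in steps.items():
        if raw is None:
            value, marked = None, False
            new_record.pop(prop, None)
        else:
            value, marked = parse_step_value(raw)
            new_record[prop] = value
        msg = audit_message(prop, record.get(prop), value,
                            marked or prop in sensitive)
        if msg:
            memos.append(msg)
    return new_record, memos


def leaked_secrets(memos: List[str], secrets: List[str]) -> List[str]:
    """Return every secret that appears verbatim in any audit memo."""
    return [s for s in secrets if any(s in m for m in memos)]


if __name__ == "__main__":
    # Constructed sample record and data-transform steps (not real data).
    before = {"pyUserName": "Jim", "pyPassword": "123455", "pyPhone": "555-0100"}
    steps = {
        "pyUserName": "Bob",
        "pyPassword": "{pr:ignoreValues}abcdefg",
        "pyPhone": None,
        "pyEmail": "bob@example.com",
    }
    after, memos = apply_transform(before, steps)
    for memo in memos:
        print(memo)
    print("leaked:", leaked_secrets(memos, ["123455", "abcdefg"]))
```

Run as-is, the password step produces "Changed pyPassword" while the username change still reads "Changed pyUserName from Jim to Bob"; the `leaked_secrets` check is the regression test a practitioner would keep around, since a template edit that re-introduces `{old}` or `{new}` for a sensitive field is otherwise silent.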