Hi all,
We need to protect DOB in ISC , it comes from our authoritative HR source (JDBC) and is mapped as an identity attribute. Requirement: only certain authorized users should see it, not everyone who can view identities
Is there any way to mask or restrict visibility of a specific identity attribute (by user level or governance group)?
Hi @pguduri,
I don’t believe there is a way to enforce that restriction.
If that attribute is required, a better approach would be to mask the value before storing it on the identity and then unmask it wherever it needs to be used.
I think this is what you are looking for.
SailPoint Identity Security Cloud (ISC) currently does not support user attribute-level masking or user-level data segmentation.
The recently introduced Data Segmentation feature enables organizations to restrict access at the role and entitlement level.
With Data Segmentation, designated users can view and manage only the roles and entitlements within the segments they have been granted access to. This includes the ability to name, describe, create, configure, and maintain roles and entitlements that fall within their assigned scope. More details are available in the SailPoint Data Segmentation documentation: Data Segmentation Overview - SailPoint Identity Services.
This is not foolproof, but might work as a compromise between security and getting the work done
- Using JDBC Buildmap rule, encrypt the DOB. (Securely storing and using of encryption key in this step is crucial.)
- Same encrypted value is written to Identity attribute
- Create a Interactive Trigger Workflow that can call a Powershell script and pass the DOB identity attribute.
- Powershell script will decrypt the string and return the DOB (sing the same key as in Step 1)
- Limit the access to the Launcher to users who are authorised to view the DoB.