Restrict view of DDD based on user role

score 60
Not Planned

After doing some research in the community I found the following Idea:

To have an option to control which discovered Node data a user can view when granting access to the ADDM appliance.

Unfortunately I can't access it, so I don't know any details or the current status.

In the past I faced situations where I found sensitive data in files or process arguments. I added some more sensitive data filters to hide the sensitive data in the future.

This approach has the following disadvantages:

  1. Finding and fixing sensitive data is more or less based on randomness.
  2. Constructing a regular expression, which is effective, efficient and understandable, even after one year, is quite difficult. Furthermore I know situations where you can't simply escape the data by using a regex.
  3. It's reactive and not proactive, so I can't tell you who is also aware of the sensitive data.
  4. DDD cannot be deleted manually, so the sensitive data is visible in the clear until automatic DDD removal kicks in.

As a solution I would suggest a role based restriction of the (directly discovered) node kinds.

This way a BMC Discovery admin can restrict the view for node kinds like DiscoveredFile or DiscoveredProcess. These node kinds are rarely of interest. Therefore not every user needs to have access to them.

I would like to know how other people solve the challenge of sensitive data being visible in clear text.
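
The regex filter approach and the gaps listed in the post, as an added example that is not part of the original post and does not use BMC Discovery's own filter syntax: a generic Python sketch that masks secrets in process command lines and reports which lines no filter touched. The patterns, function names and sample command lines are assumptions constructed for illustration.

```python
import re

MASK = "*****"

# Hypothetical filters; capture group 1 is the span to hide.
FILTERS = [
    # --password VALUE, --token=VALUE, -pwd VALUE ...
    re.compile(r"(?i)--?(?:password|passwd|pwd|token|secret)[=\s]+(\S+)"),
    # scheme://user:VALUE@host
    re.compile(r"\b\w+://[^/\s:@]+:([^@\s]+)@"),
]

# Constructed sample command lines (not real discovery data).
SAMPLES = [
    "/usr/bin/backup --user svc --password S3cr3t! --target /data",
    "curl https://api:tok123@example.internal/v1",
    "mysql -u root -pHunter2 inventory",      # flag and value fused
    "/opt/tool/login.sh admin Hunter2",       # secret is a bare positional arg
    "/usr/sbin/sshd -D",                      # nothing sensitive
]

def mask_args(cmdline):
    """Return (masked command line, number of spans masked)."""
    hits = 0

    def repl(m):
        nonlocal hits
        hits += 1
        start, end = m.start(1) - m.start(), m.end(1) - m.start()
        whole = m.group(0)
        return whole[:start] + MASK + whole[end:]

    for rx in FILTERS:
        cmdline = rx.sub(repl, cmdline)
    return cmdline, hits

def audit(cmdlines):
    """Split lines into those a filter masked and those no filter touched."""
    masked, untouched = [], []
    for line in cmdlines:
        out, hits = mask_args(line)
        (masked if hits else untouched).append(out)
    return masked, untouched

if __name__ == "__main__":
    masked, untouched = audit(SAMPLES)
    print("masked:", *masked, sep="\n  ")
    print("no filter matched (leaking or harmless, the regex cannot tell):",
          *untouched, sep="\n  ")
```

The untouched list mixes two lines that still expose a secret with one harmless line, so a missing match says nothing about whether the stored data is clean.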
