Data masking

This policy hides sensitive fields by replacing their values with masked data.

This policy masks sensitive data at the application level. To apply masking at the application level, you must have an Identify and Authorize policy configured to identify the application for which the masking is applied. If no application is specified, the masking is applied to all the other responses. Fields can be masked or filtered in the response messages to be sent. You can configure the masking criteria as XPath, JSON Path, and Regex expressions, based on the content types.

In IBM API Studio, this policy is identified by the kind DataMasking.

For the DataMasking policy kind, configure these specifications:

| Code view | Form view | Description |
| --- | --- | --- |
| matchApplications | Consumer applications | Specifies the applications for which the masking criteria must be applied. |
| applyForTransactionLogging | Apply for transaction logging | Specifies whether the data masking criteria are applied to transaction logging. |
| applyForPayload | Apply for payload | Specifies whether the data masking criteria are applied to the response payload. |
| transformations | Masking criteria | You can configure the following under transformations in code view and Masking criteria in the form view. |

  • transformations. You can apply the following transformations:

    • setMask. Defines how to transform the response payload for incoming requests by masking sensitive data.

      Each entry specifies the path of the element to mask, the value to replace it with, and optional namespace mappings. You can configure multiple masking rules.

      You can specify the path as an XPath, JSON Path, or Regex, depending on the payload format.

      • maskValue. Defines the replacement value for the masked element.
      • namespaces. Lists the XML namespace mappings to use when the path is defined with XPath.
        • prefix. Specifies the namespace prefix.
        • URI. Specifies the namespace URI.
    • remove. Specifies which field to remove from the response.

Example of a Data masking policy in code view.

kind: DataMasking
apiVersion: api.ibm.com/v2
metadata:
  name: res_datamasking
  version: 1.0
  namespace: wm_project
spec:
  matchApplications:
    - 2d4e28ae-6209-44ec-ba4e-64c5fcc9b63d
    - 495d12eb-1712-46a0-9b23-142a3374e3a9
  transformations:
      set:
        - jpath: jpathexpression1
          maskValue: jpathmask1
        - xpath: xpathexpression1
          namespaces:
            - prefix: ps1
              URI: http://test.com
            - prefix: ps2
              URI: http://test2.com
          maskValue: xpathmask1
        - regex: regexexpression1
          maskValue: regexmask1
        - jpath: jpath
          maskValue: value1
        - xpath: xpath
          maskValue: value2
        - regex: regex
          maskValue: value3
      remove:
        - xpath: ${request-x}
        - jpath: ${request-j}
        - regex: ${request-r}
        - xpath: ${request-1}
        - jpath: ${request-2}
        - regex: ${request-3}
  applyForTransactionLogging: true
  applyForPayload: true
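
Path-based rules mask only the element they address, so a sensitive value that is repeated elsewhere in the response stays visible unless another rule covers it. The following sketch is an added example, not IBM API Studio code and not the gateway's masking engine: it approximates jpath set/remove rules and regex set rules locally so rule coverage can be checked against a sample response. The payload, the rule values and the simplified `$.a.b` path handling are assumptions of this example.

```python
import copy
import json
import re

# Constructed sample response; names and values are made up for this example.
SAMPLE = {
    "customer": {"name": "Ada", "ssn": "123-45-6789"},
    "audit": {"note": "verified ssn 123-45-6789 by phone", "token": "abc123"},
}
# Hypothetical rules shaped like the policy's set/remove entries ("$.a.b" paths only).
RULES = {
    "set": [{"jpath": "$.customer.ssn", "maskValue": "****"}],
    "remove": [{"jpath": "$.audit.token"}],
}
REGEX_RULE = {"regex": r"\d{3}-\d{2}-\d{4}", "maskValue": "****"}

def _locate(doc, jpath):
    """Resolve '$.a.b' to (parent dict, last key), or (None, None) if absent."""
    *parents, last = jpath.lstrip("$").strip(".").split(".")
    node = doc
    for key in parents:
        node = node.get(key) if isinstance(node, dict) else None
    if isinstance(node, dict) and last in node:
        return node, last
    return None, None

def apply_rules(payload, rules):
    """Return the payload as JSON text after the set and remove rules run."""
    doc = copy.deepcopy(payload)  # never mutate the caller's payload
    for action in ("set", "remove"):
        for rule in rules.get(action, []):
            parent, key = _locate(doc, rule.get("jpath", ""))
            if parent is not None and action == "set":
                parent[key] = rule["maskValue"]
            elif parent is not None:
                del parent[key]
    text = json.dumps(doc)
    for rule in rules.get("set", []):  # regex rules run over the serialized text
        if "regex" in rule:
            text = re.sub(rule["regex"], rule["maskValue"], text)
    return text

def leaks(masked_text, secrets):
    """List the secrets still present in the masked output."""
    return [s for s in secrets if s in masked_text]

if __name__ == "__main__":
    print(leaks(apply_rules(SAMPLE, RULES), ["123-45-6789", "abc123"]))
```

With only the jpath rule, the SSN echoed in `audit.note` is still reported by `leaks`; adding `REGEX_RULE` to the `set` list clears it.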