Data masking is a technique whereby sensitive data is obscured in some way to render it safe and
to protect the actual data while having a functional substitute for occasions when the real data is
not required.
This policy is used to mask sensitive data at the application level. At the application level you
must have an Identify and Access policy configured to identify the application for which the masking
is applied. If no application is specified then it is applied for all the other responses. Fields
can be masked or filtered in the response messages to be sent. You can configure the masking
criteria as required for the XPath, JSONPath, and Regex expressions based on the content-types. This
policy can also be applied at the API scope level.
Note: Data masking can not be performed for:
- Payloads that are sent as streams.
- Native API's response headers.
The table lists the content-type and masking criteria mapping.
| Content-type |
Masking Criteria |
| application/xml text/xml text/htm |
XPath |
| application/json application/json/badgerfish |
JSONPath |
| text/plain |
Regex |
The table lists the masking criteria properties that you can configure to mask the data in the
response messages:
| Parameter |
Description |
| Consumer Applications |
Optional. Specifies the applications for which the masking criterion has to be applied.
Start typing the application name, select the application from the type-ahead search results
displayed, and click Add to add one or more applications.
For example: If there is a
DataMasking(DM1) criteria created for application1 a second DataMasking(DM2) for application2 and a
third DataMasking(DM3) with out any application, then for a request that comes from consumer1 the
masking criteria DM1 is applied, for a request that comes from consumer2 DM2 is applied. If a
request comes with out any application or from any other application except application1 and
application2 DM3 is applied.
You can use the delete icon  to delete the added
applications from the list.
|
| XPath. Specifies the masking criteria for XPath expressions in the response messages. |
|
| Masking Criteria |
Click Add masking criteria and provide the following information and
click Add
- Query expression. Specify the query expression that has to be masked or
filtered. For example: /pet/details/status, /user/details/card/ccnumber.
- Masking Type. Specifies the type of masking required. You select either
Mask or Filter. Selecting Mask
replaces the value with the given value (the default value being ********). Selecting
Filter removes the field completely.
- Mask Value Appears if you have select the Masking
Type selected is Mask. Provide a mask value. You can add multiple
masking criteria.
As Query expression and Mask Value properties support variable framework, you
can use the available variables.
In case of query expression, if you provide variable syntax,
the XPath is applied on the payload using the value that is resolved from the variable
given.
For example, if you provide a query expression as
${request.headers.myxpath} and the corresponding mask value as
${request.headers.var1} , and if the incoming request header myxpath is configured
with value //ns:cardNumber, then the card number derived from the payload is masked
with the header value in var1.
For details about the variables available in
webMethods API Gateway, see Variable Framework .
- Namespace. Specifies the following Namespace information:
- Namespace Prefix. The namespace prefix of the payload expression to be
validated.
- Namespace URI. The namespace URI of the payload expression to be
validated
Note: You can add multiple namespace prefix and URI by clicking the Add
button.
|
| JSONPath. This is applicable only for REST API. Specifies the masking criteria for JSONPath
expressions in the response messages. |
|
| Masking Criteria |
Click Add masking criteria and provide the following information and
click Add.
- Query expression. Specify the query expression that has to be masked or
filtered. For example: $.pet.details.status.
- Masking Type. Specifies the type of masking required. You select either
Mask or Filter. Selecting Mask
replaces the value with the given value (the default value being ********). Selecting
Filter removes the field completely.
- Mask Value Appears if Masking Type selected is
Mask. Provide a mask value. You can add multiple masking criteria.
As Query
expression and Mask Value properties support variable framework, you can use the available
variables.
In case of query expression, if you provide variable syntax, the JSONPath is
applied on the payload using the value that is resolved from the variable given.
For example,
if you provide a query expression as ${request.headers.myjsonpath} and the
corresponding mask value as ${request.headers.var1} , and if the incoming request
header myjsonpath is configured with value $.cardNumber, then the card number
derived from the payload is masked with the header value in var1.
For details
about the variables available in webMethods API Gateway, see Variable Framework
|
| Regex. Specifies the masking criteria for regular expressions in the request
messages. |
|
| Masking Criteria |
Click Add masking criteria and provide the following information and
click Add.
- Query expression. Specify the query expression that has to be masked or
filtered. For example: [0-9]+.
- Masking Type. Specifies the type of masking required. You select either
Mask or Filter. Selecting Mask
replaces the value with the given value (the default value being ********). Selecting
Filter removes the field completely.
- Mask Value Appears if Masking Type selected is
Mask. Provide a mask value. You can add multiple masking criteria.
As Query
expression and Mask Value properties support variable framework, you can use the available
variables.
In case of query expression, if you provide variable syntax, the regex is applied
on the payload using the value that is resolved from the variable given.
For example, if you
provide a query expression as ${request.headers.myregex} and the corresponding mask
value as ${request.headers.var1}, then the regex is applied using the value
configured in the incoming request header myregex and the derived value is masked with the header
value in var1.
For details about the variables available in webMethods API Gateway, see
Variable Framework .
|
| Apply for transaction Logging |
Select this option to apply masking criteria for transactional logs. When you select this
option the transactional log for the response is masked on top of response sent to the client.
|
| Apply for payload |
Select this option to apply masking criteria for payload in the following scenarios:
- Response received from the native service.
- Response sent to the client.
Note: When you select this option it automatically masks the data in the transactional
log.
|