About Data Masking
Data Masking lets you define rules that hide or redact categories of sensitive information from users who don't have a specific need to view it.
Cloud Guard applies the masking rules to sensitive information that would otherwise be displayed on the Problems page, in the problem details and history.
Overview
Different countries have different requirements as to how tightly access to sensitive information must be restricted. You are legally required to comply with the national requirements on data privacy for the country where Cloud Guard's reporting region is hosted. To look up the reporting region, see Viewing the Reporting Region.
The Cloud Guard reporting region is NOT the same thing as the OCI home region.
Data masking allows you to selectively redact sensitive problem information for unauthorized users. The objective is to restrict different categories of information to viewing only by users whose job function requires them to view that type of information. Each data masking rule specifies categories of sensitive problem information that are to be redacted for:
- A particular IAM user group,
- in a specified combination of Cloud Guard targets.
And you can apply data masking rules at two levels:
- Global - rules apply globally to your entire OCI tenancy.
- Target - rules apply only to specified Cloud Guard targets.
Best practice is to define masking rules at different levels like this:
- Target - rules that have the highest precedence. Set up the IAM groups of admin users that you want to allow to view different categories of sensitive information at this level, and redact only those categories that users' job functions in different groups don't require them to view.
- Global - rules that have the lowest precedence. Consider redacting all sensitive problem information at this level.
How you apply data masking rules at the different levels is detailed in Creating a Data Masking Rule.
How Conflicting Masking Rules at Same Level Are Resolved
You can be certain that a particular user belongs to multiple groups. And you can expect that two or more of those groups might have masking rules with conflicting settings for what's redacted for those groups.
Same Level Conflict: A conflict between rules at the same level (global, target) arises when the same user belongs to two groups, and masking rules defined at the same level for those groups redact categories differently: one group's rule redacts a category of sensitive information, and other group's rule doesn't. Whenever this type of conflict occurs, the more restrictive rule takes precedence and the category for that user is redacted.
How Conflicting Masking Rules at Different Levels Are Resolved
The intent of the data masking design is to allow you to create data masking rules at a lower level that override the rules at a higher level. So, at the global level, you might: specify in rules that all sensitive information id to be redacted for all users; then, at lower levels, specify that selected categories not be redacted for selected users.
Different Level Conflict: A conflict between rules at different levels (global, service type, target) arises when the same user belongs to two groups, and masking rules defined at different levels for those groups redact categories differently – one group redacts a category of sensitive information, and other doesn't. Whenever this type of conflict occurs, the rule assigned to the group at the lower level takes precedence – whether the category is redacted depends on the rule for the group at the lower level.
Data masking rule conflicts at the same-level are resolved before conflicts at different levels.