Restricting Access to Sensitive Data

To restrict access to sensitive data, mark the data as sensitive by setting the sensitive property to true. For statistics and events that have the sensitive property set to true, a user must have the solaris.sstore.read.sensitive authorization to read the data and the solaris.sstore.capture.sensitive authorization to capture the data. A user that has the solaris.sstore.read.sensitive authorization can export data values of any statistic in the statistics store. A user that has the solaris.sstore.capture.sensitive authorization can record data values of any statistic in the statistics store except statistics that are expensive to capture as described in Restricting Capture of Data that is Expensive to Capture.

To enable access by other users who need to read or record this data, specify an alternative authorization that is more targeted to this data, or specify particular users that are authorized to access this data.

To specify an alternative authorization that enables a user to access particular sensitive data, specify the sau_read_sensitive_auth property or the sau_capture_sensitive_auth property with the alternative authorization as the value. The value of these properties can be a list of authorizations.

To enable a specified user to access particular sensitive data even if the user has none of the required authorizations, specify the sau_read_sensitive_username property or the sau_capture_sensitive_username property with the user name as the value. The value of these properties can be a list of user names.

Note:

Even if you specify alternative authorizations or authorized users, you must still set the sensitive property to true.

Example 2-1 Specifying Which Users Can Read Particular Sensitive Data

The following partial metadata for a sensitive statistic enables the following users to export values of this statistic:

  • Any user that has the solaris.sstore.read.sensitive authorization

  • Any user that has the solaris.system.sysevent.read authorization

  • The authorizeduser1 user

  • The authorizeduser2 user

{
  "sensitive" : true,
  "sau_read_sensitive_auth" : "solaris.system.sysevent.read",
  "sau_read_sensitive_username" : ["authorizeduser1", "authorizeduser2"]
}

Example 2-2 Specifying Which Users Can Record Particular Sensitive Data

The following partial metadata for a sensitive statistic enables the following users to record values of this statistic:

  • Any user that has the solaris.sstore.capture.sensitive authorization

  • Any user that has the solaris.system.sysevent.write authorization

  • The authorizeduser1 user

{
  "sensitive" : true,
  "sau_capture_sensitive_auth" : "solaris.system.sysevent.write",
  "sau_capture_sensitive_username" : "authorizeduser1"
}
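The following Python sketch is an added example, not code from the statistics store or from this documentation. It models the access rules described in this section and flags metadata that sets an alternative authorization or user name without setting sensitive to true. The function names lint and allowed are hypothetical, list values are assumed to be JSON arrays, and the exception for statistics that are expensive to capture is not modeled.

```python
import json

# Global authorizations named in this section.
GLOBAL_AUTH = {"read": "solaris.sstore.read.sensitive",
               "capture": "solaris.sstore.capture.sensitive"}

def _as_list(value):
    """Accept one string or a list of strings (JSON array form is an assumption)."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint(meta):
    """Warn when sau_* properties are present but sensitive is not true (see the Note)."""
    sau = sorted(k for k in meta if k.startswith("sau_") and "_sensitive_" in k)
    if sau and meta.get("sensitive") is not True:
        return ["sensitive is not true but these are set: " + ", ".join(sau)]
    return []

def allowed(meta, action, username, user_auths):
    """Model of this section's rules: may username read or capture the statistic?"""
    if meta.get("sensitive") is not True:
        return True  # not marked sensitive: the sensitive-data checks do not apply
    # The global authorization always qualifies, plus any alternative authorizations.
    auths = {GLOBAL_AUTH[action], *_as_list(meta.get(f"sau_{action}_sensitive_auth"))}
    users = _as_list(meta.get(f"sau_{action}_sensitive_username"))
    return username in users or bool(auths & set(user_auths))

# Constructed sample: the metadata of Example 2-1, user names given as a JSON array.
EXAMPLE_2_1 = json.loads("""
{
  "sensitive" : true,
  "sau_read_sensitive_auth" : "solaris.system.sysevent.read",
  "sau_read_sensitive_username" : ["authorizeduser1", "authorizeduser2"]
}
""")

if __name__ == "__main__":
    # Constructed users: (user name, authorizations held by that user).
    for user, auths in [("authorizeduser2", []),
                        ("otheruser", ["solaris.system.sysevent.read"]),
                        ("otheruser", [])]:
        print(user, auths,
              "read:", allowed(EXAMPLE_2_1, "read", user, auths),
              "capture:", allowed(EXAMPLE_2_1, "capture", user, auths))
    # Metadata that names a user but omits the sensitive property.
    print(lint({"sau_read_sensitive_username": "authorizeduser1"}))
```

Note that the read properties in Example 2-1 grant nothing for capture: a user listed only in sau_read_sensitive_username still needs a capture authorization or a sau_capture_sensitive_username entry to record the statistic.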