PII Security Configuration Files

How PII security polices are implemented in a MarkLogic Data Hub application.

Note: You do not need to understand these details to use the feature. You might find them useful for debugging or when integrating PII protection into a larger security model.

MarkLogic Data Hub implements PII security policies using the Element Level Security (ELS) feature of MarkLogic. ELS enables you to identify protected paths in XML and JSON documents and then impose tighter access controls to those paths than to the containing documents.

When you generate PII security configuration files, Data Hub generates the following types of configuration files:

  • Protected path configuration for each PII property
    • Allows only users with the pii-reader security role to read the values of PII properties.
    • Stored in PROJECT_DIR/src/main/ml-config/security/protected-paths/.
  • Query roleset
    • Prevents users without the pii-reader role from seeing the protected content in response to a query or XPath expression.
    • Stored in PROJECT_DIR/src/main/ml-config/security/query-rolesets/.

The pii-reader security role is predefined by MarkLogic.

A user with the pii-reader role can access PII data, only if granted read access to the document that contains the PII data.

Example: If you have a Customer entity model that designates its address property as PII, then Data Hub generates a protected path configuration:

 {
  "path-expression" : "/envelope/instance/Customer/address",
  "path-namespace" : [ ],
  "permission" : {
    "role-name" : pii-reader,
    "capability" : "read"
  }
}
The path to the protected address property corresponds to the layout of the harmonized Customer instance:
 {
  "envelope": {
    "headers": {},
    "triples": [],
    "instance": {
      "Customer": {
        ...
        "address": "100 Main Street, Hometown, USA"
      }
      "info": { ... }
    }, ...
  }
}
Important: By default, a harmonized instance includes the original source document. The PII security configuration generated by Data Hub protects the PII in the instance node (/envelope/instance/*) only, not in the original data. For full protection, you must customize your code to exclude the original source node from your envelope or define additional protected paths for the PII in the original source node. See Generating a PII Security Configuration Artifact.

To learn more about ELS, see Element Level Security in the MarkLogic Security Guide.