PII Security Configuration Files
How PII security polices are implemented in a MarkLogic Data Hub application.
MarkLogic Data Hub implements PII security policies using the Element Level Security (ELS) feature of MarkLogic. ELS enables you to identify protected paths in XML and JSON documents and then impose tighter access controls to those paths than to the containing documents.
When you generate PII security configuration files, Data Hub generates the following types of configuration files:
- Protected path configuration for each PII property
- Allows only users with the pii-reader security role to read the values of PII properties.
- Stored in PROJECT_DIR/src/main/ml-config/security/protected-paths/.
- Query roleset
- Prevents users without the pii-reader role from seeing the protected content in response to a query or XPath expression.
- Stored in PROJECT_DIR/src/main/ml-config/security/query-rolesets/.
The pii-reader security role is predefined by MarkLogic.
A user with the pii-reader role can access PII data, only if granted read access to the document that contains the PII data.
Example: If you have a Customer
entity model that designates its address
property as PII, then Data Hub generates a protected path configuration:
{
"path-expression" : "/envelope/instance/Customer/address",
"path-namespace" : [ ],
"permission" : {
"role-name" : pii-reader,
"capability" : "read"
}
}
The path to the protected address
property corresponds to the layout of the harmonized Customer
instance:
{
"envelope": {
"headers": {},
"triples": [],
"instance": {
"Customer": {
...
"address": "100 Main Street, Hometown, USA"
}
"info": { ... }
}, ...
}
}
/envelope/instance/*
) only, not in the original data. For full protection, you must customize your code to exclude the original source node from your envelope or define additional protected paths for the PII in the original source node. See Generating a PII Security Configuration Artifact.To learn more about ELS, see Element Level Security in the MarkLogic Security Guide.