Question

Field level auditing for passwords (or customizing audit message)

As described in the article: https://pdn.pega.com/sites/pdn.pega.com/files/help_v719/procomhelpmain.htm#howto/howto2/enablesecurityaudit.htm

you can customize the audit messages for changes, adds and deletions. However, there may be cases where it is necessary to have a property level message, which is not supported at the current time.

For example:

case (1): I need to track my user ID changes. With the existing approach, my audit message would be "Changed username from Jim to Bob" (as defined in the ChangeTrack_Change field value rule). --> works OK

case (2): I need to track my password changes. With the existing approach, my audit message would be "Changed password from {pr}123455 to {pr}abcdefg", which exposes sensitive data, as this is now part of a clear-text audit and can be decrypted. It would be a good idea to be able to specify in the data transform to NOT record previous / current values, and only indicate that the field was modified, where the message can be something like "Changed password".

It may be possible to add some flag at the data transform level, where the step may be something like: [SET] pyPassword -> {pr:ignoreValues}password

and within various Java functions (or something that is part of pzAddHistoryMemoForScalar) include a condition: if (ignoreValues == true), use the ChangeTrack_ChangeNoValues field value.

The same should apply to "Add" and "Remove" operations.

***Updated by moderator: Lochan to add enhancement request ID***

**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
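The behaviour the question asks for, as an added example that is not part of the original post or of Pega: a history-memo builder that picks a "no values" template for flagged or sensitive properties so the old and new passwords never reach the audit record. The `{pr:ignoreValues}` step prefix, the `ChangeTrack_*NoValues` templates and the `SENSITIVE_PROPERTIES` set are assumptions taken from the post's proposal, not existing Pega syntax or rules.

```python
import re
from typing import Optional, Tuple

# Constructed stand-ins for the ChangeTrack_* field value rules named in the post.
# The "NoValues" variants are the hypothetical additions the post proposes.
TEMPLATES = {
    ("Change", False): "Changed {prop} from {old} to {new}",  # ChangeTrack_Change
    ("Change", True):  "Changed {prop}",                       # ChangeTrack_ChangeNoValues
    ("Add", False):    "Added {prop} with value {new}",
    ("Add", True):     "Added {prop}",
    ("Remove", False): "Removed {prop} (was {old})",
    ("Remove", True):  "Removed {prop}",
}

# Properties whose values must never be written to history (assumed list).
SENSITIVE_PROPERTIES = {"pyPassword"}

# Hypothetical step syntax from the post: "{pr:ignoreValues}password".
_IGNORE_FLAG = re.compile(r"^\{pr:ignoreValues\}(.*)$")


def parse_step_source(source: str) -> Tuple[bool, str]:
    """Split a [SET] source expression into (ignore_values, value)."""
    m = _IGNORE_FLAG.match(source)
    return (True, m.group(1)) if m else (False, source)


def audit_memo(op: str, prop: str, old: Optional[str] = None,
               new: Optional[str] = None, ignore_values: bool = False) -> str:
    """Build the history memo, suppressing values for flagged or sensitive properties."""
    no_values = ignore_values or prop in SENSITIVE_PROPERTIES
    template = TEMPLATES[(op, no_values)]
    # Guard against a misconfigured "NoValues" template that still interpolates values.
    if no_values and ("{old}" in template or "{new}" in template):
        raise ValueError(f"no-values template for {op} would leak {prop}")
    return template.format(prop=prop, old=old, new=new)


def track_set(prop: str, old: Optional[str], source: str) -> str:
    """Apply a [SET] step and return the memo that would be written to history."""
    ignore, new = parse_step_source(source)
    return audit_memo("Change", prop, old, new, ignore_values=ignore)


if __name__ == "__main__":
    print(track_set("username", "Jim", "Bob"))                 # values recorded
    print(track_set("pyPassword", "123455", "abcdefg"))        # sensitive: no values
    print(track_set("JMSPassword", "old-pw", "{pr:ignoreValues}new-pw"))  # flagged
```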

Comments


Mod
February 26, 2018 - 5:22am

Thank you for submitting this product enhancement on PSC.

An enhancement request has been created on our internal portal. The request ID is attached to your post above (under Related Support Case Number field.)
Please refer this number to your Account Executive for next steps.

Regards,


Lochana | Community Moderator | Pegasystems Inc.

Pega
February 26, 2018 - 10:00am

You should not use field-level auditing to track password changes.  They are automatically tracked as events in the Security Events log.

February 26, 2018 - 1:13pm
Response to GUYOM

So where exactly should I configure tracking of changes to, for example, JMS Listener, requestor login credentials?  I've reviewed the Security Events configurator and it has no such option.  Adding a custom event requires adding a java step to an activity, so if you're asking to modify an OOB save activity(es), this will go against standard pega guardrails.  

I've additionally reviewed the security changes documentation and have added a custom Field Value (see attachment), which for some reason does not get utilized at runtime (maybe a defect?).

Pega
September 27, 2018 - 3:27pm
Response to EugeneR7

Sorry, thought you were talking about login credentials.  For other passwords like those in the JMS Listener, an enhancement to field-level auditing like you requested might be in order.

September 24, 2018 - 12:09am

Hi,

to some extent this post is similar to your post.