Why does data masking at proxy level disable masking at org level?

While experimenting with Data Masking at org and proxy level, I noticed that when I specify a data mask at my proxy level, the org level mask no longer works. Docs imply I can set both. I've seen the tidbits here.

I'm masking header params. If I set this mask for org:

POST {{MGMTSVR}}/v1/o/{{ORG}}/maskconfigs

<MaskDataConfiguration name="default">
  <Variables>
	<Variable>request.header.specialKey</Variable>
  </Variables>
</MaskDataConfiguration>

I see specialKey is masked in trace.

However, when I add this mask at the proxy level:

POST {{MGMTSVR}}/v1/o/{{ORG}}/apis/helloworld-v1/maskconfigs

<MaskDataConfiguration name="default">
  <Variables>
	<Variable>request.header.specialId</Variable>
  </Variables>
</MaskDataConfiguration>

I see that specialId is masked but specialKey is no longer masked.

Bug or by design?

If by design, docs should be updated @wwitman.

Solved Solved
1 4 278
1 ACCEPTED SOLUTION

adas
Participant V

@Kurt Kanaskie Its by design. While retrieving the masks for a given proxy, we don't combine all the applicable masks. What I mean by that is this: if the org level mask says mask variable "v1" and the proxy level mask says mask variable "v2" we would only mask "v2" since that's the hierarchy. You are expecting both v1 and v2 to be masked. That's not how its designed.

If a specific mask configuration (proxy level) is found, it is applied else the global (org level) mask is applied. This is as per design.

View solution in original post

4 REPLIES 4

@Kurt Kanaskie -- thanks for the heads up. I'll investigate and straighten out the doc as needed.

adas
Participant V

@Kurt Kanaskie Its by design. While retrieving the masks for a given proxy, we don't combine all the applicable masks. What I mean by that is this: if the org level mask says mask variable "v1" and the proxy level mask says mask variable "v2" we would only mask "v2" since that's the hierarchy. You are expecting both v1 and v2 to be masked. That's not how its designed.

If a specific mask configuration (proxy level) is found, it is applied else the global (org level) mask is applied. This is as per design.

OK, I understand, thanks for clarifying. I think we should update the docs to reflect this @wwitman.

Thanks!

I just want to mention that it is still not mentioned in documents that the masks does not works as someone might think they should.