Can we Mask Data of ServiceCallout.response?

ghassanbarghout · 10-07-2020 07:34 AM

Is it possible to mask tracing data in ServiceCallout.response? For example the returned email in the screenshot

dchiesa1

I think so, Have you tried setting the JSONPathsResponse in maskconfigs with the correct jsonpath ?

Show the maskconfigs you tried.

ghassanbarghout

Thanks for the reply. I think I tried. Here is my XML

<MaskDataConfiguration name="default">
	<JSONPathsResponse>
        	<JSONPathResponse>$.email</JSONPathResponse>
    	</JSONPathsResponse>
</MaskDataConfiguration>

kurtkanaskie

You need to use a variable in your mask config.

{
    "name": "default",
    "variables": [
        "ServiceCallout.response"
    ]
}

ghassanbarghout

Thank you for your answer.

This does work, however it's a little inconvenient. Especially if you need to apply it on an organizational level. Not all the data in the service response is sensitive, and not every service response contains sensitive data. You'd lose important tracing information if you did it like this. Is there no other way?

kurtkanaskie

Yes, you can create the mask config on the API proxy level, for example on a specific proxy.

The mask configs at the proxy level supersede the org level.

Don't forget to stop and start Trace after each config change.

Docs: https://docs.apigee.com/api-platform/security/data-masking#maskingsensitivedata-maskconfigurationapi