Monitor Sensitive Data

The Monitoring Sensitive Data add-on consists of three components:

1. Server-side microservice (Windows) or an external plugin (Linux): Creates a new POST logger REST API endpoint that logs data to the configured logs database.
   
2. Client-side plugin: Notifies the user if sensitive PII is viewed.
3. Server-side plugin: Intercepts JAQL requests to detect if sensitive PII is viewed.

Installation

Windows:

1. Download and extract the add-on .zip file.
2. Install the client-side plugin: Copy the folder ./monitoringSensitiveData into the Sisense plugins folder: C:\Program Files\Sisense\app\plugins
   • If the folder doesn’t exist, create it.
3. Configure the client-side add-on as described below.
4. Install the microservice: Run the PSE.Sisense.MonitoringSensitiveData.msi installer from the archive file.
5. Configure the microservice as described below.
6. Restart the windows service Sisense.MonitoringSensitiveData to apply configuration changes.
7. Install the Server-side plugin: Go to http://localhost:3030/ to open System Configuration.
   1. Click the Sisense top left logo five times to view advanced configurations.
      
   2. Click the api-gateway section.
   3. Under ServerSidePlugins, enable the server-side plugins.
   4. Locate the ./monitorSensativeDataInterceptors folder under serverSidePlugins.dirPath.
   5. Click  Save Changes.
8. Configure the server-side plugin as described below.
9. Restart the API-Gateway service by clicking Restart Services.
   
10. Refresh the dashboard.

Linux:

1. Download the add-on.
2. Install the client-side plugin: Copy the folder ./monitoringSensitiveData into the plugins folder /opt/sisense/storage/plugins/.
   • If the folder doesn’t exist, create it.
3. Configure the client-side add-on as described below.
4. Restart the plugins pod to apply configuration changes.
5. Install the external-plugin: Copy the external plugin files from ./monitoringSensitiveDataService/src/features/monitoringSensitiveData folder into /opt/sisense/storage/external-plugins/apiPlugins/plugins/.
6. Place the ./plugin/node_modules folder from the archive folder into /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/
7. Configure the external-plugin as described below.
8. Restart the external-plugins pod to apply configuration changes.
9. Install the server-side add-on: Copy the folder ./monitorSensativeDataInterceptors into /opt/sisense/storage/serverSidePlugins.
10. Enable the server-side plugins:
    1. From the Admin tab, click System Management and then Configuration.
       
    2. Click the Sisense top left logo five times to view advanced configurations.
       
    3. Click the api-gateway section.
    4. Under ServerSidePlugins, enable the  server-side plugins.
    5. Click Save Changes.
11. Configure the server-side, as described below.
12. Restart the api-gateway pod.
13. Refresh the dashboard.

Configuration

Configuring the client-side add-on:

The configuration file is located under ./plugins/monitoringSensitiveData/config.js
Configure sensitiveDataConf to set the text presented to the user when viewing sensitive PII.

Configuration file example:

• message The message presented when the user navigates to a dashboard that contains sensitive PII
• dismiss  Dismiss sensitive data popup button text
• doNotShowAgain  “Do not show again” sensitive data popup button text
• linkUrl  URL to redirect to when clicking the link button (More details)
• linkName Link button name (More details)
• allowLink  true/false, to show or hide the link
• allowDoNotShowAgain  true/false. Set to true to permanently present the dismiss sensitive data viewed popup
• show true/false. Set to true to enable the sensitive data viewed popup

Configuring the Server-side plugin:

The Configuration file location is:

Windows: C:/Program Files/Sisense/app/monitoringSensitiveDataService/config.js

Linux: /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/config.js

In the server-side configuration file, you can configure which data is considered sensitive PII, and which actions should be logged:

• dataForLogs: A list of all columns or tables that are considered sensitive PII and should be logged by their names
• dataDims: A list of all columns that are considered sensitive PII and should be logged by their value.
• monitoredActions: A list of user actions that should be logged in case of viewing sensitive PII.

Configuring the External-plugin/Microservice

The Configuration file location is :

Windows: C:/Program Files/Sisense/app/monitoringSensitiveDataService/config.js

Linux: /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/config.js

• appConfig logger configuration
  • activeLogger: The active database logger, which uses MSSQL or MongoDB.
  • loggerFilePath: The absolute path to the log file.
  • maxLogFileSize: The maximum size of the log file. When the file size exceeds this value, a new log file is created with the incremented suffix number.
  • maxLogFilesDaysLifeTime: The allowed storage time. The log files will be automatically removed after this time expires.
• mongoConfig (optional): MongoDB configurations should be set in case the active log was set to mongodb
  • sourceDB: The log database name. The database must be created.
  • sourceTable. The log table name. The table will be created automatically if it does not already exist.
    
  • connectionString: The MongoDB connection string. Use the following guide to create a user for Sisense MongoDB authentication: https://documentation.sisense.com/latest/administration/application-database/access-sisense-application-database.htm
• mssqlConfig (optional). MSSQL configurations should be set in case the active log was set to MSSQL.
  • sourceDB: The log database name.  The database must be created.
  • sourceTable: The log table name. The table must be created.
    
  • connectionString: The MSSQL connection string.
  • encrypt true/false. Defines if the connection will be encrypted.

Notes:

• FieldToLog will be the actual name of the column from the ElastiCube. If there are multiple columns to log, they will all be specified in a table.
• Dashboard ID instead of the dashboard name is logged when exporting to Excel.
• Monitor Sensitive data supports only MSSQL or MongoDB as logs databases.

2021/02/05: Version 2.0.14: Support for version Linux L8.2.6 was added

2020/09/08: Version 2.0.7: A logger server-side component was added for security purposes. All logging of sensitive data is done on the server-side instead of the client-side.

4/8/2019: Issue fixed for conflict with background filters

25/8/2019: Solution was rewritten on NodeJS microservices. Added support for 7.4. The installation section was updated.

20/12/2019: Added compatibility with Sisense 8.1

14/01/2020: Added compatibility with Linux L8.1.0

24/02/2020

• Added support of Windows 8.1.1
• Fixed error in Admin Tab in case plugin is enabled.
• Fixed error in console once user opens dashboard with data to log.
• Fixed : View dashboard filter is not logged once user opens edit filter window.

22/4/2020: Added compatibility with Sisense 8.2

19/5/2020: Added compatibility with Sisense 8.2.1

16/6/2020: Added compatibility with Sisense 8.2.2

1/7/2020: Added compatibility with Sisense L8.0.5

28/7/2020: Added compatibility with Sisense 8.2.3

05/2/2021: Added compatibility with Sisense 8.2.0 – 8.2.5 and L8.2.6

10/4/2021: Added compatibility with Sisense L2021.1.1 and L2021.1.4

10/4/2021: Added compatibility with Sisense L2021.1.1 and L2021.1.4

18/5/2021: Fixed issue with missing logs in specific cases

22/7/2021: Added compatibility with Sisense 2021.6