Monitor Sensitive Data

By Sisense

Regulations in various countries require that each viewing of personally identifying information (PII), such as an address, full name, or ID, be logged and monitored for future audit.

This add-on enables the logging of information when any user views row-level data from specific tables and columns.

The log level can be set to record only the viewed field names, or the viewed field values as well.

The Monitoring Sensitive Data add-on consists of three components:

  1. Server-side microservice (Windows) or an external plugin (Linux): Creates a new POST logger REST API endpoint that logs data to the configured logs database.
  2. Client-side plugin: Notifies the user if sensitive PII is viewed.
  3. Server-side plugin: Intercepts JAQL requests to detect if sensitive PII is viewed.

Installation

Windows:

  1. Download and extract the add-on .zip file.
  2. Install the client-side plugin: Copy the folder ./monitoringSensitiveData into the Sisense plugins folder: C:\Program Files\Sisense\app\plugins
    • If the folder doesn’t exist, create it.
  3. Configure the client-side add-on as described below.
  4. Install the microservice: Run the PSE.Sisense.MonitoringSensitiveData.msi installer from the archive file.
  5. Configure the microservice as described below.
  6. Restart the Windows service Sisense.MonitoringSensitiveData to apply configuration changes.
  7. Install the Server-side plugin: Go to http://localhost:3030/ to open System Configuration.
    1. Click the Sisense top left logo five times to view advanced configurations.
    2. Click the api-gateway section.
    3. Under ServerSidePlugins, enable the server-side plugins.
    4. Locate the ./monitorSensativeDataInterceptors folder under serverSidePlugins.dirPath.
    5. Click Save Changes.
  8. Configure the server-side plugin as described below.
  9. Restart the API-Gateway service by clicking Restart Services.
  10. Refresh the dashboard.

Linux:

  1. Download the add-on.
  2. Install the client-side plugin: Copy the folder ./monitoringSensitiveData into the plugins folder /opt/sisense/storage/plugins/.
    • If the folder doesn’t exist, create it.
  3. Configure the client-side add-on as described below.
  4. Restart the plugins pod to apply configuration changes.
  5. Install the external-plugin: Copy the external plugin files from ./monitoringSensitiveDataService/src/features/monitoringSensitiveData folder into /opt/sisense/storage/external-plugins/apiPlugins/plugins/.
  6. Place the ./plugin/node_modules folder from the archive folder into /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/
  7. Configure the external-plugin as described below.
  8. Restart the external-plugins pod to apply configuration changes.
  9. Install the server-side add-on: Copy the folder ./monitorSensativeDataInterceptors into /opt/sisense/storage/serverSidePlugins.
  10. Enable the server-side plugins:
    1. From the Admin tab, click System Management and then Configuration.
    2. Click the Sisense top left logo five times to view advanced configurations.
    3. Click the api-gateway section.
    4. Under ServerSidePlugins, enable the server-side plugins.
    5. Click Save Changes.
  11. Configure the server-side plugin as described below.
  12. Restart the api-gateway pod.
  13. Refresh the dashboard.

Configuration

Configuring the client-side add-on:

The configuration file is located under ./plugins/monitoringSensitiveData/config.js
Configure sensitiveDataConf to set the text presented to the user when viewing sensitive PII.

Configuration file example:

  • message: The message presented when the user navigates to a dashboard that contains sensitive PII.
  • dismiss: Dismiss sensitive data popup button text.
  • doNotShowAgain: “Do not show again” sensitive data popup button text.
  • linkUrl: URL to redirect to when clicking the link button (More details).
  • linkName: Link button name (More details).
  • allowLink: true/false, to show or hide the link.
  • allowDoNotShowAgain: true/false. Set to true to permanently present the dismiss sensitive data viewed popup.
  • show: true/false. Set to true to enable the sensitive data viewed popup.

Configuring the Server-side plugin:

The Configuration file location is:

Windows: C:/Program Files/Sisense/app/monitoringSensitiveDataService/config.js

Linux: /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/config.js

In the server-side configuration file, you can configure which data is considered sensitive PII, and which actions should be logged:

  • dataForLogs: A list of all columns or tables that are considered sensitive PII and should be logged by their names
  • dataDims: A list of all columns that are considered sensitive PII and should be logged by their value.
  • monitoredActions: A list of user actions that should be logged in case of viewing sensitive PII.
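A sketch of the detection step these three settings drive, added here as an illustration and not taken from the Sisense add-on: it matches the dimensions of a JAQL-style request against dataForLogs and dataDims and builds the audit entry. The value shapes of the config keys, the action names, the request and row layout, and the function names are all assumptions.

```javascript
// Added illustration, not Sisense code. Key names come from the page; the value
// shapes ("Table" or "Table.Column" strings) and action names are assumptions.
const config = {
  dataForLogs: ['Customers', 'Orders.ShippingAddress'], // logged by name only
  dataDims: ['Customers.NationalId'],                   // logged by name and value
  monitoredActions: ['viewWidget', 'exportExcel'],      // hypothetical action names
};

// Normalize "[Customers.Full Name]" to { table: "customers", column: "full name" }.
function parseDim(dim) {
  const m = /^\[?([^.\]]+)\.([^\]]+?)\]?$/.exec(String(dim).trim());
  return m ? { table: m[1].trim().toLowerCase(), column: m[2].trim().toLowerCase() } : null;
}

// True when a configured entry names the whole table or this exact column.
function matches(entries, ref) {
  return entries.some((e) => {
    const [t, c] = e.toLowerCase().split('.');
    return t === ref.table && (c === undefined || c === ref.column);
  });
}

// Build the audit entry for one request, or null when nothing should be logged.
// rows: result rows as arrays aligned with request.metadata order (assumed layout).
function auditEntry(cfg, user, action, request, rows = []) {
  if (!cfg.monitoredActions.includes(action)) return null;
  const fields = [];
  (request.metadata || []).forEach((item, i) => {
    const ref = item.jaql && parseDim(item.jaql.dim);
    if (!ref) return; // items without a plain dim are skipped in this sketch
    const byValue = matches(cfg.dataDims, ref);
    if (!byValue && !matches(cfg.dataForLogs, ref)) return;
    const field = { name: item.jaql.dim };
    if (byValue) field.values = rows.map((r) => r[i]); // values only for dataDims
    fields.push(field);
  });
  return fields.length ? { user, action, datasource: request.datasource, fields } : null;
}

// Constructed sample request and result rows.
const sample = { datasource: 'Sales', metadata: [
  { jaql: { dim: '[Customers.Full Name]' } },
  { jaql: { dim: '[Customers.NationalId]' } },
  { jaql: { dim: '[Orders.Total]', agg: 'sum' } },
] };
const sampleRows = [['Ann Lee', 'A123', 40], ['Bo Chen', 'B456', 15]];
console.log(JSON.stringify(auditEntry(config, 'alice', 'viewWidget', sample, sampleRows), null, 2));
```

Listing a column under dataDims copies its values into the log store, so in this sketch the log database then holds the same PII as the source table.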

Configuring the External-plugin/Microservice

The Configuration file location is:

Windows: C:/Program Files/Sisense/app/monitoringSensitiveDataService/config.js

Linux: /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/config.js

  • appConfig: Logger configuration.
    • activeLogger: The active database logger, which uses MSSQL or MongoDB.
    • loggerFilePath: The absolute path to the log file.
    • maxLogFileSize: The maximum size of the log file. When the file size exceeds this value, a new log file is created with the incremented suffix number.
    • maxLogFilesDaysLifeTime: The allowed storage time. The log files will be automatically removed after this time expires.
  • mongoConfig (optional): MongoDB configurations should be set in case the active log was set to MongoDB.
  • mssqlConfig (optional): MSSQL configurations should be set in case the active log was set to MSSQL.
    • sourceDB: The log database name. The database must be created.
    • sourceTable: The log table name. The table must be created.
    • connectionString: The MSSQL connection string.
    • encrypt: true/false. Defines if the connection will be encrypted.

Notes:

  • FieldToLog will be the actual name of the column from the ElastiCube. If there are multiple columns to log, they will all be specified in a table.
  • Dashboard ID instead of the dashboard name is logged when exporting to Excel.
  • Monitor Sensitive Data supports only MSSQL or MongoDB as logs databases.

This is a premium Sisense add-on. For pricing details, please get in touch with your CSM.

2021/02/05: Version 2.0.14: Support for version Linux L8.2.6 was added

2020/09/08: Version 2.0.7: A logger server-side component was added for security purposes. All logging of sensitive data is done on the server-side instead of the client-side.

4/8/2019: Issue fixed for conflict with background filters

25/8/2019: Solution was rewritten on NodeJS microservices. Added support for 7.4. The installation section was updated.

20/12/2019: Added compatibility with Sisense 8.1

14/01/2020: Added compatibility with Linux L8.1.0

24/02/2020

  • Added support of Windows 8.1.1
  • Fixed error in Admin Tab in case plugin is enabled.
  • Fixed error in console once user opens dashboard with data to log.
  • Fixed: View dashboard filter is not logged once user opens edit filter window.

22/4/2020: Added compatibility with Sisense 8.2

19/5/2020: Added compatibility with Sisense 8.2.1

16/6/2020: Added compatibility with Sisense 8.2.2

1/7/2020: Added compatibility with Sisense L8.0.5

28/7/2020: Added compatibility with Sisense 8.2.3

05/2/2021: Added compatibility with Sisense 8.2.0 – 8.2.5 and L8.2.6

10/4/2021: Added compatibility with Sisense L2021.1.1 and L2021.1.4
