Sensitive Attribute

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Sensitive Attributes provide a means of declaring one or more attributes to contain sensitive data so that the server can enforce additional protection for operations attempting to interact with them.

Access control and the server's other protection mechanisms are still enforced independently of this configuration. A Sensitive Attribute can therefore only restrict access that would otherwise be allowed; it can never grant access that access control or another mechanism would deny.

Using different sensitive attribute settings for different clients requires multiple Client Connection Policies on the Directory Server, each with its own sensitive attribute configuration. Policies with the same names must also be configured on the Directory Proxy Server. When the Directory Proxy Server processes a client request, the request it forwards to the Directory Server carries the name of the policy associated with the original client connection (provided that the policy's forward-to-backend-server property is set to true in the Directory Proxy Server configuration). The Directory Server then looks up the policy with that name in its own configuration and applies it instead of the policy associated with the Directory Proxy Server's own connection to the Directory Server.


Relations to This Component

The following components have a direct aggregation relation to Sensitive Attributes:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 attribute-type
 include-default-sensitive-operational-attributes
 allow-in-returned-entries
 allow-in-filter
 allow-in-add
 allow-in-compare
 allow-in-modify

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Sensitive Attribute
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

attribute-type

Description
The name(s) or OID(s) of the attribute types for attributes whose values may be considered sensitive.
Default Value
None
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

include-default-sensitive-operational-attributes

Description
Indicates whether to automatically include any server-generated operational attributes that may contain sensitive data. At present, this includes the ds-sync-hist operational attribute, which is used to contain historical information for replication conflict resolution, and may include former values for any attribute in the entry.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-in-returned-entries

Description
Indicates whether sensitive attributes should be included in entries returned to the client. This covers not only search result entries but also entries carried in the values of response controls, including the pre-read, post-read, get authorization entry, and LDAP join response controls.
Default Value
secure-only
Allowed Values
allow - Sensitive attributes may be returned over both secure and insecure connections.

suppress - Sensitive attributes will be excluded from entries returned, regardless of whether the client is using a secure or insecure connection.

secure-only - Sensitive attributes may be returned only over a secure connection, but will be excluded from entries returned over an insecure connection.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-in-filter

Description
Indicates whether clients will be allowed to include sensitive attributes in search filters. This also applies to filters carried in request controls, such as the assertion and LDAP join request controls.
Default Value
secure-only
Allowed Values
allow - Requests including sensitive attributes in a filter will be allowed over both secure and insecure connections.

reject - Requests including sensitive attributes in a filter will be rejected over both secure and insecure connections.

secure-only - Requests including sensitive attributes in a filter will be allowed over secure connections but rejected over insecure connections.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-in-add

Description
Indicates whether clients will be allowed to include sensitive attributes in add requests.
Default Value
secure-only
Allowed Values
allow - Add requests including sensitive attributes will be allowed over both secure and insecure connections.

reject - Add requests including sensitive attributes will be rejected over both secure and insecure connections.

secure-only - Add requests including sensitive attributes will be allowed over secure connections but rejected over insecure connections.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-in-compare

Description
Indicates whether clients will be allowed to target sensitive attributes with compare requests.
Default Value
secure-only
Allowed Values
allow - Compare requests targeting sensitive attributes will be allowed over both secure and insecure connections.

reject - Compare requests targeting sensitive attributes will be rejected over both secure and insecure connections.

secure-only - Compare requests targeting sensitive attributes will be allowed over secure connections but rejected over insecure connections.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-in-modify

Description
Indicates whether clients will be allowed to target sensitive attributes with modify requests.
Default Value
secure-only
Allowed Values
allow - Modify requests targeting sensitive attributes will be allowed over both secure and insecure connections.

reject - Modify requests targeting sensitive attributes will be rejected over both secure and insecure connections.

secure-only - Modify requests targeting sensitive attributes will be allowed over secure connections but rejected over insecure connections.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
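The properties above interact in a way that is easy to misread: the per-operation settings decide whether a request is rejected or an attribute is dropped, the connection's security decides how secure-only resolves, and include-default-sensitive-operational-attributes silently extends the protected set to ds-sync-hist. The following is an added example written for this page, not code from the Directory Server or Ping Identity: a small Python model of that evaluation. The attribute name socialSecurityNumber, the acl_readable set standing in for the server's own access control evaluation, the sample entry and the placeholder ds-sync-hist value are all constructed for illustration.

```python
"""Model of how a Sensitive Attribute definition gates LDAP operations.

Added example, not Directory Server code: it re-implements the property
semantics documented above (allow / reject / suppress / secure-only per
operation, connection security, default ds-sync-hist coverage, and the
rule that sensitive attributes can only narrow what access control already
permits) so they can be exercised offline. All names and data are constructed.
"""
from dataclasses import dataclass

# Operational attribute covered when
# include-default-sensitive-operational-attributes is true.
DS_SYNC_HIST = "ds-sync-hist"

RETURN_SETTINGS = {"allow", "suppress", "secure-only"}
REQUEST_SETTINGS = {"allow", "reject", "secure-only"}


@dataclass(frozen=True)
class SensitiveAttribute:
    attribute_type: frozenset            # lowercase attribute names or OIDs
    include_default_sensitive_operational_attributes: bool = True
    allow_in_returned_entries: str = "secure-only"
    allow_in_filter: str = "secure-only"
    allow_in_add: str = "secure-only"
    allow_in_compare: str = "secure-only"
    allow_in_modify: str = "secure-only"

    def __post_init__(self):
        # Reject values the documented property does not accept
        # (e.g. "suppress" only exists for allow-in-returned-entries).
        if self.allow_in_returned_entries not in RETURN_SETTINGS:
            raise ValueError("allow-in-returned-entries: " + self.allow_in_returned_entries)
        for setting in (self.allow_in_filter, self.allow_in_add,
                        self.allow_in_compare, self.allow_in_modify):
            if setting not in REQUEST_SETTINGS:
                raise ValueError("unsupported request setting: " + setting)

    def covers(self, attribute: str) -> bool:
        """True if the attribute (options such as ;binary ignored) is sensitive."""
        name = attribute.split(";", 1)[0].lower()
        if name in self.attribute_type:
            return True
        return (self.include_default_sensitive_operational_attributes
                and name == DS_SYNC_HIST)


def _permitted(setting: str, secure: bool) -> bool:
    """Resolve one allow / reject|suppress / secure-only setting for a connection."""
    if setting == "allow":
        return True
    if setting == "secure-only":
        return secure
    return False  # reject or suppress


def blocked_attributes(policy, operation, attributes, secure):
    """Return the attributes that cause `operation` to be rejected ([] if allowed).

    operation is "filter", "add", "compare" or "modify"; attributes are the
    attribute types the request touches (filter components, add/modify
    attributes, or the compare target). A request that touches no sensitive
    attribute is never blocked by this rule, whatever the setting.
    """
    setting = {
        "filter": policy.allow_in_filter,
        "add": policy.allow_in_add,
        "compare": policy.allow_in_compare,
        "modify": policy.allow_in_modify,
    }[operation]
    if _permitted(setting, secure):
        return []
    return sorted({a for a in attributes if policy.covers(a)})


def returned_entry(policy, entry, secure, acl_readable):
    """Apply access control first, then the allow-in-returned-entries rule.

    acl_readable is the set of lowercase attribute names the requester's
    access control already lets it read (a constructed stand-in for the
    server's ACI evaluation). The sensitive-attribute setting can only remove
    attributes from that set, never add to it.
    """
    visible = {k: v for k, v in entry.items() if k.lower() in acl_readable}
    if _permitted(policy.allow_in_returned_entries, secure):
        return visible
    return {k: v for k, v in visible.items() if not policy.covers(k)}


# Constructed sample: a policy that never returns, searches or compares the
# hypothetical socialSecurityNumber attribute but keeps the secure-only
# defaults for add and modify, and an entry that also carries replication
# conflict history in ds-sync-hist (value is a placeholder, not the real format).
SSN_POLICY = SensitiveAttribute(
    attribute_type=frozenset({"socialsecuritynumber"}),
    allow_in_returned_entries="suppress",
    allow_in_filter="reject",
    allow_in_compare="reject",
)

SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "socialSecurityNumber": ["000-00-0000"],
    "ds-sync-hist": ["placeholder-conflict-history-value"],
}
READER_ACL = {"uid", "cn", "socialsecuritynumber", "ds-sync-hist"}
```

Two checks worth running against the model: a filter on socialSecurityNumber is rejected even over TLS (reject ignores connection security), while a modify of the same attribute succeeds over TLS but not in the clear (secure-only). Note that with the default include-default-sensitive-operational-attributes:true, ds-sync-hist is suppressed and rejected exactly like the declared attribute, which matters because it may hold former values of it.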


dsconfig Usage

To list the configured Sensitive Attributes:

dsconfig list-sensitive-attributes
     [--property {propertyName}] ...

To view the configuration for an existing Sensitive Attribute:

dsconfig get-sensitive-attribute-prop
     --attribute-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Sensitive Attribute:

dsconfig set-sensitive-attribute-prop
     --attribute-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Sensitive Attribute:

dsconfig create-sensitive-attribute
     --attribute-name {name}
     --set attribute-type:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Sensitive Attribute:

dsconfig delete-sensitive-attribute
     --attribute-name {name}
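Putting the commands above together, here is an added example of creating and then reading back a locked-down Sensitive Attribute; it is a script written for this page, not part of the product. It assumes a Sensitive Attribute named ssn-protection, an attribute type socialSecurityNumber present in the server schema, dsconfig on PATH, and connection arguments (such as --hostname, --port, --bindDN and --bindPassword) supplied through a DSCONFIG_OPTS environment variable; the DRY_RUN switch and the run_dsconfig wrapper are conveniences of this script, not dsconfig features.

```sh
#!/bin/sh
# Added example (not from the product documentation): create and verify a
# Sensitive Attribute with the dsconfig subcommands listed above.
# Assumptions not stated on this page: attribute name "ssn-protection",
# schema attribute type "socialSecurityNumber", dsconfig on PATH, connection
# options passed via DSCONFIG_OPTS. With DRY_RUN=1 the commands are printed
# instead of executed so the intended configuration can be reviewed offline.
set -eu

run_dsconfig() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'dsconfig'
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        # DSCONFIG_OPTS is intentionally left unquoted so it word-splits
        # into separate connection arguments.
        # shellcheck disable=SC2086
        dsconfig ${DSCONFIG_OPTS:-} --no-prompt "$@"
    fi
}

# Lock the attribute down: never returned to clients (even over TLS), never
# usable in a filter or compare, and writable only over a secure connection
# (secure-only is the documented default for add and modify; it is set
# explicitly so the intent is visible in the script).
create_ssn_protection() {
    run_dsconfig create-sensitive-attribute \
        --attribute-name ssn-protection \
        --set attribute-type:socialSecurityNumber \
        --set allow-in-returned-entries:suppress \
        --set allow-in-filter:reject \
        --set allow-in-compare:reject \
        --set allow-in-add:secure-only \
        --set allow-in-modify:secure-only
}

# Read the effective configuration back in a form that is easy to diff or
# check in a pipeline; the default ds-sync-hist coverage should still show
# include-default-sensitive-operational-attributes as true.
verify_ssn_protection() {
    run_dsconfig get-sensitive-attribute-prop \
        --attribute-name ssn-protection \
        --script-friendly
}

# Usage: DRY_RUN=1 sh this-script.sh   (review)
#        DSCONFIG_OPTS='--hostname ds1 --port 636 --useSSL --bindDN "cn=Directory Manager"' sh this-script.sh
if [ "${0##*/}" != "sh" ] && [ "${SENSITIVE_ATTR_NO_MAIN:-0}" != "1" ] && [ "${DRY_RUN:-0}" = "1" ]; then
    create_ssn_protection
    verify_ssn_protection
fi
```

Because allow-in-filter:reject and allow-in-compare:reject apply regardless of connection security, a client cannot use repeated equality filters or compare requests to guess the value even over TLS; keep the add and modify settings at secure-only (or reject) rather than allow, or the value can still be written in the clear.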