Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
Sensitive Attributes provide a means of declaring one or more attributes to contain sensitive data so that the server can enforce additional protection for operations attempting to interact with them.
Access control and other forms of protection in the server will still be enforced, so this configuration may be used to prevent access that would otherwise be allowed, but it cannot grant access that would not otherwise be available.
Support for different sensitive attributes per client requires the use of multiple Client Connection Policies on the Directory Server with different sensitive attribute configurations. Similar policies with the same name must be configured on the Directory Proxy Server. When a client request is processed by a Directory Proxy Server, the request forwarded to the Directory Server includes the name of the policy associated with the original client connection (provided the forward-to-backend-server property is set to true in the Directory Proxy Server configuration for the policy). The Directory Server looks for a policy in its own configuration with the same name as the one associated with the client connection in the Directory Proxy Server, and uses this policy rather than the one associated with the Directory Proxy Server's connection to the Directory Server.
The following components have a direct aggregation relation to Sensitive Attributes:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| attribute-type | |
| include-default-sensitive-operational-attributes | |
| allow-in-returned-entries | |
| allow-in-filter | |
| allow-in-add | |
| allow-in-compare | |
| allow-in-modify |
| Description | A description for this Sensitive Attribute |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The name(s) or OID(s) of the attribute types for attributes whose values may be considered sensitive. |
| Default Value | None |
| Allowed Values | The name or OID of an attribute type defined in the server schema. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
include-default-sensitive-operational-attributes
| Description | Indicates whether to automatically include any server-generated operational attributes that may contain sensitive data. At present, this includes the ds-sync-hist operational attribute, which is used to contain historical information for replication conflict resolution, and may include former values for any attribute in the entry. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether sensitive attributes should be included in entries returned to the client. This includes not only search result entries, but also other forms including in the values of controls like the pre-read, post-read, get authorization entry, and LDAP join response controls. |
| Default Value | secure-only |
| Allowed Values | allow - Sensitive attributes may be returned over both secure and insecure connections. suppress - Sensitive attributes will be excluded from entries returned, regardless of whether the client is using a secure or insecure connection. secure-only - Sensitive attributes may be returned only over a secure connection, but will be excluded from entries returned over an insecure connection. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether clients will be allowed to include sensitive attributes in search filters. This also includes filters that may be used in other forms, including assertion and LDAP join request controls. |
| Default Value | secure-only |
| Allowed Values | allow - Requests including sensitive attributes in a filter will be allowed over both secure and insecure connections. reject - Requests including sensitive attributes in a filter will be rejected over both secure and insecure connections. secure-only - Requests including sensitive attributes in a filter will be allowed over secure connections but rejected over insecure connections. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether clients will be allowed to include sensitive attributes in add requests. |
| Default Value | secure-only |
| Allowed Values | allow - Add requests including sensitive attributes will be allowed over both secure and insecure connections. reject - Add requests including sensitive attributes will be rejected over both secure and insecure connections. secure-only - Add requests including sensitive attributes will be allowed over secure connections but rejected over insecure connections. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether clients will be allowed to target sensitive attributes with compare requests. |
| Default Value | secure-only |
| Allowed Values | allow - Compare requests targeting sensitive attributes will be allowed over both secure and insecure connections. reject - Compare requests targeting sensitive attributes will be rejected over both secure and insecure connections. secure-only - Compare requests targeting sensitive attributes will be allowed over secure connections but rejected over insecure connections. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether clients will be allowed to target sensitive attributes with modify requests. |
| Default Value | secure-only |
| Allowed Values | allow - Modify requests targeting sensitive attributes will be allowed over both secure and insecure connections. reject - Modify requests targeting sensitive attributes will be rejected over both secure and insecure connections. secure-only - Modify requests targeting sensitive attributes will be allowed over secure connections but rejected over insecure connections. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Sensitive Attributes:
dsconfig list-sensitive-attributes
[--property {propertyName}] ...
To view the configuration for an existing Sensitive Attribute:
dsconfig get-sensitive-attribute-prop
--attribute-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Sensitive Attribute:
dsconfig set-sensitive-attribute-prop
--attribute-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Sensitive Attribute:
dsconfig create-sensitive-attribute
--attribute-name {name}
--set attribute-type:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Sensitive Attribute:
dsconfig delete-sensitive-attribute
--attribute-name {name}