Custom ticket, asset, configuration item, issue or risk attributes can be marked as Protected, which means their content will be protected from unauthorized viewing. An attribute with the Protected flag is referred to as a Protected Custom Attribute or PCA. Once they have been configured, a TDNext user can only view a PCA if they have permission for that specific attribute, and every view and edit of the attribute is logged. In order to ensure PCAs remain secure, they are excluded from Reporting and the API, and they cannot be drivers for attribute dependencies.
Viewing Protected Custom Attributes
When a technician views an item with PCAs, they will see each attribute’s value hidden by an eye icon (). When the technician clicks on the eye, if they are in a group with permission, the value will display. When they view an attribute, a log entry is created with who viewed the attribute, which attribute they saw, the value at the time, and their IP address. This log entry is kept separate within TDAdmin.
Technicians without permission to the PCA will not see the eye icon, so they cannot view the attribute. If the attribute is partially masked (see below), they will be able to see the unmasked part. Otherwise, the entire attribute will be hidden from them.
Note: Global TDX Admins have the ability to view PCA values if they have the Can Create/Modify Attribute Protections permission checked on their admin profile. Grant permissions accordingly!
Changing Protected Custom Attributes
When a technician edits or updates a work item with PCAs, the protected attribute fields will still be hidden, the same as when viewing the details page. Once they view the attribute, it will display in an editable field, and an update can be made. If an update is made, two log entries will be created; one for viewing the attribute, and another for changing it.
Partial Masking
PCAs can be configured to show partial values, such as masking all but the final 4 digits of a Social Security Number. This can allow some users to view only the unmasked part, and others to view the whole value.
PIN Authentication
PCAs can also be further protected with PIN authentication. This will require the user to validate that they are the correct person by entering their PIN before they can view a custom attribute. If a user forgets their PIN, an administrator can reset it for them using the Reset PIN option in the Actions menu on their user.
Video Overview
This video guide describes the steps required in order to set up a Protected Custom Attribute (PCA). Before we begin, you should be aware of the following security driven limitations on PCAs.
- PCAs cannot be included in Reports or Desktops.
- PCAs cannot be included as search filters.
- PCAs cannot be the driver for an attribute dependency.
- PCAs are excluded from the TDWebAPI.
- PCAs are excluded from Notifications.
- Changes to PCAs are not logged in the feed. If only PCAs change as part of an edit, the feed entry will read “Edited this [item].”
- Only new custom attributes can be protected and protected attributes cannot be un-protected.
- PCAs cannot be added in Ticket Template.