Managing Protected Custom Attributes

Protected custom attributes (PCAs) allow administrators to secure sensitive data in TeamDynamix by controlling who can view and edit specific custom attributes on tickets, assets, configuration items, issues, or risks. This article covers what PCAs are, their limitations, and how to configure and manage them.

In this article, we'll cover:

What Are Protected Custom Attributes?

Custom attributes on tickets, assets, configuration items, issues, or risks can be marked as "Protected," which restricts their content from unauthorized viewing. When you enable the Protected flag on a custom attribute, it becomes a Protected Custom Attribute (PCA).

PCAs provide enhanced security through:

  • Permission-based visibility – Only users in authorized groups can view the attribute
  • Audit logging – Every view and edit is logged with timestamp, user, IP address, and value at time of access
  • Partial masking – Option to show only part of the value (e.g., last 4 digits of an SSN)
  • PIN authentication – Optional additional security requiring users to enter their PIN before viewing

Limitations

Before implementing PCAs, understand these security-driven restrictions:

Reporting and Analysis

  • PCAs cannot be included in Reports or Dashboards
  • PCAs cannot be used as search filters
  • PCAs are excluded from the TeamDynamix Web API

Configuration

  • PCAs cannot be the driver for attribute dependencies
  • Only new custom attributes can be protected; existing attributes cannot be converted to PCAs
  • Protected attributes cannot be unprotected once created
  • PCAs cannot be deleted once created

Operations

  • PCAs are excluded from email notifications
  • PCAs are excluded from AI Ticket Summaries
  • PCAs cannot be added to Ticket Templates
  • PCAs cannot be imported using ticket or asset import tools
  • Changes to PCAs are not shown in detail in the feed; updates only show "Edited this [item]"

How Users Interact with PCAs

Viewing Protected Attributes

When a technician views an item containing PCAs:

  • Each PCA value is hidden behind an eye icon
  • Clicking the eye icon reveals the value (if the user has permission)
  • The system logs the view event with user details, timestamp, IP address, and the value viewed
  • Users without permission will not see the eye icon at all

Editing Protected Attributes

When editing or updating items with PCAs:

  • Protected fields remain hidden until the user clicks the eye icon
  • After viewing, the field becomes editable
  • Making a change creates two log entries: one for viewing and one for editing
  • Users without permission cannot view or edit the attribute

Partial Masking

PCAs support partial masking to show limited information while keeping the full value protected. For example:

  • Show only the last 4 digits of a Social Security Number
  • Display the first letter of a sensitive code

When viewing items with PCAs:

  • Users without full permissions see only the unmasked portion
  • Users with full permissions see the complete value

PIN Authentication

For highly sensitive data, you can require PIN authentication:

  • Users must enter their PIN before viewing the attribute
  • This adds an extra verification layer beyond group membership
  • If a user forgets their PIN, an administrator can reset it via the user's Actions menu

Granting Global Admin Permissions

To configure protected custom attributes, a user must be an organization administrator.

To assign permission to configure PCAs:

  1. In TDAdmin, click the organization name at the very top of the left navigation (the item above "Organization Settings").
  2. Click the Administrators tab.
  3. Click the name of the user whose permissions need to be edited.
  4. Check the Can Create/Modify Attribute Protections checkbox.
  5. Click Save.

Creating a Protected Custom Attribute

PCAs can only be defined when creating a new attribute; existing attributes cannot be protected after the fact.

Note that once created, protected custom attributes cannot be deleted.

  1. In TDAdmin, navigate to the appropriate Attributes screen:
    • Tickets: Applications > [Ticketing App] > Attributes
    • Assets/CIs: Applications > [Asset App] > Asset Attributes or Configuration Item Attributes
    • Issues: Projects > Issue Attributes
    • Risks: Projects > Risk Attributes
  2. On the Attributes screen, click +New.
  3. Fill in the standard attribute fields (name, label, type, etc.).
  4. At the bottom of the form, check the Protected checkbox. This makes the attribute a PCA. The Client Visible checkbox will be disabled (see the next section for client visibility options).
  5. Click Save.

Configuring Protection Settings

After saving, additional options and tabs will appear.

On the General tab, scroll down to the Protected Configuration section and configure the protection settings

  • Always allow requestor to view data in Client Portal – Enables the requestor to view this attribute in the client portal, even if they wouldn't normally have permission.
  • Require technician to enter PIN to access data – Forces users to enter a PIN before viewing the value. For more information on PIN settings, click here
  • Masking Options
    • Number of characters to unmask – The number of characters that automatically display to all users (e.g., "4" for last 4 digits), even if they are not in the permissioned groups.
    • Number of seconds to display values – The number of seconds an unmasked value remains visible before automatically masking again.

Click Save after configuring these settings.

Setting Group Permissions

Protected custom attributes are only visible to users who belong to authorized groups. Without group permissions, the PCA remains masked to everyone.

  1. On the attribute's edit page, click the Permissions tab
  2. Click the Add Associated Groups field to select the group(s) that should have access
  3. Click Add

Important: You must associate at least one group, or the PCA will remain completely masked—even when attempting to unlock it with a PIN. The PIN eye icon only appears when group permissions are set.

Screenshot of Permissions tab of a protected attribute

Adding Protected Custom Attributes to Forms

Protected custom attributes are added to Forms in the same way as regular custom attributes, with these considerations:

  • When you add a PCA to a form, the Protected icon () displays next to the icon
  • Clicking the icon will provide a summary of the PCA’s settings, including which groups can view it.
  • PCAs cannot be marked as "Hidden" or "Read-Only" for TDNext users

Screenshot of "protected field" warning on form builder

Access Logs and Audit Trail

The Access Log tab on a PCA's edit page shows:

  • Who viewed the attribute
  • When they viewed it
  • The value they saw at that time
  • The user's IP address
  • Whether the user edited the value

This audit trail is maintained separately in TDAdmin and provides complete accountability for sensitive data access.

The Configuration Log tab tracks changes to the PCA's settings themselves (permissions, masking rules, PIN requirements, etc.).

100% helpful - 2 reviews
Print Article

Related Articles (3)

About Protected Custom Attributes
An Overview of Protected Custom Attributes (PCAs) and how to create and manage them as an Administrator.
Managing Ticketing Custom Attributes
Create and manage custom ticket attributes in the Admin UI.