The Privacy session agent provides a rule-based means of blocking, encrypting or replacing sensitive data in captured Web requests and responses. The Privacy session agent can be deployed on the CX server, a CX Passive Capture Application server, or individual Web servers.
Tealeaf currently supports two Privacy session agents: [Privacy] and [PrivacyEx]. The latter extends the functionality of the former. [Privacy] is an earlier version with a reduced feature set. When you enable the Privacy session agent in your pipeline, you should use [PrivacyEx].
The Privacy session agent can block, encrypt, or replace sensitive data, drop hits (or just response data from hits), as well as add, modify, or remove name/value pairs in the request.
- Blocked Data is permanently replaced with a specified strike character, which is repeated to match the length of the blocked data. The default strike character is X.
  Note: This replacement is a non-reversible operation. Only block sensitive data that never needs to be retrieved.
- Encryption is performed using a privacy key, which is assigned to a specific NT group. Each privacy action can specify a key or group for encryption. After the data is encrypted, the original data is blocked using a different strike character to indicate that it has been encrypted. The encrypted data is saved in the [Privacy] section in the request.
  - The default strike character for encryption is @.
  - You can assign privacy keys using TMS.
  - When a session with data encrypted by Privacy session agent is replayed, the CX RealiTea Viewer or Browser Based Replay retrieves the privacy keys for groups to which the current user belongs and decrypts only those data items encrypted with the authorized keys.
  Note: Fields that have been encrypted using privacy rules in the CX Passive Capture Application or Windows™ pipelines cannot be decrypted in the Portal.
  - These encrypted fields can be decrypted only during replay.
  - As an alternative, you can leave the configured fields in unencrypted state in the session data and then define privacy rules specifically to be applied during session replay, permitting the display of the unencrypted data in the Portal, as needed.
- Replace Data: When data is replaced, a pre-configured replacement string is inserted, or the data is removed, if no replacement string is specified. This operation is non-reversible.
- Edit name/value pairs: You can also use the Privacy session agent to add, modify or remove name/value pairs (a field name and its value) in the request. This feature provides powerful options for manipulating the metadata used to process hits.
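The following Python model of the block, encrypt and replace actions, and of group-restricted decryption at replay, is an added example and is not Tealeaf code or configuration. The rule dictionary layout, field names, group name, key and the stand-in cipher are all assumptions made for illustration; only the strike characters and the behaviour of each action come from the text above.

```python
import hashlib

def _xor_stream(key: bytes, label: str, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 counter keystream). Assumption: the page does not
    # name the product's algorithm; this only makes the flow reversible for the demo.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + label.encode() + off.to_bytes(4, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def apply_rules(fields, rules, group_keys):
    """Apply block / encrypt / replace actions; return (fields, privacy_section)."""
    out, privacy = dict(fields), {}
    for name, rule in rules.items():
        if name not in out:
            continue
        value = out[name]
        if rule["action"] == "block":        # irreversible, length-preserving
            out[name] = rule.get("strike", "X") * len(value)
        elif rule["action"] == "encrypt":    # ciphertext kept aside, field struck with '@'
            group = rule["group"]
            privacy[name] = (group, _xor_stream(group_keys[group], name, value.encode()))
            out[name] = "@" * len(value)
        elif rule["action"] == "replace":    # irreversible; empty when no string is given
            out[name] = rule.get("with", "")
    return out, privacy

def replay_view(fields, privacy, user_keys):
    """Decrypt only the items whose group key the replaying user holds."""
    view = dict(fields)
    for name, (group, blob) in privacy.items():
        if group in user_keys:
            view[name] = _xor_stream(user_keys[group], name, blob).decode()
    return view

# Constructed sample data (field names, group name and key are hypothetical).
GROUP_KEYS = {"FraudTeam": b"constructed-demo-key"}
FIELDS = {"user": "alice", "password": "hunter2", "card": "4111111111111111", "promo": "SPRING"}
RULES = {
    "password": {"action": "block"},
    "card": {"action": "encrypt", "group": "FraudTeam"},
    "promo": {"action": "replace"},
}

if __name__ == "__main__":
    stored, privacy = apply_rules(FIELDS, RULES, GROUP_KEYS)
    print(stored)
    print(replay_view(stored, privacy, GROUP_KEYS))   # member of FraudTeam
    print(replay_view(stored, privacy, {}))           # no group membership
```

Because the strike string matches the original length, a blocked or encrypted field still reveals how long the value was; use the replace action where length itself is sensitive.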