When RTV or BBR queries Search Server for a session to replay, Search Server examines the user groups to which the requesting user belongs. If a set of replay rules has been assigned to one of the user's groups, Search Server opens the data for the requested session and applies the set of replay rules to the session. Then, the session is delivered to the requesting application for replay to the user.
Masking on-demand enables you to apply privacy rules based upon a user's group membership. You can configure and apply separate sets of privacy rules for each user group. Through Search Server configuration, you may assign privacy rules to all users through a global configuration file and privacy rules to individual user groups based on separate configuration files.
Example use
Fields that have been encrypted using privacy rules in the PCA or Windows™ pipelines cannot be decrypted in the Portal. These encrypted fields can be decrypted only during replay.
As an option, you can leave the configured fields in an unencrypted state in the session data and then define Masking on-demand privacy rules specifically to be applied during session replay, permitting the display of the unencrypted data in the Portal, as needed.
Authentication required
Masking on-demand works in conjunction with the enabled and configured method of authentication. Tealeaf supports two primary methods of authentication:
- Portal authentication - User requests of the Tealeaf system are authorized by the Portal application.
- NT authentication - User requests of the Tealeaf system are initially authorized by the Windows domain controller associated with the Portal application.
Portal authentication and RTV
If you use Portal authentication and the RTV application, you must configure the username and password of the Tealeaf user who queries Search Server for sessions within RTV. In the RTV menu, select Tools > Options and click the cxImpact tab.
Multiple group membership
Privacy is applied for every group for which a Masking on-demand privacy configuration has been defined in the Search Server configuration.
- Privacy rules are applied to user groups in alphabetical order by group name. For example, if User 1 is a member of Group A and Group B, both of which have privacy rules specified for them, the rules of Group A are applied to session replay before Group B's rules, since Group A appears first in alphabetical order.
- If a user is a member of a group that does not have privacy applied and a group that does have privacy applied, privacy is applied to the user's replay data. For example, suppose User 2 is a member of Group C, Group D and Group E, and Group D has a set of privacy rules while the other two groups do not. In this case, the privacy rules of Group D are applied.
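The following Python sketch is an added example, not Tealeaf code. It models the multiple-group behavior described above so an administrator can predict which rule sets a user's replay receives and in what order. The (pattern, replacement) rule shape, the sample request data and the case-insensitive sort are assumptions, and global rules are not modeled. With the constructed rules, Group A's rule rewrites the card number before Group B's rule runs, so Group B's rule no longer matches.

```python
import re

# Constructed sample data. The (pattern, replacement) rule shape is a
# hypothetical stand-in, not Tealeaf's privacy configuration syntax.
GROUP_RULES = {
    "Group A": [(r"\b\d{12}(\d{4})\b", r"************\1")],  # keep last 4 digits
    "Group B": [(r"\b\d{16}\b", "[CARD REMOVED]")],           # drop whole number
    "Group D": [(r"(?<=ssn=)\d{3}-\d{2}-\d{4}", "XXX-XX-XXXX")],
}

def effective_groups(user_groups, group_rules=GROUP_RULES):
    """Groups whose rule sets apply to this user, in application order.

    Groups without a rule set are skipped; the rest are ordered
    alphabetically by name (case-insensitive sort is an assumption).
    """
    return sorted((g for g in set(user_groups) if g in group_rules), key=str.lower)

def mask_for_replay(request_text, user_groups, group_rules=GROUP_RULES):
    """Apply each effective group's rules in turn to one request body."""
    for group in effective_groups(user_groups, group_rules):
        for pattern, replacement in group_rules[group]:
            request_text = re.sub(pattern, replacement, request_text)
    return request_text

def unmasked_users(memberships, group_rules=GROUP_RULES):
    """Audit helper: users for whom no group rule set would be applied."""
    return sorted(u for u, groups in memberships.items()
                  if not effective_groups(groups, group_rules))

if __name__ == "__main__":
    body = "card=4111111111111111&ssn=123-45-6789"  # constructed request data
    memberships = {
        "User 1": ["Group B", "Group A"],
        "User 2": ["Group C", "Group D", "Group E"],
        "User 3": ["Group C"],
    }
    for user, groups in memberships.items():
        print(user, effective_groups(groups), mask_for_replay(body, groups))
    print("no group masking:", unmasked_users(memberships))
```

The audit helper lists users whose groups carry no rule set, which is the case to review when fields are left unencrypted in session data and masked only at replay.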
Event data is stored in the request of the page on which the event was triggered. Based on the presence of a specific event, you may apply replay rules to any data on the page.