Encryption at rest prevents data being accessed by DB Admins.
Is this available? this would be perfect for our usecase.
Yep. After considering the above use cases
- encryption at rest
- data segregation via custom roles and fine grained folder access
we realized that the advantage you get from SpecDataEncrypted and SpecificData would be minimal. And it would also pose a difficulty which we don’t know how to solve. Leaving aside the UI the user may have an attended robot plus access to Orchestrator. Orchestrator is built as being an API system. This being the case it means that the correct name would be SpecificDataObfuscated and not Encrypted. Aka, SpecificDataHiddenInUI but accessible via an API system. We may look again at this feature when we’ll create a proper authentication with different access token for the user’s bot and the user.
We are sending an email. Currently how we are handling is create a json file with all the items and store it in a shared drive. Only Business team would have access to it. JSON file path is added in Queue. There is no way we can mask or encrypt teh data from UI.
Becasue of GDPR and PCI compliance we are not allowed to store sensitive information any where outside of business zone/ BU.
Even with the Org Units or Folders, there would be an admin required from infra team right? Or can we create a business user role and no other role should have access to it. Not even admin
SO i think we would need to create an admin who is from business and another roles from Support and Infra who would not have access to view queue data. (I am not sure still if tenant admin can go through it or not). Do we recommend admin to be from business not CoE
Thinking around this, i have become more confused now… Arghh!!
Do you have any info on how other financial or banks are doing? After GDPR and PCI, it has become more challenging to convince to business.
I guess you may have three roles
- Business Admin (Global) - everything
- IT Admin (Global) - doesn’t have manage folders global permissions and transactions local permission
- Folder Admin (Folder) - everything for a specific folder, business user
Unfortunately in 19.10 modern folders you don’t have unattended but they will come in 20.4
I guess it will work.
Your approach is one of the way. But the way of encrypted and decrypted is correct or wrong …for what purpose we are using that encryption and decryption .
I’m interested to hear if you found an elegant solution as I am also under strict GDPR rules.
Our robot is Reading sensitivte input data from Excel, adding that to the Orchestrator, which in turn gives all users of that orchestrator folder / business unit access to the information.
It seems like the only current solution is to create one folder per queue, which is an architonic nightmare if you ask me…
Give this a go. Worked for my scenrio
Thank you very much, just the solution I was looking for :–) I have implemented it already and I like the solution.