Handling confidential strings

AppMon uses confidential strings to restrict who can view sensitive data. To read confidential data, your user account must have the ReadConfidentialStrings permission. See Permissions Mapping and User Permissions and Authentication > Roles for more information about permissions.

To define confidential strings, select Settings > Dynatrace Server > Settings, and click the Confidential Strings tab.

Confidential Strings settings

The list of defined confidential data includes:

  • String arguments passed to methods.
  • String return values.
  • Exception messages.
  • Message content transported over middleware, such as JMS.
  • URI, query string, headers, parameters, request attributes, and Servlet call session attributes.
  • URI, query string, headers, parameters, cookies, session attributes, and ASP.NET call server variables.
  • SQL and SQL database call bind parameters.
  • Incident messages and descriptions triggered by the AppMon Server.

The confidential strings are masked in AppMon Client and AppMon Web, unless the user has the ReadConfidentialStrings permission. They can also be masked on export.

You can use two approaches to confidential strings:

In this case, the confidential strings are captured and used in session analysis. However, only users with the ReadConfidentialStrings permission can view them. Users without the permission see asterisks (*) instead of confidential strings. In SQL strings, the first word is not replaced by asterisks.

In the following example, with:

  • Confidential SQL string 1: SELECT * FROM abc
  • Confidential SQL string 2: SELECT * FROM bcd

The AppMon Server database analyzer analyzes the original data. The result contains two rows with a call count of one for each.
The user with insufficient permissions sees two SELECT ********** strings with separate call counts.
The user with the ReadConfidentialStrings permission sees the original data.

  • Confidential argument: test argument

The analyzer has the original data and uses it. The user with insufficient permissions sees the result as *************.
The user with the ReadConfidentialStrings permission sees the original data.
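The behaviour described above, sketched as an added example (this is not AppMon code): analysis runs on the original strings and masking is applied only when a row is displayed to a user without ReadConfidentialStrings. The function names are hypothetical, and the length-preserving mask is an assumption inferred from the `SELECT **********` example on this page.

```python
from collections import Counter

READ_PERMISSION = "ReadConfidentialStrings"  # permission name from the page


def mask_sql(sql):
    """Keep the first word of a SQL string; mask every remaining character."""
    first, sep, rest = sql.partition(" ")
    return first + sep + "*" * len(rest)


def mask_plain(value):
    """Mask every character of a non-SQL confidential string (e.g. an argument)."""
    return "*" * len(value)


def analyze(calls):
    """Aggregate call counts on the original, unmasked strings."""
    return Counter(calls)


def render(counts, permissions, masker=mask_sql):
    """Return (displayed string, call count) rows for one user's permission set."""
    can_read = READ_PERMISSION in permissions
    return [(s if can_read else masker(s), n) for s, n in counts.items()]


# Constructed sample data: the two confidential SQL strings from the example above.
CALLS = ["SELECT * FROM abc", "SELECT * FROM bcd"]

if __name__ == "__main__":
    counts = analyze(CALLS)
    for who, perms in (("restricted", set()), ("privileged", {READ_PERMISSION})):
        for text, n in render(counts, perms):
            print(f"{who:10}  {text}  calls={n}")
```

Because aggregation happens before masking, the restricted view still shows two separate rows, so the number of distinct statements (and, under the length assumption, their length) remains visible to users without the permission.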