Prepare to Configure Data PrivacyPrepare to Configure Data Privacy
This topic provides general guidelines for planning and configuring data privacy policies in the NetWitness network. Before beginning configuration, you must understand the data that needs to be protected on your network and develop a plan. You will need to:
- Identify the meta keys that hold privacy-sensitive data and need to be protected. This decision is based on requirements specific to your site.
- Decide which users need access to privacy-sensitive metadata and raw content. The first decision is whether to separate the DPO and administrator roles for your site by configuring a custom administrators system role on Decoder and Log Decoders and removing the
dpo.managepermission. By default, administrators have all permissions including the ability to configure the salted hash transform used to obfuscate data; some sites may want to reserve this access for data privacy officers. "Service User Roles and Permissions" in the Hosts and Services Getting Started Guide has more details on exactly what permissions each role has and the purpose of the permissions.
- Plan the configuration changes you need to make in your NetWitness deployment to support adequate data privacy.
- Assess how your configuration may impact out-of-the-box and custom content. For example, by default content available through Live for Reporting Engine is not geared toward obfuscated meta values.
In a single deployment, certain data-privacy configurations in the Core services must be the same. The following table lists these settings and uses a checkmark to identify the services for which the configuration must be the same. In the heading, the following abbreviations are used: D = Decoder, LD = Log Decoder, A = Archiver, C = Concentrator, and B = Broker.
|Configuration must be the same for these services:|
|Hash algorithm and salt for privacy-sensitive data|
|Language key data privacy attributes in the custom index file (includes configuring keys as protected)|
|Transient meta keys (not persisted on disk) per service and parser|
|Meta data and raw content visibility per system user group. (The meta keys must exist in the custom index file.)|
|User who has the
* When trying to access data on an aggregate service, the Log Collector or Broker requests authentication. When prompted to enter user name and password, you must authenticate as a user who is assigned the
Aggregation service role. "Services Security View - Aggregation Role" in the Hosts and Services Getting Started Guide provides detailed information about this role. Follow the instructions in "Add, Replicate or Delete a Service User" in the Hosts and Services Getting Started Guide to create a user and assign the new user the Aggregation service user role.