When working with sensitive files in a secure environment, you may at times want to grant users access for troubleshooting without giving them access to certain file contents.
A prime example of this is a connection string in a .config file. When storing username and password credentials in a .config file, the weak link is who has access to the file on the file system. The moment someone sees that connection information, they have access to any sensitive information you store in your database.
Also, if you're in an industry that requires safe handling of personally identifiable information (PII), electronic protected health information (ePHI), cardholder information in a Payment Card Industry (PCI) compliant environment, or are just trying to be a good steward of your sensitive data, you will appreciate the challenge that exists here. You will at some point need to provide access to users outside of your operations or sys admin team for troubleshooting, but in doing so, you no longer have the barriers in place to ensure controls compliance.
With careful application of file masking strategies for hiding file contents, and by granting access through Stackify rather than direct login access, you can give the access needed for troubleshooting and no longer worry about whether users will have access to resources they shouldn't, let alone be able to take advantage of them without your knowledge.
By default, you will find a Connection String Passwords mask already configured. This serves two purposes. First, it prevents users from seeing passwords in configuration files right out of the box (if you want to allow this, you can always remove this mask by marking it Inactive). Second, it serves as a sample that shows you how to configure this feature for other file types and content you wish to hide.
Adding a Mask
In the Regular Expression example above, in all .config files, lines that contain the word "password" will be masked until a quotation mark (") is found.
Once the File Masking configurations have been set properly, all specified text in the .config files will be masked as shown above.
File Masking can work with different file types too. For the file name, simply provide either a specific file name (e.g. web.config or hibernate.cfg.xml) or a wildcard (e.g. *.config, *.cfg.xml, *.properties), and make changes to the Regex accordingly.
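One way to check a mask before relying on it is to plant canary values in sample files and confirm none survive masking. The following is an added example, not Stackify's code: the mask table, both regexes, the helper names, and the sample files are constructed assumptions that mirror the "password until a quotation mark" behaviour and the file-name wildcards described above.

```python
import fnmatch
import re

FILL = "********"

# Hypothetical mask table (file-name wildcard, regex); group 1 is the text to
# hide. These patterns are assumptions for illustration, not shipped defaults.
MASKS = [
    # After "password=", hide everything until the next quotation mark.
    ("*.config", re.compile(r'(?i)password\s*=\s*([^"]+)')),
    # key=value files have no closing quote: hide to the end of the value.
    ("*.properties", re.compile(r'(?i)password\s*=\s*(\S+)')),
]

def _hide(m):
    # Replace only group 1 by position, so a secret equal to the keyword
    # ("password=password") does not clobber the key itself.
    whole, off = m.group(0), m.start(0)
    return whole[:m.start(1) - off] + FILL + whole[m.end(1) - off:]

def mask_text(file_name, text):
    """Apply every mask whose wildcard matches file_name."""
    for wildcard, regex in MASKS:
        if fnmatch.fnmatchcase(file_name.lower(), wildcard):
            text = regex.sub(_hide, text)
    return text

def leaked(file_name, text, canaries):
    """Return the planted canary values still visible after masking."""
    shown = mask_text(file_name, text)
    return [c for c in canaries if c in shown]

# Constructed sample files with planted canary secrets.
WEB_CONFIG = '''<connectionStrings>
  <add name="Db" connectionString="Server=db01;User Id=app;Password=CANARY-ONE;" />
</connectionStrings>
<appSettings>
  <add key="SmtpPwd" value="CANARY-TWO" />
</appSettings>'''
APP_PROPERTIES = "db.user=app\ndb.password=CANARY-THREE\n"

if __name__ == "__main__":
    print(mask_text("web.config", WEB_CONFIG))
    # CANARY-TWO survives: its key never contains the word "password".
    print(leaked("web.config", WEB_CONFIG, ["CANARY-ONE", "CANARY-TWO"]))
    print(leaked("app.properties", APP_PROPERTIES, ["CANARY-THREE"]))
```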