Settings
Global application settings are available under the Settings item of the main navigation menu.
The Settings page has the following sections:
- Git Repository Settings
- SMTP Email Settings
- SSL Credentials
- Hostnames
- SAML Single Sign-On
- Global Keywords
- Locality
Note: Application settings can only be accessed when logged in as the DataMasque admin user.
Git Repository Settings
DataMasque allows you to manage ruleset YAML files by pushing them to and pulling them from a remote Git repository. Configure these settings and upload your SSH private key file to enable these functions.
Note: DataMasque only supports connecting to the remote Git repository over SSH.
You can configure your remote Git repository details by clicking the
button. You will be presented with a
form to provide your configuration (see Git Repository Parameters below for details):
Git Repository Parameters
| Repository URL | The remote Git SSH URL to push ruleset to or pull ruleset from. Example: git@hostname:path/to/repo.git |
| Branch Name | The target branch name to push ruleset to or pull ruleset from. |
| Directory Path | The directory path to push ruleset to or pull ruleset from. Leave it blank to specify the root directory of the repository. |
SMTP Email Settings
DataMasque can be configured to send emails over SMTP for the purposes of providing 'Forgotten Password' account recovery and critical system notifications. This will also be used to send support and usage information to DataMasque.
Note: Emails will be sent to usage@datamasque.com in addition to registered users. Please ensure the SMTP server is capable of sending emails to registered users, as well as outbound emails to usage@datamasque.com.
You can configure your SMTP server details by clicking the
button. You will be presented with a
form to provide your configuration (see SMTP Parameters below for details):
You may opt in to receive a copy of any automated outbound emails that are sent to DataMasque HQ. This can be done by enabling the setting shown below.
SMTP Parameters
| Sender | The email address that your DataMasque instance will send emails from* |
| Host Name | The hostname or IP address of your SMTP server (must be accessible from your DataMasque instance) |
| Port | The port used by your SMTP server |
| Security Protocol | The security protocol used by your SMTP server |
| SMTP Username | The username used to authenticate with your SMTP server (requires SSL or TLS) |
| SMTP Password | The password used to authenticate with your SMTP server (requires SSL or TLS) |
You can test saved SMTP server configurations by clicking the SEND TEST EMAIL button. This will send a test email to the email address associated with your user account to test connectivity to the specified SMTP server from DataMasque.
Note: Most non-relay SMTP servers that require SSL/TLS security protocol and SMTP credentials will rewrite the
Fromheader in messages to the corresponding SMTP account to secure the credentials of the sender. In that case, it is recommended to configure the SMTP credentials and DataMasqueSenderwith the same email address (for consistency).
SSL Credentials
By default, DataMasque is configured with an auto-generated self-signed SSL certificate. The self-signed certificate must be accepted in the browser by a user when accessing DataMasque.
To ensure a secure SSL connection, it is recommended to install a certificate that has been signed by a trusted CA whose root certificate is installed on client machines.
Active SSL Credentials
The SSL Credentials panel contains details of the SSL credentials currently in use by DataMasque, including the certificate and private key files and the SHA-1 fingerprint of the certificate:
Installing SSL Credentials
You are able to install your own SSL credentials using the "SSL Credentials" settings panel.
Note: DataMasque accepts X.509 SSL certificates in PEM format. Other formats are not supported.
Note: When generating an SSL certificate for DataMasque, it is recommended to correctly set the "Common Name" field to match the hostname of the DataMasque instance but also include SAN (Subject Alternative Name) entries that cover the potential IP addresses at which DataMasque may be accessed. In a Cohesity environment, this would include the IP address for each cluster node. This ensures that DataMasque can always be accessed using a secure connection.
New SSL certificate and private key files can be installed by clicking on each file and selecting replacements to upload. Before proceeding, ensure that any critical data stored in DataMasque is backed up. In the event that invalid or incorrect credentials are installed DataMasque may become inaccessible.
Once you are satisfied that you have backed up any important data, click the 'Save' button to update DataMasque with the selected credentials. After successful installation, your page will be refreshed to ensure that your browser is initialised with the new credentials.
If at any point you wish to revert to using the default self-signed SSL certificate, you may do so by clicking the "Reset Default" button.
Hostnames
DataMasque must be configured with the hostnames and IP addresses that will be used to access the application. It is strongly recommended to include the DataMasque instance IP address in this configuration as well as hostname to avoid losing access to the application. Currently, only IPv4 addresses are supported, in the following formats:
- Standard IPv4 address: x.x.x.x, where x ranges from 0 to 255.
- IPv4 with CIDR notation: x.x.x.x/y, where x ranges from 0 to 255 and y ranges from 0 to 32.
Hostnames can be added and deleted using this interface, however deleting the hostname that is currently in use to access DataMasque is disallowed.
Instance Secret
Each DataMasque instance has a randomly generated instance secret to protect against attackers replicating deterministic masking on a different instance (see the deterministic masking guide for details). You can rotate the instance secret from the Settings page by clicking the Rotate Instance Secret button. After rotating the instance secret, subsequent deterministic masking will be based on a new instance secret, and existing rulesets will produce different masking results.
SAML Single Sign-On
The SAML Single Sign-On settings panel can be used to configure DataMasque for single sign-on (SSO). See the SAML Single Sign-On user guide for details about how SAML SSO works with DataMasque.
The following parameters can be configured for SAML SSO:
| IdP metadata XML | The SAML metadata XML file obtained from your identity provider. |
| Disable local logins | When SAML SSO is configured, enabling this will disable login of all local users (except the DataMasque admin user). |
Global Keywords
You can provide DataMasque with Global Custom Data Classification keywords.
Column names are matched to Global Custom Data Classification keywords in addition to the built-in data discovery keywords.
Custom Data Classification keywords can be delimited by any number of spaces .
You can also provide DataMasque with Ignored keywords. Column names that match Ignored keywords are excluded from Sensitive Data Discovery reports.
Keywords can be added and deleted under the Global Keywords section on the Settings Page. You can also add keywords by uploading a CSV file. The system will detect whether the CSV data is row-based or column-based, and import the keywords accordingly. Note that the system does not support CSV files with multiple rows and columns.
Example: regex:^street|postal, which matches any column name beginning with street or postal.
For more information please refer to our user guide on regular expressions
Patterns such as schema.table.column or schema.table are also supported for Custom Data Classification keywords and Ignored keywords,
but are not supported when prefixed by regex as . can also be used in regular expressions.
Wildcards are also supported by using the * character, for example you can discover or ignore all columns in any table by specifying schema_name.table_name.*
Locality
DataMasque can be configured with a locality to influence the rulesets generated by the Ruleset Generator. Built-in localities are available, or a custom locality can be specified.
The locality setting determines the seed files selected for from_file masks in the generated rulesets.
These masks and seed files are used for masking data such as first name, last name, addresses, etc.
The selected seed files will be specific to the chosen locality, provided they exist.
If your locality is set to AU (for example), DataMasque will look for these seed files in order, stopping when one exists.
Custom_AU_firstNames_mixed.csv,DataMasque_AU_firstNames_mixed.csv,DataMasque_firstNames_mixed.csv
The Custom option allows you to input your own value for your desired locality.
Before selecting the Custom option and setting your locality,
you should upload seed files with file names in the same format as existing seed files (DataMasque_locality_* or Custom_locality_* replacing locality with the character code).
These new seed files will be selected by the ruleset generator when generating a ruleset.
The same logic for which seed file is selected, as described above, for the AU option also applies.
If any seed files don't exist for the locality the default(s) will be used.
These files require specific columns in order to work as intended, detailed in the table below. Where prefix can be either DataMasque or Custom.
| File Name | Required Columns | Default |
|---|---|---|
prefix_locality_firstNames_mixed.csv |
firstname-mixed | DataMasque_firstNames_mixed.csv |
prefix_locality_lastNames.csv |
lastnames | DataMasque_lastNames_v2.csv |
prefix_locality_fake_email_suffixes.csv |
email-suff | DataMasque_fake_email_suffixes.csv |
prefix_locality_mixed_countries_addresses.csv |
country | DataMasque_mixed_countries_addresses.csv |
prefix_locality_addresses.csv |
state_long, city, postcode, address | DataMasque_US_addresses.csv |
prefix_locality_occupations.csv |
occupation | DataMasque_occupations.csv |
prefix_locality_companies.csv |
company_name | DataMasque_US_companies.csv |
The default seed files can be used as a reference for creating your own custom locality seed files.
