How to hide attribute values in Management History, Events and Reports

People often ask how they can be sure that security-sensitive information, such as a Social Insurance Number, will be removed from less-secured sources such as change history, logs, reports, etc.

It's quite easy to accomplish.

Let's start by creating a stored virtual attribute with DirectoryString syntax and assigning it to the user class. Then open the attribute's Advanced Properties and locate the edsaAttributeFlags property. In our case the value of this property will be "8".

There are some known values for this property:

  • non-stored custom virtual attribute – 2
  • stored custom virtual attribute – 8
  • value is secret (this is what we need) – 16
  • read-only – 64
  • always readable (rights are not required to read the attribute) – 128

We have to put the sum of the required values into the edsaAttributeFlags attribute: 8 + 16 = 24.

After that we can modify our attribute's value and check how it looks in Change History and events.
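
The flag arithmetic above, as an added PowerShell example (not part of the original post and not Active Roles code): it decodes an edsaAttributeFlags value against the list above and sets the secret bit with a bitwise OR, so an attribute that is already marked secret keeps its value. The function names and the sample attribute names and flag values are constructed for illustration.

```powershell
# Known edsaAttributeFlags bits, taken from the list in the article.
$KnownFlags = [ordered]@{
    'NonStoredVirtual' = 2
    'StoredVirtual'    = 8
    'Secret'           = 16
    'ReadOnly'         = 64
    'AlwaysReadable'   = 128
}

# Hypothetical helper: break a flag value into the names from the list above.
function ConvertFrom-AttributeFlags {
    param([Parameter(Mandatory)][int]$Value)
    $names = @()
    $known = 0
    foreach ($entry in $KnownFlags.GetEnumerator()) {
        $known = $known -bor $entry.Value
        if ($Value -band $entry.Value) { $names += $entry.Key }
    }
    [pscustomobject]@{
        Value    = $Value
        Flags    = $names -join ', '
        IsSecret = [bool]($Value -band $KnownFlags['Secret'])
        Unknown  = $Value -band (-bnot $known)   # bits not covered by the article's list
    }
}

# Hypothetical helper: return the value with the "secret" bit set.
function Add-SecretFlag {
    param([Parameter(Mandatory)][int]$Value)
    # -bor is idempotent; plain addition on a value that already has the bit
    # set would clear it and carry into the next bit.
    $Value -bor $KnownFlags['Secret']
}

# Constructed sample data: attribute names and current flag values are hypothetical.
$attributes = @(
    [pscustomobject]@{ Name = 'example-SocialInsuranceNumber'; Flags = 8  }
    [pscustomobject]@{ Name = 'example-PayrollId';             Flags = 24 }
    [pscustomobject]@{ Name = 'example-BadgeNumber';           Flags = 72 }
)

# Report the current state and the value to enter in edsaAttributeFlags.
foreach ($attr in $attributes) {
    $current = ConvertFrom-AttributeFlags -Value $attr.Flags
    [pscustomobject]@{
        Attribute     = $attr.Name
        CurrentValue  = $current.Value
        CurrentFlags  = $current.Flags
        AlreadySecret = $current.IsSecret
        NewValue      = Add-SecretFlag -Value $attr.Flags
    }
}
```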