Manage personally identifiable information (PII) masking in proxy and sharedflow bundles

You're viewing Apigee Edge documentation.

As part of the synchronization process, API hub connector integration uploads your API proxy bundles to API hub. These bundles may contain sensitive data, or Personally Identifiable Information (PII), within policy configurations. This feature allows you to mask identified PII fields before the bundles are uploaded to API hub.

Masking approach

PII masking is applied using XPath expressions that target specific elements within the policy configurations of the XML-formatted proxy and sharedflow bundles; XML elements that no expression matches are uploaded unchanged. The feature has two parts:

Default masks

Apigee Edge includes a pre-defined, built-in list of XPath expressions that automatically target common PII fields. These masks are applied automatically during the upload process.

List of default masks:

Policy Name | Field (or Value) Description | XPath Expression(s)
AccessEntity | Entity identifier | //AccessEntity/EntityIdentifier
AccessEntity | Secondary identifier | //AccessEntity/SecondaryIdentifier
BasicAuthentication | User field value | //BasicAuthentication/User
BasicAuthentication | Password field value | //BasicAuthentication/Password
ConnectorCallout | JSON request body to send to the extension | //ConnectorCallout/Input
FlowCallout | Values of Parameters passed to flow callout | //FlowCallout/Parameter, //FlowCallout/Parameters/Parameter
HMAC | Secret key used for HMAC calculation | //HMAC/SecretKey
HMAC | Message content to be signed | //HMAC/Message
HMAC | HMAC verification value | //HMAC/VerificationValue
JavaCallout | Properties passed (sensitive configuration/data) | //JavaCallout/Properties/Property
Javascript | Inline source | //Javascript/Source
Javascript | Property values | //Javascript/Properties/Property
GenerateJWS | Private key value | //GenerateJWS/PrivateKey/Value
GenerateJWS | Private key password | //GenerateJWS/PrivateKey/Password
GenerateJWS | Private key ID | //GenerateJWS/PrivateKey/Id
GenerateJWS | Secret key value | //GenerateJWS/SecretKey/Value
GenerateJWS | Secret key ID | //GenerateJWS/SecretKey/Id
VerifyJWS | JWKS public keys | //VerifyJWS/PublicKey/JWKS
VerifyJWS | Public key value | //VerifyJWS/PublicKey/Value
VerifyJWS | Secret key value | //VerifyJWS/SecretKey/Value
GenerateJWT | Critical header values | //GenerateJWT/CriticalHeaders
GenerateJWT | Private key value used to sign the JWT | //GenerateJWT/PrivateKey/Value
GenerateJWT | Private key password | //GenerateJWT/PrivateKey/Password
GenerateJWT | Private key ID | //GenerateJWT/PrivateKey/Id
GenerateJWT | Secret key value | //GenerateJWT/SecretKey/Value
GenerateJWT | Secret key ID | //GenerateJWT/SecretKey/Id
VerifyJWT | Public key | //VerifyJWT/PublicKey/Value
VerifyJWT | Secret key | //VerifyJWT/SecretKey/Value
KeyValueMapOperations | Values for initial entries and PUT operations | //KeyValueMapOperations/InitialEntries/Entry/Value, //KeyValueMapOperations/Put/Value
Ldap | User name and password field values | //Ldap/Authentication/UserName, //Ldap/Authentication/Password
OAuthV1 | Tokens | //OAuthV1/Tokens/Token
OAuthV1 | Access token | //OAuthV1/AccessToken
OAuthV1 | Attribute values | //OAuthV1/Attributes/Attribute
OAuthV1 | Verifier code | //OAuthV1/VerifierCode
OAuthV1 | App user ID | //OAuthV1/AppUserId
OAuthV1 | Request token | //OAuthV1/RequestToken
OAuthV2 | Attribute values | //OAuthV2/Attributes/Attribute
GetOAuthV2Info | Access token | //GetOAuthV2Info/AccessToken
GetOAuthV2Info | Authorization code | //GetOAuthV2Info/AuthorizationCode
GetOAuthV2Info | Client ID | //GetOAuthV2Info/ClientId
GetOAuthV2Info | Refresh token | //GetOAuthV2Info/RefreshToken
RevokeOAuthV2 | App ID | //RevokeOAuthV2/AppId
RevokeOAuthV2 | End user ID | //RevokeOAuthV2/EndUserId
SetOAuthV2Info | Access token | //SetOAuthV2Info/AccessToken
SetOAuthV2Info | Attribute values | //SetOAuthV2Info/Attributes/Attribute
DeleteOAuthV2Info | Access token value | //DeleteOAuthV2Info/AccessToken
DeleteOAuthV2Info | Authorization code value | //DeleteOAuthV2Info/AuthorizationCode
StatisticsCollector | Statistic value | //StatisticsCollector/Statistics/Statistic
VerifyAPIKey | Hardcoded API key | //VerifyAPIKey/APIKey

Manage custom masks

A dedicated API allows you to submit a customized list of XPath expressions to mask specific fields you identify as PII, ensuring your unique data privacy needs are met.

You can manage your organization's custom PII masks using the /v1/organizations/ORG_NAME/uapim/proxymasks Edge management API endpoint. You must have the orgadmin role to perform these operations.

The API operates on a single list of XPaths named proxymasks for a given organization.

Method | Resource | Summary | Description
GET | /v1/organizations/ORG_NAME/uapim/proxymasks | Retrieve the 'proxymasks' XPath list | Gets the full list of XPath expressions for 'proxymasks' for the given organization.
PUT | /v1/organizations/ORG_NAME/uapim/proxymasks | Create or replace the 'proxymasks' XPath list | Creates the 'proxymasks' list if it doesn't exist, or completely replaces its content if it does.
DELETE | /v1/organizations/ORG_NAME/uapim/proxymasks | Delete the 'proxymasks' XPath list | Deletes all XPaths in the 'proxymasks' list for the organization.
POST | /v1/organizations/ORG_NAME/uapim/proxymasks/append | Append XPaths to the 'proxymasks' list | Adds one or more XPath strings to the end of the existing 'proxymasks' list.
POST | /v1/organizations/ORG_NAME/uapim/proxymasks/deleteItems | Delete specific XPaths from the 'proxymasks' list | Removes specific XPath strings from the 'proxymasks' list. Matches exact strings.

All requests and successful responses for creating, replacing, getting, appending, or deleting items from the XPath list use the following JSON schema:

{
  "xpaths": [
    "//Path/To/Element"
  ]
}
Field | Type | Description
xpaths | array of strings | A list of XPath expression strings to be masked. This field is required.

1. Create or replace the custom XPath list (PUT)

Use the PUT method to either create a new custom list or completely replace an existing list's contents. Any existing XPaths are overwritten. Because the XPath predicates in this example contain single quotes, the request body is supplied from a quoted heredoc; placing it inside a single-quoted -d '...' argument would let the shell strip the inner quotes and corrupt the expressions.

curl -X PUT https://api.enterprise.apigee.com/v1/organizations/ORG_NAME/uapim/proxymasks \
  -H "Authorization: Bearer OAUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d @- <<'EOF'
{
  "xpaths": [
    "//StatisticsCollector/Statistics/Statistic[@name='caller']",
    "//AssignMessage/AssignVariable[Name='password']/Value"
  ]
}
EOF

On success, the API returns 201 Created (the list was created) or 200 OK (an existing list was replaced) with the stored list in the body:

{
  "xpaths": [
    "//StatisticsCollector/Statistics/Statistic[@name='caller']",
    "//AssignMessage/AssignVariable[Name='password']/Value"
  ]
}

2. Retrieve the custom XPath list (GET)

Use the GET method to retrieve the current list of custom XPath expressions.

curl -X GET https://api.enterprise.apigee.com/v1/organizations/ORG_NAME/uapim/proxymasks \
  -H "Authorization: Bearer OAUTH_TOKEN"

On success, the API returns 200 OK with the current list in the body:

{
  "xpaths": [
    "//StatisticsCollector/Statistics/Statistic[@name='caller']",
    "//AssignMessage/AssignVariable[Name='password']/Value"
  ]
}

3. Append XPaths to the list (POST append)

Use the POST method to append one or more XPath expressions to the existing list without overwriting the current content.

curl -X POST https://api.enterprise.apigee.com/v1/organizations/ORG_NAME/uapim/proxymasks/append \
  -H "Authorization: Bearer OAUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "xpaths": [
      "//New/Appended/XPath"
    ]
  }'

On success, the API returns 200 OK with the updated list in the body:

{
  "xpaths": [
    "//StatisticsCollector/Statistics/Statistic[@name='caller']",
    "//AssignMessage/AssignVariable[Name='password']/Value",
    "//New/Appended/XPath"
  ]
}

4. Delete specific XPaths from the list (POST deleteItems)

Use the POST method to remove specific XPath expressions from the existing list. The request must contain the exact XPath strings to be removed; an expression that differs from the stored entry in any character (quoting, spacing, predicate form) is not matched and the stored entry remains.

curl -X POST https://api.enterprise.apigee.com/v1/organizations/ORG_NAME/uapim/proxymasks/deleteItems \
  -H "Authorization: Bearer OAUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "xpaths": [
      "//New/Appended/XPath"
    ]
  }'

On success, the API returns 200 OK with the remaining list in the body:

{
  "xpaths": [
    "//StatisticsCollector/Statistics/Statistic[@name='caller']",
    "//AssignMessage/AssignVariable[Name='password']/Value"
  ]
}

5. Delete the entire custom XPath list (DELETE)

Use the DELETE method to completely remove the custom XPath list. This will remove only the custom masks; default masks will still be applied.

curl -X DELETE https://api.enterprise.apigee.com/v1/organizations/ORG_NAME/uapim/proxymasks \
  -H "Authorization: Bearer OAUTH_TOKEN"

On success, the API returns 204 No Content with an empty body:

HTTP/1.1 204 No Content
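The following is an added example, not code from Apigee or this page, that shows what the default and custom masks above do to a bundle and gives you a way to dry-run a custom XPath list before submitting it with PUT or append. It assumes a placeholder of "****" for masked values (the page does not document the real replacement token), models the bundle as a mapping of policy-file name to XML text, and uses the XPath subset supported by Python's xml.etree.ElementTree (descendant paths, [@attr='v'] and [child='v'] predicates), which is enough for every expression on this page but is not Apigee's own XPath engine. The sample policies are constructed for the example.

```python
"""Added example (not Apigee's code): apply default and custom PII masks to the
policy XML of a proxy bundle, and dry-run a custom XPath list before uploading it.

Assumptions (not from the page): masked values become "****"; the bundle is a
dict of policy-file name -> XML text; the XPath subset is the one supported by
xml.etree.ElementTree, which covers every mask listed on the page.
"""
import xml.etree.ElementTree as ET

MASK = "****"  # assumed placeholder; the real replacement token is not documented here

# A subset of the page's default masks, plus the two custom XPaths from the PUT example.
DEFAULT_MASKS = [
    "//BasicAuthentication/User",
    "//BasicAuthentication/Password",
    "//KeyValueMapOperations/Put/Value",
    "//VerifyAPIKey/APIKey",
]
CUSTOM_MASKS = [
    "//StatisticsCollector/Statistics/Statistic[@name='caller']",
    "//AssignMessage/AssignVariable[Name='password']/Value",
]

# Constructed sample bundle: one policy file per entry, as under apiproxy/policies/.
SAMPLE_BUNDLE = {
    "BasicAuth.xml": """<BasicAuthentication name="BasicAuth">
  <Operation>Encode</Operation>
  <User ref="request.queryparam.username">alice</User>
  <Password ref="request.queryparam.password">hunter2</Password>
</BasicAuthentication>""",
    "Stats.xml": """<StatisticsCollector name="Stats">
  <Statistics>
    <Statistic name="caller" ref="request.header.x-caller-id" type="string">anon</Statistic>
    <Statistic name="region" ref="request.header.x-region" type="string">emea</Statistic>
  </Statistics>
</StatisticsCollector>""",
    "Assign.xml": """<AssignMessage name="Assign">
  <AssignVariable><Name>password</Name><Value>s3cr3t</Value></AssignVariable>
  <AssignVariable><Name>timeout</Name><Value>30</Value></AssignVariable>
</AssignMessage>""",
}


def _to_et_path(xpath):
    """Rewrite an absolute '//A/B' mask into the './/A/B' form ElementTree accepts."""
    if not xpath.startswith("//"):
        raise ValueError(f"unsupported mask (must start with //): {xpath}")
    return "." + xpath


def mask_bundle(bundle, custom_masks=(), defaults=DEFAULT_MASKS):
    """Return (masked_bundle, hits): masked XML per file and match count per XPath."""
    # Wrap every policy under one synthetic root so '//Policy/Child' can match the
    # policy element itself (ElementTree's '//' only searches descendants).
    root = ET.Element("bundle")
    for name, xml_text in bundle.items():
        holder = ET.SubElement(root, "file", name=name)
        holder.append(ET.fromstring(xml_text))

    hits = {}
    for xpath in list(defaults) + list(custom_masks):
        matched = root.findall(_to_et_path(xpath))
        hits[xpath] = len(matched)
        for elem in matched:
            # Mask text of the element and everything nested in it; tag names and
            # attributes stay (a 'ref' attribute names a variable, not the secret).
            for node in elem.iter():
                if node.text and node.text.strip():
                    node.text = MASK

    masked = {h.get("name"): ET.tostring(h[0], encoding="unicode") for h in root}
    return masked, hits


def dry_run(bundle, custom_masks):
    """Return the custom XPaths that match nothing in this bundle (likely typos).

    Worth running before PUT or append: deleteItems matches exact strings, so a
    mistyped expression is both ineffective and awkward to remove later.
    """
    _, hits = mask_bundle(bundle, custom_masks, defaults=())
    return [xp for xp in custom_masks if hits[xp] == 0]


if __name__ == "__main__":
    masked, hits = mask_bundle(SAMPLE_BUNDLE, CUSTOM_MASKS)
    for name, xml_text in masked.items():
        print(f"--- {name}\n{xml_text}")
    typo = "//AssignMessage/AssignVariable[Name='pasword']/Value"
    print("unmatched custom masks:", dry_run(SAMPLE_BUNDLE, CUSTOM_MASKS + [typo]))
```

Run it against the policies directory of a bundle you are about to sync; any expression reported by dry_run should be corrected before it is added to the proxymasks list, since the page notes that previously uploaded bundles are only reprocessed with new masks through a support ticket.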

Updating masked bundles

When you modify your custom PII masking configuration, API proxy bundles that were previously uploaded with an older mask configuration need to be reprocessed with the latest masks. To update the bundles with the latest masking settings, please file a support ticket to initiate the necessary reprocessing.