Secure storage of sensitive data

Discussion created by Michael_Lowry on Aug 11, 2016
Latest reply on May 10, 2017 by Michael_Lowry
Recently, I have encountered a few scenarios in which it is necessary to retrieve, store, and use a piece of sensitive information — information that should not be accessible to everyone, and really should be accessible only to the job or workflow that needs it. The most recent example involves the RA Web Services agent. The use case looks something like this:
  1. Submit a LOGIN request to the remote application via a REST API, using a user name and the user’sbase64-encoded password.
  2. Extract anauthentication tokenfrom the response from the remote application.
  3. Use this authentication token in the header of subsequent REST requests submitted to the remote application.
In this scenario, there are two pieces of sensitive information:
  • the base64-encoded password
  • the authentication token
Either one of these could be used to obtain access to the remote application. Thus, we would like to find a way to store these pieces of information securely. In order to protect these data, task details, activation logs, and other job logs would have to be protected from public view.

We currently allow all users read-only access to all objects in the Automation Engine system. (Write access is limited based on project, and this is enforced using user group membership and a strict object naming convention.) I suppose we could add a specific exception to the global read-only access, for objects with a certain keyword in the name. Any other ideas?