Issue
Operator-related data is exposed to unauthorized users when they view Insights, even when that data is masked.
Symptoms and Impact
Exposure of Personally Identifiable Information (PII) to unauthorized users.
Steps to reproduce
- Create an Insight exposing operator-related properties (e.g. Create Operator Name).
- Create a read Access Control Policy on the property in the class to mask operator-related properties for certain users.
- View the Insight as a user who is only authorized to see the masked data, not the actual data beneath it.
Root Cause
This is a known product limitation.
pxCreateOperator is used internally in RD filters, so it should not be used in access control.
Suggested Approach
Avoid setting pxCreateOperator in the access control configuration.
An enhancement request has been entered for this issue but has not yet been assigned to a specific release. This known issue will be updated with release details when the enhancement is available.