Overview
Version
| FieBI Version | Functional Change |
|---|---|
6.0.6 | / |
| 6.1.1 | Allowed text fields after data desensitization to be counted/counted without duplication. The counting result is not subject to data desensitization. |
Application Scenario
Many banks, securities, and governments need to perform data desensitization when displaying data (such as names, ID numbers, phone numbers, accounts, and addresses) in dashboards.
Therefore, FineBI provides the Data Desensitization function.
1. You can create desensitization rules and substitute partial/all characters with *.
2. You can apply desensitization rules to text fields through the combination of the Data Desensitization function and data column permissions.
3. Data desensitization only affects viewing effects and does not affect calculation processes.
Example
The dashboard RFM Customer Analysis Model calls the data in RFM Analysis Table Detailed Data in Public Data.
The admin needs to assign the viewing and use permissions of this table and the viewing and export permissions of this dashboard to the sales director.
However, the CUSTOMERNAME field (in the RFM Analysis Table Detailed Data table) contains sensitive information and needs to be desensitized for display. That is, the original values of this field should be invisible to the sales director.
Rule Creation
The admin needs to create a data desensitization rule for application during the permission assignment.
Log in to the FineBI system as the admin, choose System Management > Security Management > Data Desensitization, and click Create Rule, as shown in the following figure.
Set Rule Name to Username Desensitization.
Set Desensitization Algorithm to Substitute Char and Retain First 1 and Last 1 Character(s), and Substitute Other Characters with * Character.
Set Applied Scope to View and Export (default setting).
Click Save. A data desensitization rule is added successfully, as shown in the following figure.
Permission Assignment
After completion, you can apply the rule during the data column permission assignment.
Log in to the FineBI system as the admin, choose System Management > Permission Management > Common Permission Configuration, and assign data permissions to Sale director (in Sales department).
1. Select Sales director, click Data Authorization, and assign the Component Data and Use permissions of RFM Analysis Table Detailed Data under Public Data > Analysis Data > Data Analysis Model.
2. Click the edit icon next to RFM Analysis Table Detailed Data, click Column Permissions, and set the created desensitization rule Username Desensitization for the text field CUSTOMERNAME, as shown in the following figure.
Log in to the FineBI system as the admin, choose System Management > Permission Management > Common Permission Configuration, and assign directory permissions to Sales director (in Sales department).
Select Sales director, click Directory Permission, and assign the View and Export permissions of RFM Customer Analysis Model under Platform Directory > Analysis Model.
Effect Display
Log in to the FineBI system as the sales director Lisa (username: Lisa; password: 1).
1. View the dashboard RFM Customer Analysis Model. Only the first and last characters are displayed for the values of the field CUSTOMERNAME (namely company names), with all other characters displayed as *.
2. View the table RFM Analysis Table Detailed Data in Public Data. Only the first and last characters are displayed for the values of the field CUSTOMERNAME, with all other characters displayed as *.
Function Description
Field Type Confirmation
Only text fields can be applied with the data desensitization rule. Date and value fields do not support the data desensitization function.
If text fields are converted into date/value fields, the desensitization rule will be invalid. After you restore date/value fields to text fields, the data desensitization rule is still valid.
Data Desensitization Rule Creation
To desensitize data, you need to first set desensitization rules.
Log in to the FineBI system as the admin, choose System Management > Security Management > Data Desensitization, and click Create Rule.
On the rule edit page, set Rule Name, Desensitization Algorithm, and Applied Scope, and click Save, as shown in the following figure.
The following table describes each setting item.
| Setting Item | Description |
|---|---|
Rule Name | Mandatory and unrepeatable. |
Desensitization Algorithm | Includes Substitute Char and Substitute All. 1. Substitute Char: Explanation: retains the first x and last x characters of a field value, with all other characters displayed as specified characters. Example: retains the first 3 and last 3 characters, with all other characters displayed as *. If the original value of a field is 18899998888, the desensitized value of the field is 188*****888. 2. Substitute All: Explanation: substitutes the specific character for the entire field value. Example: substitutes * for the entire field value. If the original value of a field is 18899998888, the desensitized value of the field is ***********. |
Applied Scope | Includes View and Export. View (optional): displays desensitized field values (which have applied the desensitization rule) when you view a dashboard. Export (mandatory): displays desensitized data for fields that have applied the desensitization rule in the exported Excel file after you export a dashboard. Note: |
The created rules are displayed on the data desensitization page. You can edit, rename, disable, and delete the existing rules, as shown in the following figure.
Note:
Data Desensitization Rule Application for Column Permissions
You need to apply the created data desensitization rule to the text field when configuring data column permissions.
1. Log in to the FineBI system as the admin and choose System Management > Permission Management > Common Permission Configuration, click Data Authorization.
2. Configure Data Permission for permission carriers.
3. Click the Edit icon next to the corresponding table to go to the column permission configuration page.
Note:For example, if the user Anna is in sales group 1 of the sales department, you must assign permissions to sales group 1, rather than the sales department.
Click Column Permissions, select the field to be viewed, select the data desensitization rule to be applied, and click OK, as shown in the following figure.
Note:1. The user without column permissions of this field cannot view any relevant data, no matter whether the desensitization rule is applied.
2. Only text fields can be applied with the data desensitization rule. Date and value fields do not support the data desensitization function.
If text fields are converted into date/value fields, the desensitization rule will be invalid. After you restore date/value fields to text fields, the data desensitization rule is still valid.
3. The user who has data management permissions can view relevant data of this field, no matter whether the desensitization rule is applied.
Effective Scope
Multiple permissions (in the user, department, and role levels) may exist in the same field and user. The precedence of these permissions is as follows:
Effective Rule | Description |
User First | If the data desensitization rule of a table field is configured for a user in User's Final Permission > Column Permission, the rules defined in User's Final Permission will take effect regardless of whether the desensitization rule is configured for the department and role of that user. |
Permission Union | If no data desensitization rule is configured in User's Final Permission, the column permission settings for the department and role are combined using a union. 1. If any of the roles/departments that the user belongs to are configured with data desensitization rules, the data will be displayed without data desensitization rules. For example, Alice is in department A and has role B. If a desensitization rule is set for a field in department A (while the rule is not set for the same field in role B), the rule does not take effect when Alice views the field. The union of multiple desensitization rules takes effect if all the roles/departments that the user belongs to are configured with multiple desensitization rules. For example, Alice is in department A and has role B. The desensitization rule set for a field in department A is to retain the first and last two characters and substitute other characters with the * Character. The desensitization rule set for the same field in role B is to retain the first and last four characters and substitute other characters with the $ Character. The final result when Alice views the field is 22**$$$$$$$$$$**22 or 22************22. |
Notes
The following sections introduce possible causes and solutions to the problem of the desensitization rule (which is applied during the permission assignment) being ineffective when you view the field. You can refer to the following sections for troubleshooting.
Incorrect Permission Carriers
Cause:
You must assign permissions to the direct department/position/role of a user, or the user himself/herself. Data desensitization rules do not take effect if you apply the rules to a user's parent department.
For example, suppose the user Anna is the salesman in sales group one under the sales department. In this case, you must assign permissions to the salesman Anna, rather than the sales department/sales group one.
Solution:
Choose System Management > User Management to view a user's direct department/position/role and assign permissions.
Changed Desensitization Rules
Cause:
If the admin edits, renames, disables or deletes the desensitization rules, the desensitization rules configured in Column Permission will be invalid.
Solution:
1. Do not edit/rename/disable/delete the created desensitization rule without careful consideration.
2. Check whether the data desensitization rule in column permissions is highlighted in red. If so, re-select a desensitization rule.
Field Being Performed with Formula Calculations
Cause
Field Being Edited
Cause:
The desensitization rule of a text field may not take effect due to some edit operations in some tables/components.
Solution:
The following table describes various edit operations (that may be performed in some tables/components) and these operations' impacts on the desensitization rule. You can troubleshoot your problems based on this table.
| Operation | Description | |
|---|---|---|
Desensitization for Text Fields in a Base Table | Row-Column Conversion | If you set desensitization rules and Row-Column Conversion for text fields in base tables, the rules for the fields will be invalid. |
Field Type Conversion | If you set desensitization rules for text fields and convert text fields into date/value fields in base tables, the rules for the fields will be invalid. | |
Self-Looping Column and Field Settings | This operation does not affect the validity of desensitization rules. | |
Desensitization for Text Fields in Self-Service Datasets | Select Field | This operation does not affect the validity of desensitization rules. |
Filter | The selectable content in the drop-down list is displayed as the effect after desensitization. For example, the field value 18899999888 is displayed as 188*****888 in the drop-down list after desensitization. Do not directly select the desensitized value from the drop-down list for data filtering (as the actual value is hidden, causing an inaccurate analysis). Instead, you should manually enter the actual value (such as 18899999888), which can be automatically matched with the desensitized value. Then the system can filter data accordingly. | |
Group Summary | 1. In the 6.1.1 version and later If the desensitized field is a group field, the original desensitization rule will be displayed. If the desensitized field is a summary field, and the summary method is set to be counted/counted without duplication, the summary value will be displayed normally without desensitization. 2. In the version 6.1.0 and earlier The entire field values (created by desensitized fields) are desensitized and displayed as ****. | |
Union All | If you perform Union All for desensitized fields, the entire field values will be displayed in the desensitization way after the operation. If you perform Union All for the desensitized field A and the non-desensitized field B, the union field will be displayed based on the desensitization rule of the field A. If you perform Union All for the desensitized field A and the desensitized field B, the union field will be displayed based on the desensitization rules of both the field A and the field B. | |
Add Column | The entire field values (created by desensitized fields) are desensitized and displayed as ****. | |
Group Assignment | The entire field values (created by desensitized fields) are desensitized and displayed as ****. | |
Summary Column | The entire field values (created by desensitized fields) are desensitized and displayed as ****. | |
Assignment Column | The entire field values (created by desensitized fields) are desensitized and displayed as ****. | |
Field Settings | This operation does not affect the validity of desensitization rules. | |
Sort | This operation does not affect the validity of desensitization rules. | |
Join | This operation does not affect the validity of desensitization rules. | |
Column from Other Tables | This operation does not affect the validity of desensitization rules. | |
Column to Row | This operation does not affect the validity of desensitization rules. | |
Row to Column | / | |
| Component | Converting Dimension Fields into Indicator Fields | After the desensitized dimension field is converted into the indicator field (counted without duplication), the summary value is displayed normally without desensitization. |
Dashboard | Geographic Dimension | Fields after desensitization cannot be matched with geographic locations. |
Filter | The selectable content in the drop-down list is displayed as the effect after desensitization. For example, the field value 18899999888 is displayed as 188*****888 in the drop-down list after desensitization. Do not directly select the desensitized value from the drop-down list for data filtering (as the actual value is hidden, causing an inaccurate analysis). Instead, you should manually enter the actual value (such as 18899999888), which can be automatically matched with the desensitized value. Then the system can filter data accordingly. | |
Customize Grouping Customize Sort Drill Linkage Jump | You cannot perform relevant operations for fields normally. | |
Node Expanding | This operation does not affect the validity of desensitization rules. | |
Share | This operation does not affect the validity of desensitization rules. |
