Obfuscating Personally Identifiable Information (PII)
Generally, enterprises that handle personal data must abide by the data protection and privacy regulations of the jurisdictions in which they operate. For example, companies operating in the European Union must abide by the General Data Protection Regulation (GDPR) within that jurisdiction.
One way to protect the privacy of individuals is to obfuscate Personally Identifiable Information (PII). This approach limits the exposure of designated PII, and is supported by the system APIs. PII can be obfuscated by either nullifying or masking. PII is nullified when its value is returned null. PII is masked when a portion of its value is returned with placeholder characters, such as 'XXXXXXX-3213' as a return value for an account number.
You can nullify the return value of PII by modifying the mapper for the relevant resource property. This can be done in a resource extension. For more information on general schema configuration, see Configuring schemas.
You can mask the return value of PII by writing a Gosu method and modifying the mapper for the relevant resource property to use that method. For details on implementing Gosu code, see the Configuration Guide. The mapper can be modified through a resource extension. For more information on general schema configuration, see Configuring schemas.
Changing the masking pattern
To change the masking pattern applied to a resource property, you can either revise the existing masking Gosu method or write a new one.
Conversely, you can unmask PII that has been masked in the base configuration. This can be
necessary when you need to expose the PII to a specific internal role, such as
administrator. In such circumstances, Guidewire recommends that you create a new schema
extension for the masked property. For example, if you wish to unmask the
taxId property, you would create a
schema property that is mapped directly to the
TaxID entity field. In such
a case, Guidewire recommends that you also allowlist the extended property to make it
visible only to authorized roles. For details on creating resource extensions, see Configuring schemas. For details on
allowlisting fields, see the section on API role files in Cloud API Authentication Guide.
taxIdas a filterable parameter or sortable, it can be included as part of the URL in a request and is more likely to appear in application logs.