Overview
By default, RadiantOne logs may include attribute values that can contain PII (Personally Identifiable Information) or other sensitive data such as passwords, tokens, or identifiers. To avoid exposing this information in clear text, you can configure RadiantOne to mask selected attribute values in the logs using the Attributes Not Displayed in Logs setting.
Applies to:
- Product: RadiantOne Identity Data Management
- Components: RadiantOne service (VDS – Server)
- Versions: 7.4 and later (Classic Control Panel UI)
Problem / Use case:
You need to prevent sensitive attribute values (for example, userPassword, mail, mobile, ssn, or API tokens) from appearing in clear text in RadiantOne log files for security, privacy, or compliance reasons. Instead, you want these values to be automatically redacted (masked) whenever they are written to the logs.
Cause:
RadiantOne logs can include attribute values when processing LDAP binds, searches, updates, or other operations, which may capture PII if no masking is configured. Without additional configuration, these values are written as-is into log files that might be accessed by administrators, support staff, or external tools.
Resolution:
Step 1 – Identify attributes to mask:
Identify all attributes that can contain PII or sensitive data in your environment, such as:
- Authentication and secrets: userPassword, unicodePwd, pwdLastSet, tokens, API keys.
- Contact data: mail, mobile, telephoneNumber, homePhone.
- Personal identifiers: ssn, nationalId, employeeNumber, or any custom ID attributes.
Document this list so it can be centrally maintained and reviewed with your security/compliance teams.
Important: DO NOT mask RadiantOne operational attributes, as this could impact internal behavior and features such as caching, password policy processing, ACIs, and other core functions. Only mask business/PII attributes whose values you do not want to appear in logs.
Step 2 – Open the Front End settings:
- Log in to the Classic Control Panel with an administrative account.
- Go to Settings.
- Select Server Front End.
- Open the Attributes Handling section.
Step 3 – Configure “Attributes Not Displayed in Logs”:
- Locate the property Attributes Not Displayed in Logs.
- In the value field, enter the attribute names you want to mask, separated by a single space (no commas). For example: userPassword unicodePwd mail mobile ssn employeeNumber
- Click Save to persist the change.
- If prompted, apply the configuration or restart the RadiantOne service so the new setting takes effect on all nodes in the cluster.
Step 4 – Validate that masking is working:
- Trigger an operation that would normally log the attributes you configured (for example, a search or update involving mail and mobile).
- Open the relevant RadiantOne log file (such as vds_server_access.log or vds_server.log) from the logs directory or via the Log Viewer.
- Confirm that the configured attributes no longer show their real values but appear as ***** in the logs.
If you still see clear-text values, double-check spelling, case sensitivity, and that you saved and applied the configuration on all cluster nodes.
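As an added check for this validation step (example code, not part of the original article or the RadiantOne product), the script below takes the space-separated setting value from Step 3 and scans log lines for any configured attribute whose value is not *****. The attr=value token format and the sample log lines are constructed assumptions; adapt the regex to the real layout of your vds_server_access.log.

```python
"""Check RadiantOne log lines for clear-text values of attributes listed in
"Attributes Not Displayed in Logs". Assumes an attr=value token format; the
setting value and the sample lines below are constructed for the example."""
import re
from typing import Dict, List, Tuple

MASK = "*****"
# attr=value token; the value stops at whitespace, comma, semicolon, ')' or quote
TOKEN = re.compile(r'\b([A-Za-z][\w-]*)=([^\s,;)"]+)')


def parse_masked_attributes(setting: str) -> List[str]:
    """Parse the setting value: attribute names separated by spaces, no commas."""
    if "," in setting:
        raise ValueError("separate attribute names with spaces, not commas")
    return setting.split()


def validate_masking(setting: str, log_lines: List[str]) -> Dict[str, object]:
    """Report which configured attributes were seen masked, which leaked
    (line number, name as logged, value) and which never appeared at all.
    Names are compared case-insensitively (LDAP attribute types are), so a
    spelling or case mismatch between setting and log shows up as a leak."""
    attributes = parse_masked_attributes(setting)
    wanted = {a.lower(): a for a in attributes}
    masked: set = set()
    leaked: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, 1):
        for name, value in TOKEN.findall(line):
            key = name.lower()
            if key not in wanted:
                continue
            if value == MASK:
                masked.add(wanted[key])
            else:
                leaked.append((lineno, name, value))
    seen = masked | {wanted[name.lower()] for _, name, _ in leaked}
    return {"masked": sorted(masked), "leaked": leaked,
            "not_seen": sorted(set(attributes) - seen)}


# Constructed sample: the Step 3 example value and four synthetic log lines.
SETTING = "userPassword unicodePwd mail mobile ssn employeeNumber"
SAMPLE_LOG = [
    'SEARCH base="ou=people,o=example" filter="(mail=*****)" attrs=mail,mobile',
    'MODIFY dn="uid=jdoe,ou=people,o=example" mail=***** mobile=*****',
    'MODIFY dn="uid=asmith,ou=people,o=example" Mobile=+15555550100 employeeNumber=E12345',
    'BIND dn="uid=jdoe,ou=people,o=example" userPassword=*****',
]

if __name__ == "__main__":
    report = validate_masking(SETTING, SAMPLE_LOG)
    for lineno, name, value in report["leaked"]:
        print(f"line {lineno}: {name} logged in clear text ({value})")
    print("masked:", report["masked"], "not seen:", report["not_seen"])
```

Attributes reported under not_seen were never logged during the test, so their masking is unconfirmed; trigger an operation that touches them and re-run the check.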
How it works:
The Attributes Not Displayed in Logs property instructs RadiantOne to redact values at log-writing time for any attribute name listed in the setting. For those attributes, RadiantOne replaces the real value with ***** in all relevant log entries, while keeping the rest of the log intact for troubleshooting and auditing.
Best practices:
- Cover all sensitive fields: Include all attributes that can contain secrets, identifiers, or personal contact information, including custom attributes specific to your environment.
- Align with compliance: Review the list with your security, privacy, or legal teams to align with regulations such as GDPR, CCPA, or HIPAA.
- Review periodically: As schemas evolve and new attributes are added, periodically review logs and update the list to ensure new PII fields are also masked.
- Combine with other controls: Use this setting alongside access control on logs, log retention policies, and secure forwarding to SIEM/monitoring tools.
Notes:
- This setting affects how attributes are displayed in RadiantOne logs only; it does not change how data is stored in backends or returned to clients over LDAP/REST.
- For additional hardening recommendations around sensitive attributes and changelog exposure, see the RadiantOne hardening and logging documentation.