Encrypt data from a record producer

Record producers allow end users to create task-based records, such as incident records, from the Service Catalog and Service Portal. If a record producer attempts to insert data into a field marked for encryption, an invalid insert message displays and the data is not saved to the field. To configure your Edge Encryption proxy server to allow inserts from a record producer, create encryption rules from the record producer record.

Before you begin

Role required: security_admin

Encrypting data from a record producer requires an encryption configuration defined for the target field. Check that you have created an encryption configuration for the target field and table before creating an encryption rule from a record producer. See Create an encryption configuration. To encrypt attachments from a record producer, see Configure attachment encryption.

Procedure

  1. Log in to your instance through the Edge Encryption proxy server.
  2. Navigate to Service Catalog > Catalog Definitions > Record Producers.
  3. Create a record producer record or open an existing record producer record.
  4. Under Related Links, select Create Edge Encryption Rule.

    Two inactive encryption rules are automatically created to encrypt data sent from the record producer to the field marked for encryption.

    Encryption rule | Description
    <RecordProducerName> | Rule created to process POST parameters from the Service Catalog and map variables to fields in the instance.
    <RecordProducerName>Json | Rule created to process a JSON payload from the Service Portal and map variables to fields in the instance.
  5. Activate the necessary encryption rules created by the record producer.
    1. Navigate to Edge Encryption Configuration > Rules > All.
    2. Depending on where the record producer will be used, open the associated encryption rule created by the record producer and select the Active flag.
      If using the record producer in the Service Catalog, activate the <RecordProducerName> encryption rule. If using the record producer in the Service Portal, activate the <RecordProducerName>Json encryption rule.
  6. If using the record producer in the Service Portal, add a sys_id URL parameter to the widget client script record producer function. Then, in the <RecordProducerName>Json encryption rule condition, add a check for the correct record producer sys_id.
    Checking for the record producer sys_id ensures that the correct record producer is associated with the rule.
    1. Open the widget that uses the record producer in the widget editor.
      To edit a base system widget, you must first clone the widget.
    2. Examine the client script and locate the record producer function. For example, if updating a clone of the SC Catalog Item widget, the postCatalogFormRequest() function calls the record producer.
    3. Add a statement to the function to add a sys_id URL parameter to the record producer.
      var url = spUtil.getURL('sc_cat_item') + "&sys_id=" + 
      $scope.data.sc_cat_item.sys_id;
    4. Save the widget.
    5. Open the <RecordProducerName>Json encryption rule.
    6. In the condition, add a check for the record producer sys_id.

      Replace <record_producer_sys_id> with the correct sys_id.

      function RecordProducerNameJsonCondition(request) {
      	if(request.path.indexOf("angular.do") > -1 && request.urlParams.sys_id == '<record_producer_sys_id>' && request.urlParams.type == 'sc_cat_item') {
      		return true;
      	}
      	return false;
      }
      
    The record producer sys_id is a unique identifier for the Edge Encryption rule condition. Adding this parameter guarantees that the correct Edge Encryption rule is executed, regardless of the underlying variable mappings.
  7. Examine the encryption rule Action field and replace 'FILL ME IN' with the target field for any scripted variables.

    If a record producer directly maps a variable to a field in a table, the encryption rule automatically maps the variable to the correct field. However, if a variable is indirectly mapped through scripts on the platform, you may need to update the rules to map each variable to the correct field. The variable sys_id is provided to ensure that the correct variable is mapped to the target field.

Result

The two encryption rules enable the record producer to insert values into fields marked for encryption from either the Service Catalog or Service Portal.
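
The condition from step 6 can be exercised outside the proxy before the rule is activated. The following is an added example, not ServiceNow code: it runs that condition and a hypothetical variant without the sys_id check against constructed request URLs. The names toRequest and conditionWithoutSysId, the sys_id values, and the URLs are assumptions made for illustration.

```javascript
// Constructed sys_id values; real ones come from the record producer records.
const TARGET_SYS_ID = 'a'.repeat(32);
const OTHER_SYS_ID = 'b'.repeat(32);

// Condition from step 6, with the placeholder filled in by TARGET_SYS_ID.
function RecordProducerNameJsonCondition(request) {
  if (request.path.indexOf('angular.do') > -1 &&
      request.urlParams.sys_id == TARGET_SYS_ID &&
      request.urlParams.type == 'sc_cat_item') {
    return true;
  }
  return false;
}

// Hypothetical condition without the sys_id check, for comparison only.
function conditionWithoutSysId(request) {
  return request.path.indexOf('angular.do') > -1 &&
    request.urlParams.type == 'sc_cat_item';
}

// Assumption: the rule sees the URL path as request.path and the query
// string as request.urlParams, the two properties the condition reads.
function toRequest(url) {
  const u = new URL(url, 'https://proxy.example');
  return { path: u.pathname, urlParams: Object.fromEntries(u.searchParams) };
}

// Constructed request URLs, not captured traffic.
const SAMPLES = {
  targetProducer: '/angular.do?type=sc_cat_item&sys_id=' + TARGET_SYS_ID,
  otherProducer: '/angular.do?type=sc_cat_item&sys_id=' + OTHER_SYS_ID,
  sysIdNotAdded: '/angular.do?type=sc_cat_item',
  otherType: '/angular.do?type=other_type&sys_id=' + TARGET_SYS_ID,
  otherPath: '/other.do?type=sc_cat_item&sys_id=' + TARGET_SYS_ID,
};

// Evaluate both conditions against every sample URL.
function evaluateSamples() {
  const results = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    const request = toRequest(url);
    results[name] = {
      withSysId: RecordProducerNameJsonCondition(request),
      withoutSysId: conditionWithoutSysId(request),
    };
  }
  return results;
}

console.table(evaluateSamples());
```

The otherProducer row is the case the sys_id check exists for: only the variant without the check matches it. The sysIdNotAdded row shows that the step 6 condition never matches when the widget change that adds the sys_id URL parameter is skipped.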