Configure script access to encrypted data

  • Release version: Washingtondc
  • Updated February 1, 2024

  Execute a script to run the cryptographic module policy for a cryptographic purpose. Specific read (decrypt/unwrap) or write (encrypt/wrap) access can be defined based on the module access policy operation granularity.

    Before you begin

    Role required: sn_kmf.cryptographic_manager

    About this task

    Typical uses are Business Rules and Script Includes. This procedure uses a Business Rule script.

    Procedure

    1. Create a cryptographic module with the symmetric data encryption/decryption algorithm.
      Refer to Create a cryptographic module for details. Specific access to the data or attachment is controlled with a module access policy with the following characteristics:
      • Symmetric encryption: The script is able to encrypt data but unable to decrypt the data.
      • Symmetric decryption: The script is able to decrypt uploaded encrypted data or attachment but unable to encrypt data or attachments.
      • Symmetric encryption and decryption: The script is able to both encrypt and decrypt data or attachments.
    2. Navigate to System Definition > Business Rules.
    3. Click New.
      New Business Rule record.
    4. Complete the form on the When to run tab and enter the script on the Advanced tab:
      Table 1. Business Rule fields

      | Field | Description |
      |---|---|
      | Name | Enter a name for the business rule. |
      | Table | Select Incident [incident] from the drop-down list. |
      | Application | Global is selected by default. |
      | Active | Mark the rule as Active. |
      | Advanced | Select the check box to display advanced options. |
      | When to run tab | On the When to run tab, enable Insert and Update fields. |
      | Advanced tab | On the Advanced tab, paste the following script text at line 3: |

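      // Load the cryptographic module by name.
      var gc = global.GlideCryptoModule.getModule('global.acme_mod');
      var value = 'test';
      // Encrypt the sample value; requires encryption access in the module access policy.
      var encrypted = gc.encryptData(value);
      gs.info('value: ' + value);
      gs.info('Encrypted: ' + encrypted);
      // Decrypt the result; requires decryption access in the module access policy.
      var decrypted = gc.decryptData(encrypted);
      gs.info('Decrypted: ' + decrypted);
      // Logs true when the round trip returns the original value.
      gs.info(decrypted == value);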
      
      Note:
      Refer to the "Business Rules Advanced Tab" image for details.

      Business Rule Advanced tab.

    5. Click Submit.
    6. Navigate to Key Management > Module Access Policies > All.
      Note:
      For additional information, refer to Create a module access policy.
    7. Click New.
    8. Complete the form.
      Target script selection.

      Table 2. Module Access Policies fields

      | Field | Description |
      |---|---|
      | Policy name | Enter a name for the policy. |
      | Crypto module | Click the search icon to select a module with the symmetric data encryption/decryption algorithm. |
      | Type | Select Script to control access by script. |
      | Script Table | Select a value from the script table drop-down list. For this example, select Business Rule [sys_script]. |
      | Target Script | Select the script document for the policy. Select the Table name and then the related document for the policy. For this example, select the Business Rule that you created in previous steps. |
      | Active | Select to activate the policy. |
      | Result | To give the script access to the module, select Track in the Result field. |

    9. Click Submit.
      The Module Access Policy for the script is now available in the system.
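
The script in step 4 writes the plaintext and the decrypted value to the system log and assumes both operations are permitted. The following added example (not ServiceNow code and not part of the original page) reports which of the access types from step 1 the calling script actually has, and logs only the outcomes. `checkModuleAccess`, `attempt` and the `knownCiphertext` parameter are hypothetical names, and the code assumes that an operation rejected by the policy either throws or returns an empty result.

```javascript
// Added example. In a Business Rule, call it as:
//   checkModuleAccess(global.GlideCryptoModule.getModule('global.acme_mod'),
//                     function (m) { gs.info(m); });
// Assumption: an operation the module access policy rejects either throws
// or returns null/empty. Confirm the exact behavior on your instance.
function attempt(fn) {
    try {
        var out = fn();
        return { ok: out !== null && out !== undefined && out !== '', value: out };
    } catch (e) {
        return { ok: false, value: null };
    }
}

function checkModuleAccess(mod, log, knownCiphertext) {
    var probe = 'kmf-access-probe'; // constructed test value, not real data
    var enc = attempt(function () { return mod.encryptData(probe); });
    // Decrypt our own ciphertext when encryption worked; otherwise fall back
    // to a ciphertext supplied by the caller (needed for decrypt-only access).
    var input = enc.ok ? enc.value : knownCiphertext;
    var dec = input ? attempt(function () { return mod.decryptData(input); })
                    : { ok: false, value: null };
    var result = {
        canEncrypt: enc.ok,
        canDecrypt: dec.ok,
        // The round trip is only provable when both operations ran on the probe.
        roundTrip: enc.ok && dec.ok && String(dec.value) === probe
    };
    // Log outcomes only: never the plaintext, ciphertext or decrypted value.
    log('crypto module access: encrypt=' + result.canEncrypt +
        ' decrypt=' + result.canDecrypt + ' roundTrip=' + result.roundTrip);
    return result;
}
```

A result of `canEncrypt` without `canDecrypt` corresponds to a symmetric encryption policy, the reverse to a symmetric decryption policy, and `roundTrip` to a policy that grants both.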