Bank Account Search
Objective:
To implement a secure bank account search service in Mukta that masks Personally Identifiable Information (PII) in the response based on the user's role and predefined security policies. The PII fields are the account holder name, the account number and the IFSC code.
The response is shaped by the security policy and masking patterns configured in MDMS-V2, which mask these fields with the patterns described below.
Key Components
1. Masking Methodology
Masking is applied to sensitive attributes such as accountHolderName, accountNumber, and ifscCode.
A regular expression-based masking technique is used: every character matched by the configured pattern is replaced with an asterisk (*), and every character the pattern does not match is left as it is.
Example: with the pattern .(?=.{4}), the value 12345678 is masked as ****5678.
2. Security Policy:
Role-Based Access Control (RBAC):
Defines which roles can access attributes in plain text.
Example roles: BILL_ACCOUNTANT, MUKTA_ADMIN.
Attribute Visibility Levels:
PLAIN: The attribute is returned in full.
MASKED: The attribute is partially masked according to the masking pattern referenced by its patternId.
Policy Configuration Example:
{
"model": "BankAccountSearch",
"attributes": [
{
"name": "accountHolderName",
"jsonPath": "accountHolderName",
"patternId": "001",
"defaultVisibility": "MASKED"
},
{
"name": "accountNumber",
"jsonPath": "accountNumber",
"patternId": "001",
"defaultVisibility": "MASKED"
},
{
"name": "ifscCode",
"jsonPath": "bankBranchIdentifier/code",
"patternId": "009",
"defaultVisibility": "MASKED"
}
],
"roleBasedDecryptionPolicy": [
{
"roles": ["BILL_ACCOUNTANT", "MUKTA_ADMIN"],
"attributeAccessList": [
{
"attribute": "accountHolderName",
"firstLevelVisibility": "PLAIN",
"secondLevelVisibility": "PLAIN"
},
{
"attribute": "accountNumber",
"firstLevelVisibility": "PLAIN",
"secondLevelVisibility": "PLAIN"
},
{
"attribute": "ifscCode",
"firstLevelVisibility": "PLAIN",
"secondLevelVisibility": "PLAIN"
}
]
}
]
}
3. Masking Pattern Configuration:
Patterns define how sensitive attributes are masked.
Example configuration:
[
{
"patternId": "001",
"pattern": ".(?=.{4})"
},
{
"patternId": "009",
"pattern": "(?<=.{4}).(?=.{2})"
}]
Pattern Examples:
Pattern .(?=.{4}): masks every character that has at least 4 characters after it, i.e. all characters except the last 4. A value of 4 or fewer characters contains no such character and is returned unmasked, so the pattern should only be applied to attributes whose values are guaranteed to be longer than that.
Pattern (?<=.{4}).(?=.{2}): masks every character that has at least 4 characters before it and at least 2 after it, i.e. all characters except the first 4 and the last 2.
4. Implementation Details:
The service retrieves the security policy and the masking patterns from MDMS.
The user's roles are checked against the roleBasedDecryptionPolicy to determine the visibility level of each attribute.
Masking is applied dynamically to each sensitive attribute whose resolved visibility is MASKED, i.e. whenever none of the user's roles grants plain-text access to it.
5. Code Highlights:
Role Access Check: Ensures attributes are visible in plain text only if the user's role has access; otherwise the attribute's defaultVisibility applies.
Masking Application: Masks attribute values using the pattern identified by the attribute's patternId, fetched from the configuration.
Nested JSON Handling: Retrieves and updates attribute values dynamically using the configured JSON paths (for example bankBranchIdentifier/code for the IFSC code).
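The following Python script is an added example, not the Mukta service's own code. It implements the three pieces described in the sections above: regex masking with patterns 001 and 009, resolution of each attribute's visibility from the caller's roles via roleBasedDecryptionPolicy, and reading and writing nested values through the slash-separated jsonPath (bankBranchIdentifier/code). The POLICY and PATTERNS dictionaries are copied from the configuration shown above; the sample record and the role lists passed in are constructed. It assumes that firstLevelVisibility is the level that applies to a search response (this page does not define when secondLevelVisibility applies) and that "/" separates jsonPath segments.

```python
import copy
import re

# Security policy, copied from the MDMS-V2 configuration shown above.
POLICY = {
    "model": "BankAccountSearch",
    "attributes": [
        {"name": "accountHolderName", "jsonPath": "accountHolderName",
         "patternId": "001", "defaultVisibility": "MASKED"},
        {"name": "accountNumber", "jsonPath": "accountNumber",
         "patternId": "001", "defaultVisibility": "MASKED"},
        {"name": "ifscCode", "jsonPath": "bankBranchIdentifier/code",
         "patternId": "009", "defaultVisibility": "MASKED"},
    ],
    "roleBasedDecryptionPolicy": [
        {"roles": ["BILL_ACCOUNTANT", "MUKTA_ADMIN"],
         "attributeAccessList": [
             {"attribute": "accountHolderName", "firstLevelVisibility": "PLAIN", "secondLevelVisibility": "PLAIN"},
             {"attribute": "accountNumber", "firstLevelVisibility": "PLAIN", "secondLevelVisibility": "PLAIN"},
             {"attribute": "ifscCode", "firstLevelVisibility": "PLAIN", "secondLevelVisibility": "PLAIN"},
         ]},
    ],
}

# Masking patterns, copied from the configuration shown above.
PATTERNS = {
    "001": re.compile(r".(?=.{4})"),           # keep the last 4 characters
    "009": re.compile(r"(?<=.{4}).(?=.{2})"),  # keep the first 4 and last 2
}


def mask(value, pattern_id):
    """Replace every character matched by the configured pattern with '*'.
    Characters the pattern does not match (e.g. all of a 4-character value
    under pattern 001) are returned unchanged."""
    return PATTERNS[pattern_id].sub("*", value)


def visibility_for(attribute, user_roles):
    """PLAIN if any role the caller holds is granted PLAIN for this attribute,
    otherwise the attribute's defaultVisibility.
    Assumption: firstLevelVisibility is the level for a search response."""
    roles = set(user_roles)
    for entry in POLICY["roleBasedDecryptionPolicy"]:
        if not roles.intersection(entry["roles"]):
            continue
        for access in entry["attributeAccessList"]:
            if (access["attribute"] == attribute["name"]
                    and access["firstLevelVisibility"] == "PLAIN"):
                return "PLAIN"
    return attribute["defaultVisibility"]


def get_path(obj, path):
    """Walk a slash-separated jsonPath; None if any segment is absent."""
    for key in path.split("/"):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def set_path(obj, path, value):
    """Write value at a slash-separated jsonPath that is known to exist."""
    keys = path.split("/")
    for key in keys[:-1]:
        obj = obj[key]
    obj[keys[-1]] = value


def apply_policy(record, user_roles):
    """Return a copy of a bank account record with every attribute whose
    visibility resolves to MASKED replaced by its masked form. Attributes
    missing from the record are skipped rather than treated as an error."""
    out = copy.deepcopy(record)
    for attribute in POLICY["attributes"]:
        if visibility_for(attribute, user_roles) == "PLAIN":
            continue
        value = get_path(out, attribute["jsonPath"])
        if isinstance(value, str):
            set_path(out, attribute["jsonPath"], mask(value, attribute["patternId"]))
    return out


# Constructed sample record; not real account data.
SAMPLE = {
    "accountHolderName": "Ramesh Kumar",
    "accountNumber": "12345678",
    "bankBranchIdentifier": {"type": "IFSC", "code": "SBIN0001234"},
}

if __name__ == "__main__":
    print(apply_policy(SAMPLE, ["ORG_VIEWER"]))       # masked
    print(apply_policy(SAMPLE, ["BILL_ACCOUNTANT"]))  # plain
```

A caller holding only ORG_VIEWER receives ********umar, ****5678 and SBIN*****34; a caller holding BILL_ACCOUNTANT or MUKTA_ADMIN receives the record unchanged. Note that mask("123", "001") returns "123": the patterns mask by position, so values shorter than the number of characters they keep are returned in full, which is worth checking for any attribute that can legitimately be that short. The role list passed to apply_policy must be the one the platform attaches from the validated authToken, not one taken from a request body the client controls.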
Curl (browser fingerprint headers and tracking cookies removed; the authToken value is replaced with a placeholder):
curl 'https://mukta-uat.digit.org/mukta-services/bankaccount/v1/_search?_=1734091757871' \
-H 'accept: application/json, text/plain, */*' \
-H 'content-type: application/json' \
-H 'origin: https://mukta-uat.digit.org' \
-H 'referer: https://mukta-uat.digit.org/works-ui/employee/masters/view-wageseeker?tenantId=od.testing&individualId=IND-2024-12-06-004156' \
--data-raw '{"bankAccountDetails":{"tenantId":"od.testing","serviceCode":"IND","referenceId":["7e302cf3-6eb4-4392-89e7-42ab75b13672"]},"RequestInfo":{"apiId":"Rainmaker","authToken":"<authToken>","userInfo":{"id":271,"uuid":"81b1ce2d-262d-4632-b2a3-3e8227769a11","userName":"MUKTAUAT","name":"MUKTAUAT","mobileNumber":"9036146615","emailId":"[email protected]","locale":null,"type":"EMPLOYEE","roles":[{"name":"Organization viewer","code":"ORG_VIEWER","tenantId":"od.testing"},{"name":"MB_VERIFIER","code":"MB_VERIFIER","tenantId":"od.testing"},{"name":"MB_VIEWER","code":"MB_VIEWER","tenantId":"od.testing"},{"name":"MDMS Admin","code":"MDMS_ADMIN","tenantId":"od.testing"},{"name":"MUKTA Admin","code":"MUKTA_ADMIN","tenantId":"od.testing"},{"name":"BILL_ACCOUNTANT","code":"BILL_ACCOUNTANT","tenantId":"od.testing"},{"name":"WORK_ORDER_VIEWER","code":"WORK_ORDER_VIEWER","tenantId":"od.testing"},{"name":"ESTIMATE VERIFIER","code":"ESTIMATE_VERIFIER","tenantId":"od.testing"},{"name":"ESTIMATE VIEWER","code":"ESTIMATE_VIEWER","tenantId":"od.testing"},{"name":"WORK ORDER APPROVER","code":"WORK_ORDER_APPROVER","tenantId":"od.testing"},{"name":"OFFICER IN CHARGE","code":"OFFICER_IN_CHARGE","tenantId":"od.testing"},{"name":"BILL_VIEWER","code":"BILL_VIEWER","tenantId":"od.testing"},{"name":"PROJECT VIEWER","code":"PROJECT_VIEWER","tenantId":"od.testing"},{"name":"BILL_APPROVER","code":"BILL_APPROVER","tenantId":"od.testing"},{"name":"MB_CREATOR","code":"MB_CREATOR","tenantId":"od.testing"},{"name":"MUSTER ROLL VERIFIER","code":"MUSTER_ROLL_VERIFIER","tenantId":"od.testing"},{"name":"ESTIMATE APPROVER","code":"ESTIMATE_APPROVER","tenantId":"od.testing"},{"name":"WORK ORDER CREATOR","code":"WORK_ORDER_CREATOR","tenantId":"od.testing"},{"name":"ESTIMATE CREATOR","code":"ESTIMATE_CREATOR","tenantId":"od.testing"},{"name":"Employee Common","code":"EMPLOYEE_COMMON","tenantId":"od.testing"},{"name":"MDMS STATE VIEW ADMIN","code":"MDMS_STATE_VIEW_ADMIN","tenantId":"od.testing"},{"name":"Localisation admin","code":"LOC_ADMIN","tenantId":"od.testing"},{"name":"TECHNICAL SANCTIONER","code":"TECHNICAL_SANCTIONER","tenantId":"od.testing"},{"name":"Dashboard Viewer","code":"DASHBOARD_VIEWER","tenantId":"od.testing"},{"name":"BILL_CREATOR","code":"BILL_CREATOR","tenantId":"od.testing"},{"name":"Revision of rates","code":"REVISION_OF_RATES","tenantId":"od.testing"},{"name":"BILL_VERIFIER","code":"BILL_VERIFIER","tenantId":"od.testing"},{"name":"MUSTER ROLL APPROVER","code":"MUSTER_ROLL_APPROVER","tenantId":"od.testing"},{"name":"MB_APPROVER","code":"MB_APPROVER","tenantId":"od.testing"},{"name":"MDMS CITY ADMIN","code":"MDMS_CITY_ADMIN","tenantId":"od.testing"},{"name":"PROJECT CREATOR","code":"PROJECT_CREATOR","tenantId":"od.testing"},{"name":"Employee Organization Admin","code":"EMP_ORG_ADMIN","tenantId":"od.testing"},{"name":"WORK ORDER VERIFIER","code":"WORK_ORDER_VERIFIER","tenantId":"od.testing"},{"name":"HRMS Admin","code":"HRMS_ADMIN","tenantId":"od.testing"}],"active":true,"tenantId":"od.testing","permanentCity":"Testing"},"msgId":"1734091757871|en_IN","plainAccessRequest":{}}}' \
--compressed
Because this caller holds both BILL_ACCOUNTANT and MUKTA_ADMIN, the policy above resolves accountHolderName, accountNumber and ifscCode to PLAIN and the response carries them unmasked; a caller without either role receives the masked forms. The role check must be made against the roles the platform attaches to the request from the validated authToken, not against a userInfo block that a client could populate itself.