Encryption domains

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Service Management supports the ability to encrypt specific record type fields via the creation of encryption domains. This enables you to restrict access to sensitive information to selected users.

You can assign groups to an encryption domain; the members of each assigned group will have access to the fields encrypted in that domain. For each user who accesses the encrypted fields, a passcode and a verification code are required.

You can create multiple encryption domains. Each one operates independently. For example, you may want to encrypt sensitive data for changes using Encryption domain 1 and employee data using Encryption domain 2. Each encryption domain requires a separate verification code. (One passcode is valid for all encryption domains.)

After you encrypt a field of a record type, you can add it to a form. The data in the field will be visible only to members of the encryption domain who have been verified. It is also possible to encrypt attachments to records.

Encrypted fields cannot be added to business rules and should not be selected in reports. Global search does not support encrypted fields and you cannot filter or sort record type data by encrypted fields.

Encryption domains are not supported in the Dev2Prod functionality. Any encryption domains defined in your development environment must be manually redefined in your production environment.

For information on the available APIs related to encryption domains, see Encryption domain API.

Note

Encryption domains are not related to data domains.
Encryption domain administrator permission is required to create or update encryption domains.

How to create an encryption domain

From the main menu, select Administration > Master Data > People > Encryption domains.
Click New.
If you have previously defined a passcode, enter it and click Get access.

If you have not yet defined a passcode, enter a passcode 10 to 20 characters long containing at least one upper case character, at least one lower case character, and at least one number. Retype the passcode and click Create passcode.
In the Create encryption domain dialog box, enter a name and display label for the encryption domain, and click Create.

Important When you define a new encryption domain, Service Management generates four encryption keys for backup purposes. Copy these keys and save them in a secure location. In the event of an emergency where the encryption domain becomes inaccessible, contact HPE Support and provide the backup keys to gain access to the encryption domain. HPE has no access to the generated keys.
You are set as the Default owner of the encryption domain. After creating the domain, you can select a different default owner from the drop-down list. The default owner must be verified for the encryption domain.
Select a Backup owner for the encryption domain from the drop-down list.

Only the default owner and backup owner have permission to create verification codes for other users for this encryption domain.
In the Members list section, click Add and select a group from the drop-down list. You can add multiple groups.

The members of the selected groups will have access to the fields encrypted via this domain.

Note Encryption is supported for groups of up to 250 members only.
To access fields encrypted via this domain, the members need a verification code. To create verification codes for the encryption domain members, do one of the following:
- Click Create verification code for all domain members on the toolbar. This generates a single verification code for all members of the encryption domain.
- Click Create verification code next to the name of a group member. This generates a verification code for this user only.
In either case, pass the verification code to the relevant user(s) securely.

Caution Do not send a verification code by email.
Click Save to save the encryption domain.

How to encrypt a field

From the main menu, select Administration > Configuration > Records > Fields. Select the required record type.
Create a new custom field of type MEDIUM_TEXT, LARGE_TEXT, or RICH_TEXT.
Select the Encrypted check box. The Encryption domain property appears.
Select the encryption domain from the drop-down list.
(Optional) Click Set advanced options to open the encryption definition dialog box for the field. The default encryption domain you selected is displayed. Proceed as follows:
1. Click Add condition to add a condition row.
2. In the Condition box, enter an Expression Language phrase defining the required condition. For more information about the Expression Language, see Expression Language.
3. In the Encryption domain box, select the alternate encryption domain to be used when the condition is satisfied. If you select Not encrypted, the field will remain unencrypted when the condition is satisfied.
4. Optionally, click Add condition again to add another condition row. There is no limit to the number of conditions you can define for a field encryption.
5. Click OK. All the encryption domains used in the definition appear in the Encryption domains field.
Click Save to save the field.

Note The maximum length of encrypted fields is lower than the limit for unencrypted fields of the same type.
You can add the encrypted field to a form. When a user accesses a record of that type, the data in the field is hidden and the icon appears in its place. For information on adding a field to a form, see How to edit a form.

Note

Encryption domains are not supported for template fields (for instance, Change templates or Incident templates).
The Default values tab of a model (for instance, Change models or Incident models) cannot contain encrypted fields. It is possible to add fields that are defined as conditionally encrypted (using the Advanced options), but the fields will be unencrypted in the model.
Encryption domains are not supported for Service Portal users. Encrypted fields should not be added to forms that are available in the Service Portal.

How to encrypt attachments

From the main menu, select Administration > Configuration > Records > Fields. Select the required record type.
Select the out-of-the-box Attachments field.
Select the Encrypted check box. The Encryption domain property appears.
Select the encryption domain from the drop-down list.
Optionally, set the advanced options for the encryption, as you would for other encrypted fields.
Click Save to save the field.
When a user accesses a record of that type, a new button, Add encrypted attachments, appears next to the Add attachments button in the Attachments section of the records. The user can add both encrypted and unencrypted attachments.

Note

It is possible to configure Service Management to display only the Add encrypted attachments button for record types for which encrypted attachments are defined. The user will not be able to add unencrypted attachments for these record types. To enable this feature, submit a request to HPE Support.
In the Service Portal, the Add encrypted attachments button is never displayed. Encrypted attachments added to a record in Service Management are not accessible in the Service Portal.

How to view and edit encrypted data

If you expect to work with encrypted data, it is recommended to enter your credentials after you log in.
1. Click your login name to open the Profile page.
2. Click the Security Settings link to open a dialog box and enter your passcode.
3. All of your encryption domains are displayed. You can enter a verification code for each one.
Once you are verified for an encryption domain, all fields associated with that domain will appear decrypted. A icon appears next to each decrypted field.

The system retains your passcode for a period of one hour while there is user activity. If you continue working beyond that period, or if there is no user activity for 10 minutes, you are prompted to re-enter your passcode. You only need to enter your verification code once per domain.

Note If you enter an incorrect passcode 3 times, the passcode is locked for 15 minutes. After the next incorrect attempt, it is locked for 30 minutes, then for one hour, and so on.
If you did not enter your credentials at login, when you attempt to access record data, the data of an encrypted field is hidden and the icon appears in its place on the record page. When you click the icon, a dialog box pops up and prompts you to enter your credentials. Enter your passcode and verification code.

If you are not a member of this encryption domain, the field data is hidden and the icon appears in its place. This indicates that you cannot access the field data.
If you forgot your passcode, click the Forgot your passcode? link to open a dialog box where you can create a new passcode.
You will be prompted to create a new passcode before the old one expires. If your passcode expires, you must create a new one and re-verify all of your encryption domains.
If you do not have a verification code for this encryption domain, click the Ask for verification code link. A message appears stating that a verification code request was sent to the encryption domain owner. The domain owner or backup owner will pass you the code securely.
If you want to change your passcode, click the Security Settings link on the Profile page and click the Change passcode link.
If an administrator made changes to an encryption domain before you saved changes to a record, you will be prompted to re-enter your credentials if you are still a member of the encryption domain. If you were removed from the domain, you will be unable to save your changes.