Structure

public sealed class SecurityPolicy
{
    public bool MaskInLogs             { get; init; } = false;
    public bool MaskInOutput           { get; init; } = false;
    public bool RequiresElevatedAccess { get; init; } = false;
}

MaskInLogs

When true, the field's value is replaced with [REDACTED] in all structured log output — activity logs, diagnostic traces, error logs that serialise node input/output, and audit event payloads.

Always set MaskInLogs: true for:
  • Passwords and API keys
  • Credential vault references (even integer IDs)
  • Bearer tokens, session tokens, OAuth secrets
  • Personally Identifiable Information in high-security contexts
  • Financial account numbers

MaskInOutput

When true, the field's value is removed or redacted from the node's output data before it is passed to downstream nodes or persisted. This is stronger protection than MaskInLogs — it prevents the sensitive value from ever leaving the node.

Use when the field is a secret that has been consumed by this node and must not propagate further into the workflow pipeline.

Contradiction to avoid: Setting MaskInOutput: true on a field with EmitsToDownstream: true is contradictory — the field says it emits but security prevents it. MaskInOutput takes precedence. Avoid this combination.
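The difference between the two masking flags, and the precedence rule above, as an added example that is not the platform's own code. FieldDef and PolicyTools are hypothetical names, the sample values are constructed, and dropping a masked field from output (rather than redacting it) is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample: three fields of one node and the values it produced.
var fields = new List<FieldDef>
{
    new FieldDef("apiKey",    true, new SecurityPolicy { MaskInLogs = true, MaskInOutput = true }),
    new FieldDef("userEmail", true, new SecurityPolicy { MaskInLogs = true }),
    new FieldDef("orderId",   true, new SecurityPolicy()),
};
var values = new Dictionary<string, string>
{
    ["apiKey"] = "sk-constructed-123", ["userEmail"] = "a@example.test", ["orderId"] = "42",
};

foreach (var w in PolicyTools.FindContradictions(fields)) Console.WriteLine($"WARN {w}");
Console.WriteLine("log:    " + string.Join(", ", PolicyTools.ForLog(fields, values)));
Console.WriteLine("output: " + string.Join(", ", PolicyTools.ForOutput(fields, values)));

// SecurityPolicy as declared on this page.
public sealed class SecurityPolicy
{
    public bool MaskInLogs             { get; init; } = false;
    public bool MaskInOutput           { get; init; } = false;
    public bool RequiresElevatedAccess { get; init; } = false;
}

// Hypothetical field descriptor; EmitsToDownstream is the only member name taken from the page.
public sealed record FieldDef(string Name, bool EmitsToDownstream, SecurityPolicy Policy);

public static class PolicyTools
{
    // Log view: a masked field keeps its key, but the value becomes [REDACTED].
    public static Dictionary<string, string> ForLog(IEnumerable<FieldDef> fields, IReadOnlyDictionary<string, string> values) =>
        fields.Where(f => values.ContainsKey(f.Name))
              .ToDictionary(f => f.Name, f => f.Policy.MaskInLogs ? "[REDACTED]" : values[f.Name]);

    // Output view: MaskInOutput takes precedence over EmitsToDownstream, so the field is dropped.
    public static Dictionary<string, string> ForOutput(IEnumerable<FieldDef> fields, IReadOnlyDictionary<string, string> values) =>
        fields.Where(f => values.ContainsKey(f.Name) && f.EmitsToDownstream && !f.Policy.MaskInOutput)
              .ToDictionary(f => f.Name, f => values[f.Name]);

    // Flags the combination this page says to avoid.
    public static IEnumerable<string> FindContradictions(IEnumerable<FieldDef> fields) =>
        fields.Where(f => f.Policy.MaskInOutput && f.EmitsToDownstream)
              .Select(f => $"{f.Name}: MaskInOutput overrides EmitsToDownstream; set EmitsToDownstream to false");
}
```

Note that userEmail is redacted in the log view yet still reaches downstream nodes in clear text, which is the gap MaskInOutput closes.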

RequiresElevatedAccess

When true, the platform's security gate requires that the current user or process has elevated permissions before reading the field's value in administrative interfaces, modifying its configuration, or viewing audit records containing it.

This flag integrates with the FlowSecurity 4-layer authorisation system. When set, the field's value is gated behind the RequiresElevatedAccess privilege layer.

Security Categories

Category 1 — Full Lockdown (Credentials, Secrets)

// Applied to: API keys, bot tokens, passwords, OAuth secrets, vault references
SecurityPolicy = new SecurityPolicy
{
    MaskInLogs             = true,
    MaskInOutput           = true,
    RequiresElevatedAccess = true
},
// Also combine with:
HilPolicy        = new HilPolicy { SendToHil = false, DisplayMode = HilDisplayMode.Concealed },
DataFlowPolicy   = new DataFlowPolicy { ExcludeFromInputMapping = true, ExcludeFromOutputMapping = true }

Category 2 — Log-Only Masking (Sensitive Business Data)

// Applied to: email addresses (high-privacy), SSNs, employee IDs in compliance contexts
SecurityPolicy = new SecurityPolicy
{
    MaskInLogs             = true,
    MaskInOutput           = false,   // value flows normally through workflow
    RequiresElevatedAccess = false
}

Category 3 — Elevated Access Only (Admin-Tier Config)

// Applied to: system-level configuration fields non-admin users should not modify
SecurityPolicy = new SecurityPolicy
{
    MaskInLogs             = false,
    MaskInOutput           = false,
    RequiresElevatedAccess = true
}

Category 4 — No Special Security (Default)

// Applied to: most regular business fields
SecurityPolicy = new SecurityPolicy()   // all defaults = false

Relationship to ICredentialResolver

All ExecutionNodes use ICredentialResolver for passwords and API keys — the node config stores an integer credentialId, never the raw secret. Security Policy adds a second defence layer on top:

Mechanism                              | What it protects
---------------------------------------|-----------------------------------------------------------------------
ICredentialResolver                    | Raw secrets never stored in config — only an integer vault reference
MaskInLogs: true                       | Even the credentialId integer is redacted in logs
RequiresElevatedAccess: true           | Only authorised users can configure the credential binding
ExcludeFromInputMapping/OutputMapping  | Credential field is completely isolated from data flow

Compliance Checklist