Disable Logging of Sensitive Data

jgregor4
Level 6

I am facing a challenge where I need to ensure data is not being logged when the process is running.

While this seems straightforward, the steps followed so far do not seem to work.

Situation is the process will read data from an Excel Spreadsheet and use that to load into the queue.

I have set "Do not Log Parameters on this stage" which works, until someone turns on full logging of the resource at system level.

Surely there must be a way to ensure that no matter what, certain data is not captured in the logs.

Is there anything I am missing, or does anyone have a good workaround to ensure that data read from Excel will NEVER show in the logs?

This seems like a feature that would be needed by a lot of people so not sure if it is something that needs to be developed into Blue Prism.

4 REPLIES

steven.boggs
Staff

Ensuring proper roles and permissions are set in your environment for users to have (or in this case, not have) access to change logging levels on resources at a system level would be the primary security suggestion here.

Best-practice guidance for logging, securing your environment, and how our ROM recommends ensuring that sensitive data is handled appropriately can be found in the links below:

jgregor4
Level 6

Hi, the correct roles and permissions are set - there are only a limited number of specialist users that can change the logging levels at resource level - however as this is a possibility when issues occur and full logging is turned on - the risk is that this data will then be exposed.


@jgregor4 wrote:

Hi, the correct roles and permissions are set - there are only a limited number of specialist users that can change the logging levels at resource level - however as this is a possibility when issues occur and full logging is turned on - the risk is that this data will then be exposed.


If there are a limited number of users who have access to change logging levels, they likely also have access to the data within the Process/Data Item/Collection anyway. Setting logging levels in Production Processes to anything beyond "errors only" is not recommended and should be tightly controlled within your organization. Other customers have brought this up with us (in Support) in the past, and the main takeaway here is: 'If the user is in the Process, and the Data Item is in the Process, then by definition, the user has the data at their fingertips and they are the ones that most likely entered it and should have access to it.'

The only scenario in which full logging should be enabled at the resource level is troubleshooting, where dummy data in a lower environment should be used for process debugging, or full-logging data in Production would be collected for troubleshooting a product issue, removed from the database, and shared by an authorized user with Support where NDA/data security contracts exist regarding sensitive data. 

If you feel there should be more restrictive controls over logging enablement beyond the available security controls in the product, I'd encourage you to submit an (or leave a comment and vote on an existing) enhancement request for our Product Team in the Ideas Portal.

Hi, while I appreciate your response - working in a large company with numerous different customer departments, IT, Infrastructure, COE, etc. and using a single instance of Blue Prism between us, we can't say that just because you have access to the process means you should have access to the data.

We have restrictions in place to ensure only authorised people can access the source data, and only authorised people can access Blue Prism and the logs. This doesn't, however, help us stop said people viewing the logs for other processes and potentially then obtaining data they shouldn't be able to see.

I have submitted this as an idea, but it does seem that if other customers have asked these questions in the past then the main takeaway should be to look at a solution in the product, not that "if they can access Blue Prism they should be allowed to access the data" - that is not a realistic cross-departmental organisation.