Masking or Obfuscating Sensitive User Information in the Admin UI

[yacho-isens]

Masking or Obfuscating Sensitive User Information in the Admin UI

Description

1. Issue
In the admin page, user email addresses are currently visible in areas such as the dashboard and user management menus.

2. Proposed Solution
To prevent information leakage and potential security incidents, we would like to know if it is possible to hide or mask user email addresses in the admin UI, similar to how sensitive information such as API keys is hidden.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

[mooreds]

@yacho-isens thanks for filing the issue. Can you explain the use case a bit more? Why do you want to hide email addresses from admins?

[yacho-isens]

@mooreds Thank you for your reply. When an administrator logs in to the FusionAuth admin console, the dashboard currently displays the email addresses of all recently logged-in users. Even if we minimize the administrator’s role, the admin UI still allows access to the Dashboard, where these email addresses are visible.

Since email addresses are personal information, we would like to reduce unnecessary exposure. For this reason, we are wondering if it is possible to mask these email addresses or otherwise limit their visibility for better security.

[mooreds]

thanks for the feedback @yacho-isens .

Would it meet your needs if admin users did not see any user emails on the dashboard page unless they had one of the following roles:

• admin
• user_manager
• user_deleter
• user_support_manager
• user_support_viewer

[yacho-isens]

@mooreds Thank you for your reply. Yes, that works for me.

[mooreds]

thanks @yacho-isens . We'll evaluate this request as part of our feature prioritization process and update this if/when we decide to implement.

Thanks again for walking through the use case with me.