
Support for Sensitive/PII/Personal Data

Open galvo opened this issue 4 years ago • 15 comments

It would be useful if you could tag schema properties and parameters as being sensitive or PII-specific so that these could be tagged appropriately in API docs.

galvo avatar Apr 02 '20 00:04 galvo

You could use an extension such as x-pii: true.

hkosova avatar Apr 04 '20 11:04 hkosova

That's the exact extension we are going with, actually, but it would be ideal to have it incorporated in the spec and to standardise on it so that all API doc generators handle it the same way, i.e. swagger, widdershins, readme, apigee, etc.

galvo avatar Apr 04 '20 11:04 galvo

A good candidate for a ui / forms / documentation vocabulary to extend JSON Schema.

MikeRalphson avatar Apr 04 '20 11:04 MikeRalphson

@MikeRalphson does such a vocabulary exist or is there a suitable place to get one started?

galvo avatar Apr 04 '20 14:04 galvo

@galvo formal extension vocabularies will be a thing in OAS 3.1 (with JSON Schema draft 2019-09 or later). So there aren't any yet but there is a lot of interest.

We've designated https://github.com/json-schema-org/json-schema-vocabularies/issues as a place to hold ideas, although the JSON Schema organization will not be acting on those directly. It is more of a clearinghouse for others to figure out what might be useful.

It is not necessary for a vocabulary to be proposed there, it's just where we moved all of the keyword proposals from the JSON Schema spec repo that weren't going into the core or validation spec.

handrews avatar Apr 04 '20 21:04 handrews

It would be good for sensitive information not to be part of what gets logged also - notably not to be considered in the toString method of java implementations for example

lpicquet avatar Oct 31 '21 14:10 lpicquet

> It would be good for sensitive information not to be part of what gets logged also - notably not to be considered in the toString method of java implementations for example

has anything happened about this issue? it would be really useful

Barna1234 avatar May 30 '22 10:05 Barna1234

I agree this is a useful feature (especially in the EU with all the GDPR regulation). This would allow gateways and loggers to not have to take the decision of whether something should be logged or not, for instance; also, sharing documentation with the party using the API is subject to regulation, for instance as manipulating sensitive data.

Note that it can be tricky, as the PII definition can vary from one regulation to another...

Also, in some cases a single field is not PII but the combination of them is.

Still, having a simple true/false flag can usually handle most of the cases.

LasneF avatar Feb 07 '24 15:02 LasneF
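To make the `x-pii: true` extension suggested above concrete, and to show the logging use that lpicquet and LasneF describe (a gateway or logger consuming the flag rather than deciding on its own), here is an added example that is not part of the issue thread, the OpenAPI project, or any of the commenters' code. It embeds a constructed OpenAPI 3.x fragment as a Python dict (no real API is described), resolves local `$ref`s, and redacts every property and query parameter flagged `x-pii: true` before a payload is serialised for a log line. The `REDACTED` marker, the fail-closed treatment of fields the schema does not declare, and the helper names are all assumptions made for this illustration.

```python
"""Redact x-pii-tagged data before logging, driven by an OpenAPI document."""
import json
from typing import Any

# Constructed OpenAPI 3.x fragment for this example (not a real API).
# x-pii is the vendor extension discussed in the thread; everything else
# is ordinary OpenAPI.
SPEC: dict = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {
            "Address": {
                "type": "object",
                "properties": {
                    "street": {"type": "string", "x-pii": True},
                    "country": {"type": "string"},
                },
            },
            "Customer": {
                "type": "object",
                "properties": {
                    "id": {"type": "string"},
                    "email": {"type": "string", "format": "email", "x-pii": True},
                    "address": {"$ref": "#/components/schemas/Address"},
                    "phones": {"type": "array",
                               "items": {"type": "string", "x-pii": True}},
                },
            },
        }
    },
    "paths": {
        "/customers": {
            "get": {
                "parameters": [
                    {"name": "email", "in": "query",
                     "schema": {"type": "string"}, "x-pii": True},
                    {"name": "page", "in": "query",
                     "schema": {"type": "integer"}},
                ]
            }
        }
    },
}

REDACTED = "[REDACTED]"  # assumed marker; any fixed token works


def resolve_ref(spec: dict, ref: str) -> dict:
    """Follow a local JSON pointer such as '#/components/schemas/Address'."""
    if not ref.startswith("#/"):
        raise ValueError("only local $ref values are supported here")
    node: Any = spec
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def redact(value: Any, schema: dict, spec: dict) -> Any:
    """Return a copy of value with every x-pii subtree replaced by REDACTED.

    The flag is honoured both on the referencing property and on the
    referenced schema, so either placement works. Fields the schema does
    not declare cannot be classified, so they are redacted too (fail closed).
    """
    if schema.get("x-pii") is True:
        return REDACTED
    if "$ref" in schema:
        schema = resolve_ref(spec, schema["$ref"])
        if schema.get("x-pii") is True:
            return REDACTED
    if isinstance(value, dict):
        props = schema.get("properties", {})
        return {k: (redact(v, props[k], spec) if k in props else REDACTED)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, schema.get("items", {}), spec) for v in value]
    return value


def pii_parameters(spec: dict, path: str, method: str) -> set:
    """Names of the operation's parameters tagged x-pii: true."""
    op = spec["paths"][path][method]
    return {p["name"] for p in op.get("parameters", []) if p.get("x-pii") is True}


def redact_query(params: dict, spec: dict, path: str, method: str) -> dict:
    flagged = pii_parameters(spec, path, method)
    return {k: (REDACTED if k in flagged else v) for k, v in params.items()}


def log_line(body: dict, schema_ref: str, spec: dict) -> str:
    """What a gateway would actually write: the redacted body as JSON."""
    return json.dumps(redact(body, {"$ref": schema_ref}, spec), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample response body, including an undeclared field.
    body = {"id": "c-1", "email": "a@example.com",
            "address": {"street": "1 Main St", "country": "FR"},
            "phones": ["+33 1 00 00 00 00"], "nickname": "al"}
    print(log_line(body, "#/components/schemas/Customer", SPEC))
    print(redact_query({"email": "a@example.com", "page": 2},
                       SPEC, "/customers", "get"))
```

The walk covers `properties`, `items` and local `$ref` only; `allOf`/`oneOf`/`anyOf` composition would need to be merged first, and LasneF's point that a combination of individually harmless fields can be PII is not expressible with a single boolean, so that case still needs policy outside the schema.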