About Protected Custom Attributes


Custom ticket, asset, configuration item, issue or risk attributes can be marked as Protected, which means their content will be protected from unauthorized viewing. An attribute with the Protected flag is referred to as a Protected Custom Attribute (PCA). Once data has been entered into a PCA field, an individual with TDNext access can only view a PCA if they have permission for that specific attribute, and every view and edit of the attribute is logged. In order to ensure PCAs remain secure, they are excluded from Reporting and the API, and they cannot be drivers for attribute dependencies.

At this time Protected Custom Attributes can only be created by ESM Enterprise Administrators. Department's desiring to use a PCA should submit an Enterprise Service Management request for assistance.

In this article:

Viewing Protected Custom Attributes

When a technician views an item with PCAs, they will see each attribute’s value hidden by an eye icon (). When the technician clicks on the eye, if they are in a group with permission, the value will displayed and the eye icon will be updated to have a slash through it (). When they view an attribute, a log entry is created with who viewed the attribute, which attribute they saw, the value at the time, and their IP address. This log entry is kept separate within TDAdmin.

Technicians without permission to the PCA will not see the eye icon, so they cannot view the attribute. If the attribute is partially masked (see below), they will be able to see the unmasked part. Otherwise, the entire attribute value will be hidden from them.

Partial Masking

PCAs can be configured to show partial values, such as masking all but the final 4 digits of a Identification Number. This can allow some individuals to view only the unmasked part, and others to view the whole value.

The following shows an example of PCAs without masking enabled.
Enterprise Service Management Protected Custom Attribute without text masking

The following shows an example of a PCA textbox with masking enabled.
Enterprise Service Management Protected Custom Attribute with text masking

PIN Authentication

PCAs can also be further protected with PIN authentication. This will require the individual to validate that they are the correct person by entering their PIN before they can view a custom attribute. If an individual forgets their PIN, an ESM Enterprise Administrator can reset it for them using the Reset PIN option in the Actions menu on the person's record.

The very first time a person attempts to access a PCA that has PIN authentication enabled, they will see a prompt similar to the following asking them to enter a PIN, and then re-enter to Confirm PIN.
Enterprise Service Management Set PIN Authentication dialog window

If an individual enters an invalid PIN, they will be warned that they have X attempts remaining. This counter resets after they've successfully entered their PIN.
Enterprise Service Management Protected Attributes PIN incorrect error message
However, if the are unsuccessful ten (10) times in a row their PIN will be temporarily locked for 30 minutes.
Enterprise Service Management PIN Authentication locked for 30-min message

Edit Data Within Protected Attributes

When a technician edits or updates a work item with PCAs, the protected attribute fields will still be hidden, the same as when viewing the details page.
Enterprise Service Management Protected Custom Attributes hidden in edit/update view

Once they view the attribute, it will display in an editable field, and an update can be made. If an update is made, two log entries will be created; one for viewing the attribute, and another for changing it.
Enterprise Service Management Protected Custom Attributes edit/update field visible

Gotchas & Pitfalls

Before you consider using Protected Custom Attributes (PCAs), you should be aware of the following security driven limitations:

  • PCAs cannot be included in Reports or Desktops.
  • PCAs cannot be the driver for a Cascading Attribute.
  • PCAs are excluded from the TDWebAPI.
  • PCAs are excluded from Notifications.
  • Changes to PCAs are not logged in the feed. If only PCAs change as part of an edit, the feed entry will read “Edited this [item].”
  • Changes to PCAs are logged within the application's admin section under the custom attribute's Access Log. App Admins are able to review this log.
  • PCAs can only be applied to new attributes.
  • PCAs cannot be added in Ticket Templates
  • PCAs cannot be imported using the ticket or asset import tools.


After creation, by default, protected custom attributes are not be available to any groups. The ESM Enterprise Admin's must explicitly go into the attribute's Permissions tab and add at least one Associated Group. Additionally, within TDNext protected custom attributes can only be set to Editable, or Editable and Required. You will be unable to set it as Hidden, or Read-Only. Setting options related to the Client Portal remain unchanged.
Each PCA contains both an Access Log and a Configuration Log which is viewable to the ESM Enterprise Administrators. These logs records provide an audit trail to both changes to the attribute's values as well as any changes to the attribute's access configuration settings.


Need additional help or have issues

For support, requests may be submitted anytime using the appropriate Enterprise Service Management form. Requests generate a Ticket which will be worked in order received and urgency by IT Employees with the knowledge and permissions to assist with the request.

For immediate assistance please review the Contact Us page for the appropriate support group.


Article ID: 1437
Mon 2/27/23 1:18 PM
Mon 2/27/23 3:10 PM

Related Articles (1)

Information to help Enterprise Service Management (ESM) App Admins understand custom ticketing attributes, create, and manage them.