Decision masking allows you to remove information from each decision before it gets logged by OPA in DAS. The
system.log package in the system's policy bundle defines decision masking rules. When you add an Envoy system, an example decision masking policy is automatically added to your system. You can view and modify this policy via the UI under
system/log/mask.rego as you would any other policy (see Figure 1 below).
As with other policies, decision masking can also be defined at the stack level and applied to a system.
For Envoy stack types, the default decision masking policy is located under
Additional information on decision masking in DAS can be found in the Decision Logs - Decision Masking documentation.
The following example shows the default decision masking policy added to Envoy systems. This policy instructs OPA to remove the token and authorization headers from requests before logging decisions.