
Best-in-class privacy broadens applicability of visual Session Replay for web and mobile

With role-based access control for replaying user sessions, Dynatrace exceeds the typical data-privacy capabilities of competitive solutions, allowing you broader and more granular use of Session Replay for web and mobile.

Today, when almost everything can be done through a web or mobile application, data privacy is more important than ever for end users. At the same time, end users want a best-in-class experience when interacting with these applications. This puts application owners under pressure: how do you get immediate feedback on application experience, feature adoption, and performance, and get all the information needed to solve issues quickly, all while ensuring maximum privacy and data protection?

Session Replay provides the highest levels of data privacy in compliance with regional data regulations

The Dynatrace Session Replay module is the perfect solution for capturing and visually replaying the complete digital experiences of your end-users across all device form factors, personalization, and responsive UIs. It helps you identify errors, analyze areas of struggle, and provides tons of analytical data for your testing teams. Development teams use it to proactively analyze new feature adoption and user experience to make smarter investments in their applications while optimizing business success.

Building on a series of improvements to data privacy in Session Replay, including automated and GDPR-compliant masking options and URL exclusion, we’re now happy to provide you with role-based access control for Session Replay. Our new permissions not only meet but exceed the typical data privacy capabilities of competitive solutions. Dynatrace administrators will now have greater flexibility and control in providing different teams with appropriate access to user data via Session Replay.

Employees need varying levels of access based on their roles and responsibilities

As an example, consider the concrete requirements of a Dynatrace customer, one of the largest European financial service institutions, with strict rules regarding who can view certain kinds of information.

Our customer has teams distributed all around the world: a support team located in India, development and product teams in Europe, and a UX team in the United States. This company wants to offer the best experience to their users while meeting data privacy and protection requirements, so they use Dynatrace to monitor their applications. Their Dynatrace administrators and compliance/security officers have the following challenges:

  • Ensure that the support team can diagnose problems quickly by providing them with all the information they need, given the data protection regulations.
    In this case, the support team needs and has access to general RUM data, but they should not have access to Session Replay.
  • Ensure developers have access to all the information and context they need to resolve bugs as quickly as possible
  • Ensure that the UX team can improve application flows by enabling the team to see real users interacting with the application while all private data is masked from view

Ensure employees can only access the information they need to do their jobs

With version 1.208, Dynatrace provides two new user permissions for Session Replay, designed in collaboration with CISO/GDPR privacy leaders to ensure that we comply with all relevant regulations. You can now assign the proper Session Replay permissions to user groups. You can have all the advantages that Dynatrace offers while also protecting confidential user data by ensuring that employees can only access the information and perform the actions that are required to do their jobs.

The new user permissions are:

  • Replay session data: Users with this permission can play back user sessions. An extra configurable set of masking rules is applied at playback time (so that you can control what information is hidden during playback).
  • Replay session data without masking: Users with this permission can replay sessions as they were recorded; playback masking rules are not applied.

The playback masking rules that are applied to those users who have permission to replay user sessions can be configured for each application, much in the same way that recording masking rules are defined.

Achieve optimal security and productivity by granting varying levels of user permissions

Let’s take a closer look at what the user group permissions should look like for solving the challenges that our customer, the European financial services institution, faces when it comes to data access.

Three user groups can be created: Support, Developers, and UX. All three groups need to have the Access environment permission, which includes access to RUM data.

  • The Support group needs to have the Manage support tickets permission.
  • The Developers group needs to have Replay session data without masking (this automatically selects the Replay session data permission).
  • The UX group needs to have the ability to Replay session data.

  • With this configuration, Support team members will see all the available RUM information, but if they try to play back a session, they will see a message indicating they have no rights to replay end-user sessions.
  • The Developers will be able to see all RUM data and also play back sessions as they were recorded.
    Note that the content excluded from recording never leaves the client browser, where recording masking rules are executed, so this information is not visible to anyone at playback time.
  • The UX team will be able to play back sessions, but an extra set of masking rules will be applied: playback masking rules. They will see less information than the previous group of users. In fact, as they only need to see the user interactions, the playback masking setting can be set to Mask all.

Now, Dynatrace administrators and compliance/security officers can make sure that their teams can take advantage of all Dynatrace features to help them understand their users’ behavior, understand the context and impact of errors, and solve issues faster, all while relevant data protection rules are stringently followed.

What’s next?

In an upcoming blog post, we’ll take a look at how you can broaden the applicability of Session Replay for web and mobile applications while remaining compliant in even the most highly regulated industries. So stay tuned and watch this space for updates!