Security settings

Security settings configure data redaction and data retention. For example, these settings control how data is redacted in Cloud logging and the Conversation history.

Security settings are set at the project level. If you have access to an agent in a project, you can view project-level security settings. To update project-level security settings, you must have the dialogflow.securitySettings.update permission. Dialogflow can take up to one hour to implement security settings updates.

The following table summarizes the settings. For more information about the settings, see the SecuritySettings RPC reference.

Security Setting Description
redaction_strategy RedactionStrategy: Defines how we do redaction.
redaction_scope RedactionScope: Defines the data for which Dialogflow applies redaction. Dialogflow does not redact data that it does not have access to – for example, Cloud logging.
inspect_template string

Sensitive Data Protection: The inspect template name. Use this template to define inspect base settings.

The The DLP Inspect Templates Reader role is needed on the Dialogflow service identity service account for your agent's project.

If empty, we use the default Sensitive Data Protection inspect config.

The template name will have one of the following formats: projects//locations//inspectTemplates/ OR organizations//locations//inspectTemplates/

Note: inspect_template must be located in the same region as the SecuritySettings.

deidentify_template string

Sensitive Data Protection: The deidentify template name. Use this template to define deidentification configuration for the content.

The DLP Deidentify Templates Reader role is needed on the Dialogflow service identity service account for your agent's project.

If empty, Dialogflow replaces sensitive info with [redacted] text.

The template name will have one of the following formats: projects//locations//deidentifyTemplates/ OR organizations//locations//deidentifyTemplates/

Note: deidentify_template must be located in the same region as the SecuritySettings.

purge_data_types[] PurgeDataType: A list of types of data to be removed when retention settings triggers purge.
audio_export_settings AudioExportSettings: Controls audio export settings for post-conversation analytics when ingesting audio to conversations using [] or [Participants.StreamingAnalyzeContent][].

If retention_strategy is set to REMOVE_AFTER_CONVERSATION or [audio_export_settings.gcs_bucket][] is empty, audio export is disabled. If audio export is enabled, audio is recorded and saved to [audio_export_settings.gcs_bucket][], subject to retention policy of [audio_export_settings.gcs_bucket][].

This setting won't affect audio input for implicit sessions using Sessions.DetectIntent or Sessions.StreamingDetectIntent.

insights_export_settings InsightsExportSettings: Controls conversation exporting settings to Insights after conversation is completed.

If retention_strategy is set to REMOVE_AFTER_CONVERSATION, Insights export is disabled no matter what you configure here.

data_retention The union field that specifies how data is retained. Even if data is purged because of a retention policy, it might remain in backup storage for a few days without allowing direct access. data_retention can be only one of the following:

retention_window_days (int32): Retains data for the specified number of days. You must set a value lower than Dialogflow's default 365-day TTL (30 days for Agent Assist traffic); higher values are ignored and the default is used. Setting a value higher than the default is ignored. A missing value or a setting of 0 also uses the default TTL. When data retention configuration is changed, it only applies to data created after the change; the TTL of existing data created before the change remains intact.

retention_strategy: Specifies the retention behavior defined by SecuritySettings.RetentionStrategy.

You can configure multiple security settings in each location. Each agent specifies the security settings to apply, and you can apply each setting to multiple agents in the same project and location. For more information about data application levels, see data application levels.

If you don't specify security settings in an agent, Dialogflow doesn't apply redaction.

Create a security settings resource

To create a security settings resource in a particular location:

Console

  1. Go to the Dialogflow CX console.
  2. Select your Google Cloud project.
  3. Select your agent.
  4. Click Agent Settings.
  5. Click the Security tab.
  6. Click Manage security settings. The CCAI console opens in a new tab.
  7. Click Create security settings in the CCAI console.
  8. Enter security settings configuration.
  9. Click Create.

API

For information about the create method, see the SecuritySettings type.

Select a protocol and version for the SecuritySettings reference:

Protocol V3 V3beta1
REST SecuritySettings resource SecuritySettings resource
RPC SecuritySettings interface SecuritySettings interface
C++ SecuritySettingssClient Not available
C# SecuritySettingssClient Not available
Go SecuritySettingssClient Not available
Java SecuritySettingssClient SecuritySettingssClient
Node.js SecuritySettingssClient SecuritySettingssClient
PHP Not available Not available
Python SecuritySettingssClient SecuritySettingssClient
Ruby Not available Not available

Specify a security setting in agent

To specify a security setting in agent:

Console

  1. Go to the Dialogflow CX console.
  2. Select your Google Cloud project.
  3. Select your agent.
  4. Click Agent Settings.
  5. Click the Security tab.
  6. Select settings in the Security settings drop-down menu.
  7. Click Save.

API

For information about the patch and update methods, see the Agent type.

Select a protocol and version for the Agent reference:

Protocol V3 V3beta1
REST Agent resource Agent resource
RPC Agent interface Agent interface
C++ AgentsClient Not available
C# AgentsClient Not available
Go AgentsClient Not available
Java AgentsClient AgentsClient
Node.js AgentsClient AgentsClient
PHP Not available Not available
Python AgentsClient AgentsClient
Ruby Not available Not available