zPET - IBM Z and z/OS Platform Evaluation and Test - Group home

Using the Management Interface for Hyper Protect Data Controller

By Michael Cohoon posted Thu October 07, 2021 11:11 AM


z/OS Platform Evaluation and Test (zPET) runs customer-like workloads in a Parallel Sysplex environment to perform the final verification of new IBM Z hardware and software. For more information about zPET, please check out our community.


IBM Hyper Protect Data Controller brings security to the eligible data itself in the form of encrypted data objects (EDO). These EDOs offer field-level encryption, helping to protect the data whether on Z, in the cloud, or somewhere in between. The recent release of Hyper Protect Data Controller version 1.2.0 focuses on performance and usability, and the zPET team has found that while the new Management Interface may fall under the usability category, it’s also helped our team’s performance.

Before we get started, you may want to check out Anthony Sofia’s great blog
 about Hyper Protect Data Controller version 1.2.0.



With Hyper Protect Data Controller, data access is defined by a policy. This policy allows the Data Controller to determine who should see what data. Depending on need-to-know, individuals may see different results when querying the same data. Because the policy is the backbone of Hyper Protect Data Controller, the ability to quickly and effectively update and manage policies is paramount.

In previous releases of the product, the only way to create, edit, and view a policy was by working with raw XML in a text editor. Though manageable, this process was sometimes tricky. Creating and updating a policy was slow, lots of proofreading was required, and since different parts of the XML file were related, it was possible to update one section while easily overlooking another. Though the 1.1.0 version of Hyper Protect Data Controller simplified working with the policy, we still needed to get our hands dirty with XML. Thankfully, things have changed with the new Management Interface.

Though the Management Interface comes in a separate download, it is a must-have in our zPET environment. Only one instance of the Management Interface is needed, yet it can manage multiple independent Data Controllers.

Figure 1. Hyper Protect Data Controller login page


Access is provided only to administrators, so only those with authorization to view, change, and approve a policy can do so. Once logged in, it is easy to view and edit policies, create new policies and drafts, and approve and promote new policies. Like actions done directly through the administrative APIs, all actions performed via the Management Interface are auditable.

Figure 2. Hyper Protect Data Controller Policy Dashboard


Working with a policy has become much easier, and real-time validation helps ensure that a valid and accurate policy is created as intended. Being guided through the policy by the Management Interface, and being alerted to necessary changes, is a marked improvement from the “trial and error” approach of editing the XML directly, allowing us to be more accurate and efficient.

Figure 3. Hyper Protect Data Controller Policy Creation Page


Additionally, adding personas and data elements to the policy has become exceedingly easier. The Management Interface provides convenient panels to define a data element as well as create default and persona-based protection rules, all from a single menu. This is a very welcome change from the XML days, where you might find yourself jumping around several parts of the document to manage rules and protection schemes for multiple personas.

Figure 4. Hyper Protect Data Controller Data Elements Page


Instead of an arduous reviewal process more akin to a code review, the Management Interface offers an intuitive, streamlined process that is less complex and more interactive.



In this blog, our aim has been to provide the reader with insight to the benefits of using the new Hyper Protect Data Controller Management Interface. The interface aids users in policy creation and management, a pivotal function in any environment that leverages Hyper Protect Data Controller. The interface elevates this task from an arduous, manual process to a streamlined, accessible method, while still maintaining the integrity and security standards of the product. Our team in zPET couldn’t be happier to make use of this new feature, and we look forward to future improvements and additions that will continue to enhance the user experience for Hyper Protect Data Controller.


Resources for IBM Hyper Protect Data Controller version 1.2.0

Content Solution page: https://www.ibm.com/support/z-content-solutions/hyper-protect-data-controller/

Product page: https://www.ibm.com/products/hyper-protect-data-controller

Documentation: https://www.ibm.com/docs/en/hpdc



Trent Balta (Trent.Balta@ibm.com)

Michael Cohoon (mtcohoon@us.ibm.com)