• Log inStart now

Enable configurable security policies


APM's configurable security policies is available in limited release for approved New Relic accounts.

If you are a New Relic customer and interested in the limited release of configurable security policies, contact your New Relic sales rep.

APM's configurable security policies gives you granular control over configuration options related to your account's data security. This document explains how to enable account-wide security policies and the options available.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Compatibility and requirements

APM agent versions that support this feature include:

  • C SDK: not available
  • Go: 2.1 or higher
  • Java: 4.1 or higher
  • .NET: 8.1 or higher
  • Node.js: 4.1 or higher
  • PHP: 8.1 or higher
  • Python: not available
  • Ruby: 5.2 or higher

Enable configurable security policies


Security policies apply account-wide. Once enabled, they can only be edited or disabled with the help of New Relic support.

If high security mode is enabled for the account(s), do not disable it. Account-level high security mode differs from your APM agent's high security mode, which is set in the configuration file.

High security mode and configurable security policies do not apply to Lambda monitoring or use of the New Relic Event API.

For the limited release, there is no UI component.

If you are participating in the limited release, follow this procedure to set up your accounts:

  1. Choose the accounts on which to enable configurable security policies.
  2. Choose the configurable security policies options that you want for those accounts.
  3. Inform your New Relic sales rep of the options that you have chosen.
  4. Ensure your agent versions support this feature. Update agents if necessary.
  5. When you receive the security token based on the security policies options that you chose, insert the security token into the agent configuration file(s). See examples.
  6. Delete the high security mode enabled flag from your config file(s).

High security mode (HSM) at the agent level is different than high security mode at the account level. Be sure to disable HSM in the agent's config file, as explained in this procedure. Having both the security token and the HSM flag will result in the agent disconnecting.

Example configuration

Here are some example configuration examples for enabling the configurable security policies:

Available policy options

Here are the settings you can choose when creating your policies. Some of these options will not be available for some agents.



Database query collection


  • Enabled: Collects obfuscated database query data. Obfuscated queries generally appear along with slow query details in the APM or explorer UI.

  • Disabled: Prevents the collection of obfuscated database query data.

    Raw query data is not collected once configurable security policies is enabled.

attributes.include list

Go, Java, .NET, Node.js, Ruby only


  • Enabled: attributes.include list functions normally; attribute keys found in the attributes.include list are recorded.

  • Disabled: Ignores the list of allowed attributes listed in the attributes.include property in agent configuration; no intrinsic request parameter attributes will be collected.

    Whitelisting attributes at the account level is not supported.

Raw exception messages


  • Enabled: Allows recording of all raw exception messages.
  • Disabled: Prevents recording of all raw exception messages. The messages may be either obfuscated or completely removed, depending on the agent.

Custom events


  • Enabled: Allows the recording of custom events that are created and sent up via an agent API.
  • Disabled: Prevents recording of any custom events collect by an agent API.

Custom attributes


  • Enabled: Allows for the collection of custom attributes passed in by the New Relic agent.
  • Disabled: Prevents collection of custom attributes that are collected by the New Relic agent.

Custom instrumentation editor

Java only


  • Enabled: Allows custom instrumentation of the agent, using the custom instrumentation editor.

  • Disabled: Prevents custom instrumentation of the agent using the custom instrumentation editor. Instrumentation previously done via the editor is also disabled.

    Access to the custom instrumentation editor is only available to New Relic account Owners and Admins.

Message parameters

Java and Ruby only


  • Enabled: Allows the collection of message parameters (message.parameters.*).
  • Disabled: Prevents collection of message parameters.

Job arguments

Ruby only


  • Enabled: Allows the collection of job arguments (job.(type).args.*).
  • Disabled: Prevents the collection of job arguments.
Copyright © 2022 New Relic Inc.