icingadb/denylist/variableswill block users from accessing certain custom variables. A user affected by this won’t see that those variables even exist. This should be a comma separated list of variable paths. It is possible to use match patterns.
icingadb/protect/variableswill replace certain custom variable values with***. A user affected by this will still be able to see the variable names though. This should be a comma separated list of variable paths. It is possible to use match patterns.
https://icinga.com/docs/icinga-db-web/latest/doc/04-Security/