When devs (or any other role) have access rights to change environment constants, they are able to toggle the 'mask' field option. This makes the field not readable for the users that browse through these constants. They are, however, able to deselect this 'mask' option and read the value in this field, even though it could contain sensitive company information (e.g. API keys, passwords, etc.). We would like to have a separate authorization/permission to toggle this 'mask' option per environment variable, so that these values are not directly readable to anyone that has access rights to adjust the constants of this environment.
A solution could be that only Scrum Masters (or any other role) can change the mask boolean from yes to no and vice versa, or that there would be a separate permission to change the mask option of these constants.
Looks like a valid idea to me. It could also be used to limit changing such a toggle only to a technical user (e.g. one which runs the CI/CD pipeline) rather than a personal user account like a Scrum Master, in case of deployments to PROD environments.