# Restrict Access to Custom Variables
* Restriction name: monitoring/blacklist/properties
* Restriction value: Comma separated list of GLOB like filters
Imagine the following host custom variable structure.
```
host.vars.
|-- cmdb_name
|-- cmdb_id
|-- cmdb_location
|-- wiki_id
|-- passwords.
| |-- mysql_password
| |-- ldap_password
| `-- mongodb_password
|-- legacy.
| |-- cmdb_name
| |-- mysql_password
| `-- wiki_id
`-- backup.
`-- passwords.
|-- mysql_password
`-- ldap_password
```
`host.vars.cmdb_name`
Blacklists `cmdb_name` in the first level of the custom variable structure only.
`host.vars.legacy.cmdb_name` is not blacklisted.
`host.vars.cmdb_*`
All custom variables in the first level of the structure which begin with `cmdb_` become blacklisted.
Deeper custom variables are ignored. `host.vars.legacy.cmdb_name` is not blacklisted.
`host.vars.*id`
All custom variables in the first level of the structure which end with `id` become blacklisted.
Deeper custom variables are ignored. `host.vars.legacy.wiki_id` is not blacklisted.
`host.vars.*.mysql_password`
Matches all custom variables on the second level which are equal to `mysql_password`.
`host.vars.*.*password`
Matches all custom variables on the second level which end with `password`.
`host.vars.*.mysql_password,host.vars.*.ldap_password`
Matches all custorm variables on the second level which equal `mysql_password` or `ldap_password`.
`host.vars.**.*password`
Matches all custom variables on all levels which end with `password`.
Please note the two asterisks, `**`, here for crossing level boundaries. This syntax is used for matching the complete
custom variable structure.
If you want to restrict all custom variables that end with password for both hosts and services, you have to define
the following restriction.
`host.vars.**.*password,service.vars.**.*password`
## Escape Meta Characters
Use backslash to escape the meta characters
* *
* ,
`host.vars.\*fall`
Matches all custom variables in the first level which equal `*fall`.