Masking Data in Page and Field Configurator

To comply with data privacy regulations, organizations can mask personally identifiable and/or sensitive content in PeopleSoft and expose them only to authorized persons.

Use the Masking Configuration Type to mask page fields and search fields.

Note: The PeopleTools version should be 8.57.11 or higher.

Note: For HCM systems, it is recommended that HCM-specific data masking is disabled in the Installation Options and that you use Page and Field Configurator masking instead.

There are five steps to configure data masking for a page using Page and Field Configurator.

Define the mask profiles and apply the profile to the fields in the selected component using the Define Mask Profile page. This involves:

  1. Use the Define Mask Profile Page to set up data masking profiles that can be applied to the fields that are selected for masking in Page and Field Configurator.

  2. Use the Define Field Group Page to group fields with similar masking requirements.

  3. Use the Page and Field Configurator: Masking Page to configure the fields to be masked using Mask Profiles defined in step 1.

  4. Use User List Page to define a list of users to whom the configuration is to be applied.

  5. Use the Map to Portal Registry Page to map the configuration to the corresponding portal registry entries.

Note: The configuration defined in a component becomes effective only if the services defined by the utility are mapped to the corresponding portal registry entries.

Note: Only users assigned the role PFC Data Masking Admin can see the Masking configuration type.

The configuration can only be applied to a registered component in the system.

The PeopleTools version must be 8.57.11 or higher.

For more details, see the image highlight video on Data Masking:

Video: Image Highlights, PeopleSoft HCM Update Image 33: Data Masking Related Changes for PFC

Example: Modify a Person Page

This example illustrates how sensitive fields for the Modify a Person component can be masked.

 Component Masking

Use these pages to mask data using Page and Field Configurator.

Page Name

Definition Name

Usage

Define Mask Profile Page

EOCC_MASK_PROFILE

Define data masking profiles that can be applied to the fields that are selected for masking in Page and Field Configurator.

Define Field Group Page

EOCC_FIELD_GRP

Assign a default mask profile for a similar set of fields.

Page and Field Configurator: Masking Page

EOCC_CONFIG_MASK

Define the criteria and field properties for the component, when Masking is the Configuration Type.

User List Page

EOCC_CONFIG_USER

Define the list of users to whom the configuration needs to be applied.

Map to Portal Registry Page

EOCC_MAP_EVENT

Assign the configuration to a content reference in the Portal Registry, and activate event mapping.

Advanced Options Page

EOCC_ADVANCED_TAB

Streamline the selection of fields on other pages in the Page and Field Configurator.

Use the Define Mask Profile page (EOCC_MASK_PROFILE) to set up data masking profiles that can be applied to the fields that are selected for masking in Page and Field Configurator.

Navigation:

Enterprise Components > Page and Field Configuration > Define Mask Profile

Page and Field Configurator supports four types of masking configuration:

  • Complete Masking.

  • Trailing Character Type Masking (Partial Masking).

  • Date Type Masking.

  • Setup Table Based Masking.

To create a new Mask Profile, add a new value the Define Mask Profile search page

Oracle delivers one mask profile of each type as system data. Any new mask profile that you create should be migrated using data mover scripts before any masking configurations from Page and Field Configurator are migrated.

Define a new Mask Profile

 Define New Mask Profile

Complete Masking

This type of masking masks all the characters of the field.

Complete Masking in Define Mask Profile page

 Complete Masking

Field or Control

Description

Default

Select this box when the mask profile is Complete to indicate it as a system level default. The system uses the Mask Profile when no Mask Profile is selected on the Page and Field Configurator: Masking Page.

Masking Type

Select the method for presenting masked information on pages:

  • Complete to mask all characters in the field.

  • Date to mask a date field.

  • Setup Table Based to reference a table that contains the masking format for the field.

  • Unmask Trailing Characters to mask all characters in the field except for a specific number of characters at the end, which are not masked.

Mask Character

Select the character that replaces the data in the field to mask it. X and * are the supported mask characters.

Retain Separators

Select if separators should be displayed while the rest of the data is masked. Supported separators are available as system data in the EOCC_MASK_SEP table.

Unmask Trailing Characters

This type of masking can be applied when you need to partially unmask some of the ending characters in a field. For example, credit card number.

Unmask trailing characters

 Unmask trailing characters

Field or Control

Description

Length

Choose the length or number of trailing characters that needs to be kept unmasked.

Date Masking

This type of masking can be applied for date fields and you can choose the parts of the date field that can be masked or left unmasked.

Date type masking

 Date type masking

Field or Control

Description

Date Masking Options

Select which part of the date (Day, Month or Year) needs to be masked.

Setup Table Based Masking

Use this masking profile to mask data from a defined setup table that has the masking format defined in it.

Setup table based masking

 Setup table based masking

Field or Control

Description

Setup Table

Choose the Setup table that has the masking definition.

Mask Format Field

Choose the field that has the mask format in the setup table.

Control Fields

These fields in the Setup table determine the right mask format for a transaction.

Default Record

The default record to be displayed in Page and Field Configurator when a field is selected for masking. The Default Record can be overridden.

Default Field

The default field to be displayed in Page and Field Configurator when a field is selected for masking. The Default Field can be overridden.

Use the Define Field Group page (EOCC_FIELD_GRP) to assign a default Mask Profile to a similar set of fields.

Navigation:

Enterprise Components > Page and Field Configuration > Define Field Group

Define Field Group

 Define Field Group

Field or Control

Description

Default Mask Profile ID

Replace with the default Mask Profile. The default mask profile will be defaulted in Page and Field Configurator if any field from the field group is chosen for masking. The same field cannot be used in multiple field groups

Field name

Choose the similar fields that are to be grouped under this field group.

Use the Page Configuration page (EOCC_CONFIG_MASK) to define the criteria and field properties for the component, when Masking is the Configuration Type.

Navigation

Enterprise Components > Page and Field Configuration > Page and Field Configurator > Page Configuration. Select Masking as the Configuration Type

Note: The top of this page is the same as the Page and Field Configurator: Page Configuration Page - Standard.

This example illustrates the Page and Field Configurator: Masking Page (2 of 2).

 Page Configuration page where Masking is the Configuration Type (2 of 2)

Note: As of FSCM Update Image 43, PeopleSoft added the Bank Account Number Encryption feature. If you want to use this feature to encrypt and mask bank account numbers, but you previously used this page to mask bank account numbers, delete the row in the Configure Fields for Masking section prior to using this feature.

For more information about securing bank account numbers in FSCM, see PeopleSoft FSCM 9.2: Application Fundamentals, Securing Bank Accounts in FSCM.

For field and control descriptions, see Page and Field Configurator: Page Configuration Page - Standard. Fields and controls that are specific to masking are described below.

Field or Control

Description

Apply Additively

Select to indicate that you want multiple sequences to impact the page viewed by the user. In the event that a component has Standard and Masking configurations, masking configurations are applied after standard configurations.

Configure Masking

The Configure Masking section is used to configure page fields, search fields and prompt record fields for masking. Masking is supported for:

  • Primary Page fields

  • Secondary Page fields

  • Search Record fields

  • Prompt Record fields

Any drop-down field selected for masking is fully masked with the "*" character.

Choose the Select Fields button to view a list of all available fields in the component. Masking is not supported for long fields.

Search Field Masking

Search fields are configured for masking in the same way as the page fields are configured as explained above. However, there are some differences with page field masking:

  • Only the Mask profiles of Complete, Unmask Trailing Character and Date masking are supported for Search Fields masking.

  • If a component uses pivot grid based search and the masked field is also a part of facet search, then the facet will be hidden.

  • When a search field is chosen to be masked, then the List view will be hidden from Component Keyword search and Pivot Grid based search.

  • A search field selected for masking will be masked in the search result and will be disabled as a search field.

  • For Search fields, separators are supported only for non-date type masking.

Note: For PeopleTools 8.60 or higher, data masking is also supported for Search Records configured in PeopleTools Configurable Search.

For Keyword Search fields, masking is supported only for fields that are part of Component Search Record. Masking of Search Fields that are only part of the Search Index is not supported.

For more information, see 'Managing Configurable Search' in the PeopleTools Search Technology documentation.

Prompt Masking

Prompt masking provides a configurable option for masking sensitive/PII fields in Prompt records. Prompt record fields are configured for masking in the same way as the page fields are configured.

When you apply the configuration using the Map to Portal Registry Page, the record-field property “Allow Search events for Prompt dialogs” is automatically selected. This is necessary to trigger the search event programs generated by Page and Field Configurator. If the masking configurations for the prompt record field is removed, the mentioned record-field property will be de-selected.

Once prompt masking is enabled and an unauthorized user clicks on the prompt lookup the prompt dialog shows the masked data in the column(s) identified for masking in the result grid. After the user selects a value from the prompt and the page is loaded, the field value on the page will be masked if the page field is also defined in Page and Field Configurator masking configuration.

Select Fields for masking

 Select fields for masking

Field or Control

Description

Source Type

Displays the option selected on the .

Field Source

Select the record type for masking. Based on the selected field source, all the field records are listed for selection.

Page Type

Indicates whether the fields listed are from a primary page or from a secondary field.

Primary Page

Select the main page for the field that you intend to mask.

Secondary Page

Choose the secondary page from the main page.

Note: In addition to secondary pages that are part of the component structure, masking is also supported for secondary pages called from PeopleCode. To select fields from secondary pages called via PeopleCode for masking, the secondary page fields should be manually added to the Page Fields grid. For secondary pages called via PeopleCode, masking is supported only if the secondary page field is marked as Personal Identifier/Sensitive in Data Privacy Framework.

Restrict to Personal Identifier/Sensitive Fields

Select to list only the fields that have been classified as Personal Identifier or Sensitive in Data Privacy Framework. For more details, see Understanding Data Privacy.

Select the required field names and click OK at the bottom of the page.

When in Add mode, the page fields selected for masking are enabled for data entry. In other modes, fields selected for masking are enabled only if they are blank.

Configure Fields for Masking - General Information

The fields selected on the Select Field page are displayed in this section.

Field or Control

Description

Label Text, Record Name, Field Name

Displays the selected values after selecting fields from the Select Field page.

Mask Field

Select to indicate that you want to mask this field.

Mask Profile

Displays Full or Partial.

Select this link to access Configure Masking window where you can determine the mask profile, mask character, and whether to retain separators.

If the Mask Profile is listed as Select Profile or if you want to change the current profile, click on it to change it.

If the field is part of a Field Group, the Default Mask Profile from the Field Group is defaulted as the Mask Profile for that field. If the field is not part of a Field Group, the Mask Profile defaults to the system level Default Mask Profile. Select the Mask Profile link to override the defaulted mask profile for a field.

Profile Status

Displays Default, Changed

  • Changed if your modify the mask profile from the Default profile.

  • Default when the mask profile is defaulted from a field group.

This example illustrates the Configure Masking window.

 Choose Mask Profile