62 Work with Field Level Masking (Release A9.3 Update)

62.1 Understanding Field Level Masking

You use the Field Level Masking application to mask certain portions or all of the data in a database field within a database file in a specific library.

You can mask all characters in a field/file/library or for a range of characters within the field.

Field Level Masking Application Functionalities

  • Oracle JD Edwards World recommends masking only certain fields and files. These recommended fields are defined within the files for use within the application.

  • You can create a masking definition for a recommended field within a database file. You can also create multiple masking definitions for a field (data item), but only one masking definition can be set at any one time for a field with a database file in a specific library combination.

  • You can define a masking value to be the replacement character when a masking definition is established and Field Level Masking is applied to a field. The masking value can be any character for an alphanumeric field. The masking value must be zero for a numeric field. Therefore, only a zero value displays in a numeric field that has Field Level Masking set.

  • You can apply Field Level Masking at an IBM database field level. This field level mask is applied using an IBM Authorization List. The IBM Authorization List determines the users that have access to view or update the field as opposed to users who cannot view or update the field within a file/library combination.

  • You use a workbench to maintain Field Level Masking components as well as set and drop the field for masking.

Caution:

If you allow fields to be masked, system performance can be impacted based on the number of fields masked on a file, the number of records in the file, and the number of times the file and field are accessed or updated. For performance purposes, in most cases, place field level masking only on fields in a master file, not in a transaction file.

Navigation

From Master Directory (G), choose Field Level Masking G941 Menu

62.2 Reviewing the Field Level Masking Flow

The following describes the Field Level Masking flow.

Figure 62-1 Field Level Masking flowchart

Figure 62-2 Field Level Masking flowchart

62.3 Tasks to Set up Field Level Masking

Setting up Field Level Masking includes the following tasks:

  • Determine the files and fields available for field level masking.

  • Define the Item Masking.

  • Attach the Masking Definition to the database field and file within a library.

  • Set or Drop the database field for Field Level Masking.

62.4 Field Masking Inclusions

Navigation

From Field Level Masking (G941), choose Field Masking Inclusions

You use the Field Masking Inclusions maintenance program (P94101) to maintain the Field Masking Inclusions file (F94101).

The Field Masking Inclusions file allows only specifically recommended fields by file to be used for Field Level Masking purposes. Oracle JD Edwards World ships the Field Masking Inclusions file (F94101) with these recommended database fields included. Any modifications to the files and fields are made at your own discretion.

If the File/Field combination does not exist in the Field Masking Inclusions file, Field Level Masking cannot be set on that field within the database file through this application.

The Field Masking Inclusions maintenance program and screen are intended to be used only for inquiry purposes to determine which files and potential fields are made available for Field Level Masking.

Figure 62-3 Field Masking Inclusions screen

Field Explanation

File Name: The member name of the file. All file names begin with F.

Field Name: This field contains a value that identifies an exit or action in Extensibility or a database field allowed for use in Field Level Masking.

Screen-Specific Information

In Field Level Masking, the Field Name is used to define the field within a database file that is to be included and/or enabled in Field Level Masking.

Field Description: The description of the selected video screen or user ID.

62.4.1 File Name Selection Window (P941SLW)

You use the File Name Selection (P941SLW) window for Field Level Masking to display a list of the files and select a file value to be returned to the calling program.

Figure 62-4 File Name Selection window

62.5 Setting up Data Item Masking Definitions

Navigation

From Field Level Masking (G941), choose Data Item Masking Definitions

You use the Data Item Masking Definitions program (P94103) to maintain the Data Item Masking Definitions file (F94103). The Data Item Masking Definitions program defines the various potential maskings for a Data Item (field).

The system uses a Masking Code to define different and multiple maskings for each Data Item.

The system uses the Data Item Masking Definition to format the mask of the database field when it is set for Field Level Masking.

The combination of Data Item and Masking Code defines the Data Item mask.

The Masking Value defines the character to be used to mask the Data Item field. The Masking Value character must be a 0 for numeric Data Items (defined as packed or signed fields). There are no restrictions on Masking Values that can be used for alphanumeric Data Item fields.

For alphanumeric Data Items, the Masking Starting and Ending Positions define the range of characters within the Data Item character string to be masked when Field Level Masking is set on the database field.

The Masking Starting and Ending Positions default to the entire field length for numeric Data Items since the Masking Value is 0 and displays accordingly based on the Data Item's Edit Code.

The system displays the Data Item attributes on the screen for information purposes: you can review the Field Size, Display Decimals, Edit Code, and Data Type Description. Use the Data Item attributes to determine the Non-mask and Mask Display values.

The Non-mask and Mask Display values display the result of the masking definition created for the Data Item. If the Data Item's Field Size is greater than 60 characters, the Non-mask and Mask Display fields will not be displayed.

For alphanumeric Data Items, the Non-mask Display field displays using alpha characters A-Z, repeated when necessary. The Mask Display field then displays the Masking Value replacing the characters within the Starting and Ending Position range.

For numeric Data Items, the Non-mask Display field displays using numeric characters 1-9 and 0, repeated when necessary. This field displays commas and decimal points as defined based on the Data Item attribute fields displayed. The Mask Display field displays the zero or not, again based on the Data Item attributes, including the Edit Code.

62.5.1 Examples of Data Item Masking Definitions

The following screen displays the Description field with all 30 characters masked with a * Masking Code.

Figure 62-5 Data Item Masking Definitions screen

The following screen displays the Tax ID with the first 5 characters masked with a / Masking Code.

Figure 62-6 Data Item Masking Definitions screen

The following screen displays the Additional Tax ID field with positions 2-4 masked with a * Masking Code.

Figure 62-7 Data Item Masking Definitions screen
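
The display rules of section 62.5 and the three screen examples above, as an added Python model that is not JD Edwards code: it builds the Non-mask and Mask Display values for a Data Item Masking Definition and checks the rules the chapter states (a one-character Masking Value, 0 for numeric Data Items, Starting and Ending Positions within the field). The fill characters (A-Z; 1-9 and 0), the numeric rule and the position semantics come from the chapter; the class layout, the two flags that stand in for the Edit Code, the data item names and the field sizes (9 characters assumed for the Tax ID fields) are this example's assumptions.

```python
"""Non-mask and Mask Display values for a Data Item Masking Definition.

Added example, not JD Edwards code. The fill characters, the numeric-must-be-0
rule and the position semantics come from the chapter; the class layout, the
Edit Code flags, the data item names and the field sizes are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import cycle, islice

ALPHA_FILL = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # Non-mask Display fill for alphanumeric items
NUMERIC_FILL = "1234567890"                 # Non-mask Display fill for numeric items


@dataclass
class MaskingDefinition:
    data_item: str
    masking_code: str
    masking_value: str            # one replacement character; must be "0" for numeric items
    start_pos: int                # Masking Starting Position, 1-based, inclusive
    end_pos: int                  # Masking Ending Position, 1-based, inclusive
    field_size: int
    numeric: bool = False         # packed or signed data type
    display_decimals: int = 0
    show_commas: bool = True      # assumption: stands in for the Edit Code's "show commas" option
    zero_displays: bool = True    # assumption: stands in for whether the Edit Code prints a zero value


def validate(d: MaskingDefinition) -> list[str]:
    """Rule violations for a definition; an empty list means it can be saved."""
    errors = []
    if len(d.masking_value) != 1:
        errors.append("Masking Value must be a single character")
    if d.numeric and d.masking_value != "0":
        errors.append("Masking Value must be 0 for a numeric Data Item")
    if not 1 <= d.start_pos <= d.end_pos <= d.field_size:
        errors.append("Starting and Ending Positions must lie within the field")
    return errors


def _fill(pattern: str, size: int) -> str:
    """Repeat the fill pattern until it covers the field size."""
    return "".join(islice(cycle(pattern), size))


def _format_numeric(digits: str, d: MaskingDefinition) -> str:
    """Render a digit string with the decimal point and commas the Data Item attributes call for."""
    if d.display_decimals:
        integer, fraction = digits[:-d.display_decimals], digits[-d.display_decimals:]
    else:
        integer, fraction = digits, ""
    value = int(integer or "0")                      # standard edit codes suppress leading zeros
    integer = f"{value:,}" if d.show_commas else str(value)
    return f"{integer}.{fraction}" if fraction else integer


def non_mask_display(d: MaskingDefinition) -> str:
    """What an authorized user sees: sample data shaped like the real field."""
    if d.numeric:
        return _format_numeric(_fill(NUMERIC_FILL, d.field_size), d)
    return _fill(ALPHA_FILL, d.field_size)


def mask_display(d: MaskingDefinition) -> str:
    """What a user outside the Authorization List sees once the field is set for masking."""
    if d.numeric:
        # A masked numeric field is always zero; the edit code decides whether the zero prints or blanks.
        return _format_numeric("0" * d.field_size, d) if d.zero_displays else ""
    chars = list(non_mask_display(d))
    for i in range(d.start_pos - 1, d.end_pos):      # positions are 1-based and inclusive
        chars[i] = d.masking_value
    return "".join(chars)


# Constructed definitions mirroring the three screens above (data item names and sizes assumed).
DESCRIPTION_ALL_STARS = MaskingDefinition("DL01", "*", "*", 1, 30, 30)
TAX_ID_FIRST_FIVE = MaskingDefinition("TAX", "/", "/", 1, 5, 9)
ADDL_TAX_ID_2_TO_4 = MaskingDefinition("TX2", "*", "*", 2, 4, 9)
AMOUNT_BLANK_ZERO = MaskingDefinition("AA", "0", "0", 1, 15, 15, numeric=True, display_decimals=2, zero_displays=False)
AMOUNT_SHOWN_ZERO = MaskingDefinition("AA", "0", "0", 1, 15, 15, numeric=True, display_decimals=2)
BAD_NUMERIC = MaskingDefinition("AA", "*", "*", 1, 15, 15, numeric=True)   # rejected: numeric needs 0

if __name__ == "__main__":
    for d in (DESCRIPTION_ALL_STARS, TAX_ID_FIRST_FIVE, ADDL_TAX_ID_2_TO_4, AMOUNT_BLANK_ZERO):
        print(f"{d.data_item:<4} {d.masking_code} non-mask: {non_mask_display(d)!r:<34} mask: {mask_display(d)!r}")
```

Run the module directly to print the four definitions; `validate` should be called before `mask_display`, since out-of-range positions are reported there rather than in the display routine.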

Field Explanation

Data Item: For World, the RPG data name. This data field has been set up as a 10-byte field for future use. Currently, it is restricted to 4 bytes so that, when preceded by a 2-byte table prefix, the RPG data name will not exceed 6 bytes.

Within the Data Dictionary, all data items are referenced by this 4-byte data name. As they are used in database tables, a 2-character prefix is added to create unique data names in each table specification (DDS). If you are adding an error message, this field must be left blank. The system assigns the error message number using next numbers. The name appears on a successful add. You should assign error message numbers greater than 5000. Special characters are not allowed as part of the data item name, with the exception of #, @, $.

You can create protected data names by using $xxx and @xxx, where you define xxx.

Create new data items using system codes 55-59.

The alias cannot be changed.

Masking Code: The Masking Code is used in Field Level Masking to identify a Data Dictionary Item that is being masked in a certain defined way. This Masking Code allows multiple ways to mask the Data Dictionary Item at a database file field level.

For example, a Tax ID field can be masked to show the last 4 numbers only with an * appearing in the first 5 positions. A second Masking Code might be defined on this field to use a Masking Value of / rather than *. A third Masking Code might identify the Tax ID field to show only the last two numbers with a Masking Value of > in the first 7 positions.

Masking Value: The Masking Value is used in Field Level Masking to mask a database field with the specified character value at the Data Dictionary Item level.

For example, a Tax ID field can be masked to show the last 4 numbers only with an * being used as the Masking Value to display in the first 5 characters. Any character can be used for the Masking Value, except for numeric fields which must have a Masking Value of 0.

Starting Position: Within Field Level Masking, the Mask Starting Position identifies the first position within the Data Dictionary Item and database field where the Masking Values will be displayed.

Ending Position: Within Field Level Masking, the Mask Ending Position identifies the last position within the Data Dictionary Item and database field where the Masking Values will be displayed.

Field Size/Disp Dec: The field size of the data item.

Note: All amount fields should be entered as 15 bytes, 0 decimals, and the data item type should be P (packed).

Edit Code: Determines how data is printed or displayed. Depending on the code, you can change the appearance of the fields as follows (standard IBM edit codes):
  • Show commas - 1, 2, A, B, J, K, N, or O

  • Show decimal point - 1, 2, 3, 4, A, B, C, D, J, K, L, M, N, O, P, Q

  • Show sign for negative - A, B, C, D ("CR") or J through Q ("-")

  • Suppress leading zeros - 1 through 4, A through D, J through Q, Y, and Z

Refer to user defined codes (system 98/type EC) for all valid codes, including additional J.D. Edwards edit codes.

Data Edit Code: Defines the type of data to be stored in the field. The data item types are user defined codes (98/DT). Note: All amount fields should be entered as 15 bytes, 0 decimals, and data item type P (packed).

62.5.2 Data Item Selection window (P941SLW)

You use the Data Item Selection (P941SLW) window for Field Level Masking to display a list of the data item masking definitions and select a Data Item and Mask Code combination value to be returned to the calling program.

Figure 62-8 Data Item Selection window

62.6 Setting up Database Field Level Masking

Navigation

From Field Level Masking (G941), choose Database Field Level Masking

You use the Database Field Level Masking program (P94104) to maintain the Database Field Level Masking file (F94104) and to set up the masking of a field within a file and its library.

When you create a Database Field Level Masking record for the file, library, and field combination, the system does not set the field for Field Level Masking at this point. Use the Field Level Masking Workbench to complete the setting and dropping of the field level masking.

The Database Field Level Masking is based on a combination of File Name, Data File Library, and Field Name.

You can set up the Field Level Masking for only a valid field within an existing database file in a library.

Note:

Before you create the Database Field Level Masking record, you must verify the edits in the following section.

Verify the following edits before you create the Database Field Level Masking record:

  1. The File Name and Field Name must exist in the Field Masking Inclusions file (F94101).

  2. The Masking Definition (combination of Data Item and Masking Code) entered must exist in the Data Item Masking Definitions file (F94103).

  3. The Field Name must be valid within an existing object for the File Name and Data File Library entered.

  4. The Authorization List must be a valid IBM Authorization List object (see Appendix H - IBM Authorization Lists – Object Authority Information, for more information on IBM Authorization Lists).

  5. The Data Item must match the Field Name disregarding the File Prefix.

  6. The user must be authorized to the object (File Name and Data File Library combination).

The Masking Definition you entered defines the Masking Value (character) and the Starting and Ending Positions that display the Masking Values for an alphanumeric database field.

The Masking Definition for a numeric database field always displays as either 0 or blanks, based on the Data Item's Edit Code determining whether the zero should display.

If the Field Level Masking is set for the File/Library/Field combination, the Masking Status on the screen displays Active.

If the Field Level Masking has been dropped for the File/Library/Field combination, the Masking Status on the screen displays Inactive.

Figure 62-9 Database Field Level Masking screen

Field Explanation

File Name: The member name of the file. All file names begin with F.

Data File Library: The Data File Library Name designates the library location of the database files.

Field Name: This field contains a value that identifies an exit or action in Extensibility or a database field allowed for use in Field Level Masking.

Screen-Specific Information

In Field Level Masking, the Field Name is used to define the field within a database file that is to be included and/or enabled in Field Level Masking.

Authorization List: The Authorization List will be used in Field Level Masking for authorizing the database field for viewing or updating purposes to a list of user profiles.

Data Item: For World, the RPG data name. This data field has been set up as a 10-byte field for future use. Currently, it is restricted to 4 bytes so that, when preceded by a 2-byte table prefix, the RPG data name will not exceed 6 bytes.

Within the Data Dictionary, all data items are referenced by this 4-byte data name. As they are used in database tables, a 2-character prefix is added to create unique data names in each table specification (DDS). If you are adding an error message, this field must be left blank. The system assigns the error message number using next numbers. The name appears on a successful add. You should assign error message numbers greater than 5000. Special characters are not allowed as part of the data item name, with the exception of #, @, $.

You can create protected data names by using $xxx and @xxx, where you define xxx.

Create new data items using system codes 55-59.

The alias cannot be changed.

Masking Code: The Masking Code is used in Field Level Masking to identify a Data Dictionary Item that is being masked in a certain defined way. This Masking Code allows multiple ways to mask the Data Dictionary Item at a database file field level.

For example, a Tax ID field can be masked to show the last 4 numbers only with an * appearing in the first 5 positions. A second Masking Code might be defined on this field to use a Masking Value of / rather than *.

A third Masking Code might identify the Tax ID field to show only the last two numbers with a Masking Value of > in the first 7 positions.

Masking Status: The Masking Status is used in Field Level Masking to determine whether the database field in a file and library has been set.

The values for Masking Status are:

Active - Field Level Masking is set for this field.

Inactive - Field Level Masking is not set for this field or it has been dropped.


62.6.1 File Name Selection window (P941SLW)

You use the File Name Selection (P941SLW) window for Field Level Masking to display a list of the files and select a file value to be returned to the calling program.

Figure 62-10 File Name Selection window

62.7 Working with Field Level Masking Workbench

Navigation

From Field Level Masking (G941), choose Field Level Masking Workbench

You use the Field Level Masking Workbench program (P98XWB) as a tool to manage the Field Level Masking database fields that are set up within the application. The workbench provides the mechanism to set and drop the database field to and from Field Level Masking.

The workbench is driven by the Database Field Level Masking file (F94104).

All inquiries and filtering are performed to the Database Field Level Masking file (F94104).

The Field Level Masking Workbench program allows several selection options for each database file set up within the Field Level Masking application tool.

Selection options to call the various programs or to perform the processes:

  • Field Masking Inclusions (calls program P94101).

  • Data Item Masking Definitions (calls program P94103).

  • Database Field Level Masking (calls program P94104).

  • Set Field Level Masking (calls program J94100).

  • Drop Field Level Masking (calls program J94100).

The system displays error messages if you attempt to set a database field with an Active Masking Status or if you attempt a Drop for a database field with an Inactive Masking Status (never set or has been dropped).

You can filter selection of the Database Field Level Masking file (F94104) on the following fields:

  • File Name

  • Library Name

  • Field Name

  • Authorization List

62.8 Setting Field Level Masking

The Masking Status field displays as Active on the workbench for a database field that has been set for Field Level Masking.

To set a field in a file and library for Field Level Masking based on the Authorization List and the Masking Definition (Data Item and Mask Code) specified, select option 4 (Set) from the Field Level Masking Workbench screen.

When you select option 4 (Set) to set the field, the system completes the following steps:

  1. The object (file and library) is checked first for existence and both *OBJMGT and *OBJOPR rights for the user attempting the set. If the object does not exist (IBM error CPF9801) or any other error occurs on the check object command, the system displays error message 941E.

  2. The IBM Authorization List is also checked to determine if the user has *READ or *UPD rights. If the user is not authorized, the system displays error message 941F on the workbench.

  3. If no errors occur, the object is then attempted to be allocated with a *EXCL exclusive lock. If it cannot be allocated, the system displays error 941C on the workbench.

  4. If no allocation error, the RUNSQL statement is executed on the field/file/library to attach the fieldproc program X940000000. If an error occurs on the RUNSQL statement, the system displays error message 941G on the workbench.

  5. If no error occurs on the RUNSQL statement, the file is de-allocated for the exclusive lock and the process ends.

  6. If the process ends successfully, the IBM command DSPFFD can be run for the file and library where the Field Level Masking was placed. Then, you can scan for the field using F16 to confirm that the fieldproc X940000000 program has been attached to the field. See Appendix G - Example of Setting a Field with Field Level Masking, for an example of using the DSPFFD command and finding the fieldproc attached to the field.

  7. You can run the following SQL statement to verify that the field has been set up for Field Level Masking:

    • Select sys_cname, sys_tname, sys_dname, fldproc from qsys2/sysfields

    This file contains every Field/File/Library combination in the system that has Field Level Masking applied, so the combination now exists.

  8. If the process did not end successfully, review the error message and refer to the interactive session job log for further details for the specific issue found.
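
The six edits verified before a Database Field Level Masking record is created (section 62.6) and the Set and Drop sequences of the workbench (sections 62.8 and 62.9), as one added Python model that is not JD Edwards code. It keeps an in-memory stand-in for the IBM i objects the workbench touches (file and library, object rights, the Authorization List, the *EXCL lock) and for the qsys2/sysfields catalog, and returns the error message id the chapter lists at the step where a check fails. Every file, library, field, user, job and authorization list name below is a constructed placeholder; treating a second attach, or a drop when nothing is attached, as the RUNSQL failure is this example's assumption.

```python
"""Pre-create edits and the workbench Set/Drop sequence, modelled in memory.

Added example, not JD Edwards code: objects, rights, locks, authorization
lists and the qsys2/sysfields catalog below are constructed stand-ins.
"""
from __future__ import annotations
from dataclasses import dataclass, field

FIELDPROC = "X940000000"   # fieldproc program the chapter says RUNSQL attaches


@dataclass
class DbObject:
    fields: set[str]                      # field names in the file object
    rights: dict[str, set[str]]           # user -> object rights, e.g. {"*OBJMGT", "*OBJOPR"}
    locked_by: str | None = None          # job holding an *EXCL lock, if any


@dataclass
class System:
    objects: dict[tuple[str, str], DbObject]        # (file, library) -> object
    auth_lists: dict[str, dict[str, set[str]]]      # list -> user -> {"*READ", "*UPD"}
    sysfields: dict[tuple[str, str, str], str] = field(default_factory=dict)  # (lib, file, field) -> fieldproc


@dataclass
class MaskingRecord:
    """One Database Field Level Masking (F94104) record as keyed in."""
    file_name: str
    library: str
    field_name: str
    data_item: str
    masking_code: str
    auth_list: str
    status: str = "Inactive"


def verify_edits(rec: MaskingRecord, user: str, sysobj: System, inclusions: set, definitions: set) -> list[int]:
    """Numbers of the six pre-create edits that fail; an empty list means the record may be created."""
    obj = sysobj.objects.get((rec.file_name, rec.library))
    failed = []
    if (rec.file_name, rec.field_name) not in inclusions:        # 1: File/Field in F94101
        failed.append(1)
    if (rec.data_item, rec.masking_code) not in definitions:     # 2: Data Item/Masking Code in F94103
        failed.append(2)
    if obj is None or rec.field_name not in obj.fields:          # 3: field exists in the file object
        failed.append(3)
    if rec.auth_list not in sysobj.auth_lists:                    # 4: a valid IBM Authorization List
        failed.append(4)
    if rec.field_name[2:] != rec.data_item:                       # 5: Data Item = Field Name minus 2-byte prefix
        failed.append(5)
    if obj is None or user not in obj.rights:                     # 6: user authorized to the object
        failed.append(6)
    return failed


def _run(rec: MaskingRecord, user: str, sysobj: System, attach: bool, job: str = "QPADEV0001") -> str:
    """Set (attach=True) or Drop (attach=False); returns 'OK' or the error message id of the failing step."""
    if rec.status == ("Active" if attach else "Inactive"):
        return "already " + rec.status                            # workbench rejects Set on Active, Drop on Inactive
    obj = sysobj.objects.get((rec.file_name, rec.library))
    if obj is None or not {"*OBJMGT", "*OBJOPR"} <= obj.rights.get(user, set()):
        return "941E"                                             # step 1: object missing (CPF9801) or rights missing
    if not {"*READ", "*UPD"} & sysobj.auth_lists.get(rec.auth_list, {}).get(user, set()):
        return "941F"                                             # step 2: no *READ or *UPD on the Authorization List
    if obj.locked_by not in (None, job):
        return "941C"                                             # step 3: *EXCL allocation failed
    obj.locked_by = job
    key = (rec.library, rec.file_name, rec.field_name)
    try:                                                          # step 4: the RUNSQL statement
        if attach and key not in sysobj.sysfields:
            sysobj.sysfields[key] = FIELDPROC
        elif not attach and key in sysobj.sysfields:
            del sysobj.sysfields[key]
        else:
            return "941G" if attach else "941H"                   # assumption: RUNSQL fails on a second attach / nothing to drop
        rec.status = "Active" if attach else "Inactive"
    finally:
        obj.locked_by = None                                      # step 5: de-allocate the exclusive lock
    return "OK"


def set_masking(rec: MaskingRecord, user: str, sysobj: System) -> str:
    return _run(rec, user, sysobj, attach=True)


def drop_masking(rec: MaskingRecord, user: str, sysobj: System) -> str:
    return _run(rec, user, sysobj, attach=False)


def fieldproc_rows(sysobj: System) -> list[tuple[str, str, str, str]]:
    """Stand-in for: Select sys_cname, sys_tname, sys_dname, fldproc from qsys2/sysfields."""
    return sorted((fld, f, lib, proc) for (lib, f, fld), proc in sysobj.sysfields.items())


# Constructed sample catalog and system; every name here is a placeholder.
INCLUSIONS = {("F0101", "ABTAX"), ("F0101", "ABTX2")}   # F94101: recommended File/Field pairs
DEFINITIONS = {("TAX", "/"), ("TX2", "*")}               # F94103: Data Item/Masking Code keys
SAMPLE_SYSTEM = System(
    objects={("F0101", "PRODDTA"): DbObject(
        fields={"ABAN8", "ABTAX", "ABTX2"},
        rights={"SECADM": {"*OBJMGT", "*OBJOPR"}, "AUDITOR": {"*OBJMGT", "*OBJOPR"}, "CLERK": {"*OBJOPR"}})},
    auth_lists={"FLMTAX": {"SECADM": {"*READ", "*UPD"}}},
)
TAX_RECORD = MaskingRecord("F0101", "PRODDTA", "ABTAX", "TAX", "/", "FLMTAX")
BAD_RECORD = MaskingRecord("F0101", "PRODDTA", "ABAN8", "AN8", "*", "NOLIST")   # fails edits 1, 2, 4 and 6
```

The lock is released in a `finally` so a failed RUNSQL never leaves the file allocated, which matches the chapter's step 5 only running after step 4 on the success path but is the behaviour an operator wants in both cases; `fieldproc_rows` is the in-memory counterpart of the sysfields query used in step 7 to confirm the combination now exists (after Set) or no longer exists (after Drop).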

62.9 Dropping Field Level Masking

The Masking Status field displays as Inactive on the workbench, if a database field is not set or has been dropped from Field Level Masking.

To drop a field in a file and library from Field Level Masking based on the Authorization List and the Masking Definition (Data Item and Mask Code) specified, select option 5 (Drop) from the Field Level Masking workbench screen.

When you select option 5 (Drop) to drop the field, the system completes the following steps:

  1. The object (file and library) is checked first for existence and both *OBJMGT and *OBJOPR rights for the user attempting the drop. If the object does not exist (IBM error CPF9801) or any other error occurs on the check object command, the system displays error message 941E.

  2. The IBM Authorization List is also checked to determine if the user has *READ or *UPD rights. If the user is not authorized, the system displays error message 941F on the workbench.

  3. If no errors occur, the object is then attempted to be allocated with a *EXCL exclusive lock. If it cannot be allocated, the system displays error 941C on the workbench.

  4. If no allocation error, the RUNSQL statement is executed on the Field/File/Library to drop the fieldproc program X940000000. If an error occurs on the RUNSQL statement, the system displays error message 941H on the workbench.

  5. If no error on the RUNSQL statement, the file is de-allocated for the exclusive lock and the process ends.

  6. If the process ends successfully, the IBM command DSPFFD can be run for the file and library where the Field Level Masking was dropped. Then, scan for the field using F16 to confirm that the fieldproc X940000000 program has been dropped from the field. See Appendix G - Example of Setting a Field with Field Level Masking, for an example of using the DSPFFD command and confirming that the fieldproc is no longer attached to the field.

  7. You can run the following SQL statement to prove the field has now been removed from Field Level Masking:

    • Select sys_cname, sys_tname, sys_dname, fldproc from qsys2/sysfields

    This file contains every Field/File/Library combination in the system that has Field Level Masking applied, so the combination no longer exists.

  8. If the process did not end successfully, review the error message and refer to the interactive session job log for further details for the specific issue found.

Figure 62-11 Field Level Masking Workbench screen

Field Explanation

File Name: The identification, such as program number, table number, and report number, that is assigned to an element of software.

Library Name: The Data File Library Name designates the library location of the database files.

Field Name: This field contains a value that identifies an exit or action in Extensibility or a database field allowed for use in Field Level Masking.

Screen-Specific Information

In Field Level Masking, the Field Name is used to define the field within a database file that is to be included and/or enabled in Field Level Masking.

Auth List: The Authorization List will be used in Field Level Masking for authorizing the database field for viewing or updating purposes to a list of user profiles.

Op: Selection exit codes are options and function keys that are used to perform a specific function for a selected line or form of data. The most commonly used selection exits for each program are displayed in highlighted text at the bottom of the form. To display all available selection exits, press F24. Press F1 in the Option field to display all available Options for the program.
Data Item: For World, the RPG data name. This data field has been set up as a 10-byte field for future use. Currently, it is restricted to 4 bytes so that, when preceded by a 2-byte table prefix, the RPG data name will not exceed 6 bytes.

Within the Data Dictionary, all data items are referenced by this 4-byte data name. As they are used in database tables, a 2-character prefix is added to create unique data names in each table specification (DDS). If you are adding an error message, this field must be left blank. The system assigns the error message number using next numbers. The name appears on a successful add. You should assign error message numbers greater than 5000. Special characters are not allowed as part of the data item name, with the exception of #, @, $.

You can create protected data names by using $xxx and @xxx, where you define xxx.

Create new data items using system codes 55-59.

The alias cannot be changed.

Mask Code: The Masking Code is used in Field Level Masking to identify a Data Dictionary Item that is being masked in a certain defined way. This Masking Code allows multiple ways to mask the Data Dictionary Item at a database file field level.

For example, a Tax ID field can be masked to show the last 4 numbers only with an * appearing in the first 5 positions. A second Masking Code might be defined on this field to use a Masking Value of / rather than *. A third Masking Code might identify the Tax ID field to show only the last two numbers with a Masking Value of > in the first 7 positions.

Masking Status: The Masking Status is used in Field Level Masking to determine whether the database field in a file and library has been set.

The values for Masking Status are:

Active - Field Level Masking is set for this field.

Inactive - Field Level Masking is not set for this field or it has been dropped.

File Description: The description of the selected video screen or user ID.

Data Item Description: Additional text that further describes or clarifies a field in the J.D. Edwards systems.