Additional Masking Information

The following points provide additional information to assist in your masking configuration:

You should examine the Data Masking feature configuration in the demonstration system because it will probably contain masking rules that will match your own.
On data input pages, a user might be able to enter or change masked data, such as a bank account number, but not be able to subsequently see what they added or changed.
External systems can request information by performing a service call via XAI. Please keep in mind that some XAI requests require data to be masked and some do not. For example, a request from an external system to synchronize person information needs the person's social security number unmasked; whereas a request from a web self service application to retrieve the same person information for display purposes needs the person's social security number masked. To implement this type of requirement, different users must be associated with each of the requests and these users must belong to separate user groups with different access rights.
If you need to mask a field value that is retrieved by invoking a business object (BO), a business service (BS), or a service script (SS), the associated element in the invoked schema must be associated with a meta-data field. It is this field's name that is referenced on the field's respective option value on the Data Masking feature configuration. For example, if you need to mask a bank account number that's returned via a business object call, the element in the schema that holds the bank account number must have either an mdField= attribute or a mapField= attribute that references a field name (for example, BANK_ACCT). This is because when the option value in the Data Masking feature configuration is defined, it references the BANK_ACCT field and not the element name in the schema. Please note that if other BO, BS or SS schema elements reference this meta-data field, the same masking rules will be applied.
If a maintenance object (MO) contains a CLOB field that holds an XML document and a service call invokes the MO's service program directly, the system will mask individual XML elements in the CLOB if a Determine BO algorithm has been plugged into the maintenance object and the element(s) in the respective BO schema have been secured as described above.