Setting Up the Encryption Framework

This topic discusses how to set up the Encryption Framework.

Page Name (Definition Name): Usage

Define Country for Encryption Page (HSC_ENCCTRY): Add countries that need to encrypt and mask sensitive data.

Define Source Records Page (HSC_CRYPTRUN): Define encryption criteria.

Field Mapping Page (HSC_FLDSEL_SEC): View or change the field mapping of the data to be encrypted.

Grant Unmasked Access Page (HSC_ROLESEL_SEC): Specify roles for users to view unmasked data after data is encrypted.

Define Process Records Page (HSC_MASKREC): Define process records for batch processes that display unmasked data.

Manage Encryption and Masking Page (HSC_CRYPT_RCTL): Run the encryption process for specified source records.

Encryption Details Page (HSC_COUNTRY_SEC): View the list of countries whose data set from the source record is encrypted.

Map Batch Processes Page (HSC_PRCSSTG_MAP): Identify application batch processes that display unmasked data in output files.

Process Records Page (HSC_PRCSMSK_SEC): View the process record setup for the application batch process.

Maintain Process Page (HSC_PRCSCLEANUP_RC): Clean up residual data from the staging tables of the encryption process.

Use the Encryption Administration component to access the pages that are used to configure the Encryption Framework. Pages appear in the navigation collection for easy access.

Administrators must have the Encryption Configuration Admin role to access this setup component.

This example illustrates the Encryption Administration component, which lists the pages that are used to set up the Encryption Framework in HCM.

Encryption Framework setup using the Encryption Administration component

Note: In this topic, Payroll for North America is used as an example to demonstrate the setup of the Encryption Framework.

Video: Image Highlights, PeopleSoft HCM Update Image 39: HCM Encryption Configuration

Here are the high-level steps for setting up the Encryption Framework:

  1. Set up the administrator(s) with the new Encryption Configuration Admin role. This role allows the administrators to access the Encryption Administration component and configure the framework.

    Additionally, if you want the administrator(s) to be able to view unmasked data after encryption is run, create a role and assign it to the administrator(s). Add this role to the Grant Unmasked Access Page of the source records that store the data to be encrypted. Both Global Payroll for United States and Payroll for North America deliver user roles for this purpose.

  2. Select the Enable Encryption check box on the HCM Options Page of the Installation Table.

  3. Create Encryption and Decryption profile IDs to use in the framework. You may use existing profile IDs you have already created, provided they are not based on the 3DES algorithm, or create new profile IDs. Do not use any of the profiles provided as sample data.

    The 3DES encryption algorithm is now considered obsolete and is maintained for backward compatibility only. It is recommended that you create a new set of Encryption and Decryption profiles that are not based on 3DES and instead use a similar but stronger algorithm (for example, AES).

    For more information on Profiles, see the Defining Encryption Profiles topic in PeopleTools: Security Administration, “Securing Data with PeopleSoft Encryption Technology”.

    For more information on Encryption Algorithms, see the Privacy Through Encryption section of the Understanding Data Security topic in PeopleTools: Security Administration, "Securing Data with PeopleSoft Encryption Technology".

  4. Review and update the Encryption Administration pages to set up the framework as needed.

  5. Run the Encryption process on the Manage Encryption and Masking Page.

Refer to these topics for additional information about the data encryption implementation that is specific to applications:

Understanding Data Encryption for Global Payroll for United States

Understanding Data Encryption for Payroll for North America

Use the Define Country for Encryption page (HSC_ENCCTRY) to add countries that need to encrypt and mask sensitive data.

Navigation:

Set Up HCM > Common Definitions > Encryption Configuration > Encryption Administration > Define Country for Encryption

This example illustrates the fields and controls on the Define Country for Encryption page.

Define Country for Encryption page

Field or Control

Description

Country

Add one or more countries that use the Encryption Framework to encrypt and mask data. This page is delivered without any values.

In the Payroll for North America example, data (bank account numbers) will be encrypted for USA (which is required to satisfy Nacha requirements) and Canada to illustrate that the new functionality is also available to other countries.

Use the Define Source Records page (HSC_CRYPTRUN) to define encryption criteria.

Navigation:

Set Up HCM > Common Definitions > Encryption Configuration > Encryption Administration > Define Source Records

This example illustrates the fields and controls on the Define Source Records page before the encryption process is run. Fields in the Encryption Criteria section are read-only.

Define Source Records page before encryption

This example illustrates the fields and controls on the Define Source Records page after the encryption process is run, in which the fields in the Encryption Criteria section become editable.

Define Source Records page

This screenshot shows the system-delivered data for Payroll for North America, which includes the DIR_DEP_DISTRIB (direct deposits), GARN_SPEC (garnishment), and SRC_BANK (source bank) source records. To comply with Nacha requirements, do not change the delivered data.

Encryption Profile Details

Field or Control

Description

Encryption Profile ID, Decryption Profile ID, and Validate

Specify the profiles that the framework will use to encrypt and decrypt data (bank account numbers in this example). You may use existing profile IDs you have already created, provided they are not based on the 3DES algorithm, or create new profile IDs.

Important! The IDs in this screenshot are for illustration purposes only. Use your own set of profile IDs; do not use any of the profiles provided as sample data.

Click the Validate button to verify the profiles specified. The system updates the profile status to Valid after the profiles are validated successfully.

For more information about encryption profiles, see PeopleTools: Security Administration, “Securing Data with PeopleSoft Encryption Technology”, Defining Encryption Details.

Encryption Criteria

Field or Control

Description

Source Record

Specify the “source-of-truth” record(s) that store and maintain the data to be encrypted and masked.

For Payroll for North America, the source records for storing the data are DIR_DEP_DISTRIB, GARN_SPEC, and SRC_BANK.

Note: The framework allows customers to add new source records with a corresponding source record field to store the encrypted data. Since the field name can be determined by the user, there is no validation to ensure the selections are correct when using the prompts.

Data Selection Criteria

Select the scope of data encryption. Values are:

All Data: Selects all data in the record for encryption.

Country: Selects data that belongs to the countries specified on the Define Country for Encryption Page for encryption.

Country Field

Enter the field in the source record that is used to identify the country to which a row of data belongs. This field becomes available for selection when the Data Selection Criteria field is set to Country. The lookup prompt shows the fields of the source record.

For Payroll for North America, the framework uses the COUNTRY_CD field in DIR_DEP_DISTRIB and SRC_BANK records to identify country-specific data rows that are subject to encryption. Data (account numbers) that belongs to the countries (specified on the Define Country for Encryption page) from the corresponding source record will be encrypted.

Status

Displays the current encryption status of the source record. Values are:

None (no action has been performed on the data in the source record – delivered value).

Encrypted (data in the source record is encrypted).

Decrypted (data in the source record is decrypted).

Edit Fields

Select to change the field mapping of the data to be encrypted on the Field Mapping Page, if needed. This page is editable when the source record is in the Decrypted status.

Grant Unmasked Access

Select to specify roles for users who can view unmasked data on the Grant Unmasked Access Page.

Use the Field Mapping page (HSC_FLDSEL_SEC) to view or change the field mapping of the data to be encrypted.

Navigation:

Click the Edit Fields button on the Define Source Records page.

This example illustrates the fields and controls on the Field Mapping Page, which is displayed in read-only mode when the source record is encrypted.

Field Mapping page

This screenshot shows the Payroll for North America setup example, where the ACCOUNT_NUM field stores the sensitive data (bank account numbers) in the DIR_DEP_DISTRIB source record, and the PY_BANKACCCRYPT field, a new field added to the same source record to store the encrypted data of the account numbers after the encryption process is run.

This page becomes editable when the source record is decrypted.

Use the Grant Unmasked Access page (HSC_ROLESEL_SEC) to specify roles for users to view unmasked data after data is encrypted.

Navigation:

Select the Grant Unmasked Access button on the Define Source Records page.

This example illustrates the fields and controls on the Grant Unmasked Access page.

Grant Unmasked Access page

Field or Control

Description

Role Name

Specify the role(s) that allow users (for example, administrators) to view the unmasked data when the data is masked for the rest of the users. If no one should be able to view masked data in its original form, do not enter any roles in this field.

Global Payroll for United States, Payroll for North America, and Payroll Interface all deliver user roles to grant users access to unmasked data. For more information about these roles, see the Delivered Roles For Viewing Unmasked Data (Global Payroll for United States), Delivered Roles For Viewing Unmasked Data (Payroll for North America), and Delivered Role For Viewing Unmasked Data (Payroll Interface) topics.

For example, an employee added a direct deposit account in Self Service and the number is 12345678. Encryption is run for the DIR_DEP_DISTRIB source record, and the account number is masked and displayed as XXXX5678 on the direct deposit pages. However, when the Bank Account Admin role is specified in the Role Name field, an administrator with this role will see the unmasked account number of 12345678 on the online pages even though the account number is encrypted and masked in the database.

Use the Define Process Records page (HSC_MASKREC) to define process records for batch processes that display unmasked data.

Navigation:

Set Up HCM > Common Definitions > Encryption Configuration > Encryption Administration > Define Process Records

This example illustrates the fields and controls on the Define Process Records page.

Define Process Records page

This screenshot shows the system-delivered data for Payroll for North America, which is the DIR_DEP_DISTRIB source record. To comply with Nacha requirements, do not change the delivered-system data for the Process Record and Process Stage Record fields.

Some applications have batch processes that display the sensitive data in its actual, unmasked form in the output files. For example, the account numbers that appear in direct deposit transmit files created by the DDP001 process need to be unmasked. For the unmasked data to appear in its outputs after the encryption is run, the batch process (DDP001) copies the required data from the process record (defined on this page) to the stage record, where the data is unmasked. The stage record structure must match the process record, plus one additional key field, PROCESS_INSTANCE, as the first key field.

Use this page to define an association between a process record (where the masked data is stored) and a source record (from where the application batch process retrieves the encrypted data to unmask the data coming from the process record).

Note: The framework allows the customers to define a process record with a corresponding process stage record to decrypt data. Since the field name can be determined by the user, there is no validation to ensure the selections are correct when using the Process Record Field and Process Stage Record field prompts.

Field or Control

Description

Process Record

Specify the record that contains the sensitive data that needs to be unmasked.

The sensitive data is masked in the process record after the encryption process is run.

Process Stage Record

Specify the temporary record that will be used by the application batch process to unmask data, using the required data copied from the process record.

The stage record structure must match the process record, plus one additional key field PROCESS_INSTANCE as the first key field.

Data Selection

Select the data selection option. Values are:

PeopleSoft Query: Use this option if it is not possible to define a join between the source and process records. This usually requires additional tables to be used to build the join that defines a 1:1 relationship between the data in the two records.

For Payroll for North America, the PeopleSoft Query SELECT statement should include all columns of the process record plus the account number field(s) from the source record. No other columns should be part of the SELECT statement.

Join Source Record: Use this option if the key structures of the source and process records can be mapped to define a 1:1 relationship between the data in the two records.

Data Set Query

This field is available if the Data Selection field is set to PeopleSoft Query. Use the Query Manager link to identify the PS Query to be used to define the data mapping between the process and source records.

Note: PS Query will display the masked account numbers stored in ACCOUNT_NUM once encryption is run. At this time, we don’t deliver a process to display the unmasked account numbers.

Note: The framework allows the customers to define the query. Since the field name can be determined by the user, there is no validation to ensure the selections are correct when selecting the query name in the prompt.

Map Keys

This link is available if the Data Selection field is set to Join Source Record. Click to open a modal page to map the key fields between the process and the source record.

Fields

Field or Control

Description

Process Record Field and Source Record Field

Use Process Record Field to identify one or more fields from the specified process record that should be masked, and Source Record Field to specify their corresponding fields from the specified source record, from which the actual values are retrieved during the unmask process.

Use the Manage Encryption and Masking page (HSC_CRYPT_RCTL) to run the encryption process for specified source records.

Navigation:

Set Up HCM > Common Definitions > Encryption Configuration > Encryption Administration > Manage Encryption and Masking

This example illustrates the fields and controls on the Manage Encryption and Masking page.

Manage Encryption and Masking page

Field or Control

Description

Run

Click to run the encryption and masking process (HCCRYPTAE) to encrypt (or decrypt) and mask (or unmask) data for the source records using the specified parameters.

Encrypted data can only be viewed with a query; it’s not available on any delivered online page.

Encrypt and Decrypt Source Records

Use this section to specify the parameters used to run the encryption process.

Field or Control

Description

Source Record

Displays the “source-of-truth” records that are defined on the Define Source Records Page.

Status

Displays the current encryption status of the source record. Values are:

Decrypted

Encrypted: Click the link to view the list of countries with encrypted data from the source record on the Encryption Details Page.

None

Action

Select an action to be performed on the source record. Available values are based on the current encryption status:

None: available to all statuses.

Decrypt: available when the status is Encrypted.

Encrypt: available when the status is None or Decrypted.

Process Record Mask

Select a masking action to be performed on the process record. Available values are:

Always Mask

Do Not Unmask

None (this is the only available mask action if the source record is not associated with any process record)

Unmask

The availability of these mask values is controlled by the current action value for the source record.

For example, for Payroll for North America, the following values are available for the DIR_DEP_DISTRIB source record:

Always Mask: available when the action is Encrypt.

Do Not Unmask: available when the action is Decrypt.

None: available when the action is None.

Unmask: available when the action is Decrypt.

For the GARN_SPEC and SRC_BANK source records, the only available mask action is None.

Use the Encryption Details page (HSC_COUNTRY_SEC) to view the list of countries whose data set from the source record is encrypted.

Navigation:

Select the Encrypted link on the Manage Encryption and Masking page.

This example illustrates the fields and controls on the Encryption Details page.

Encryption Details page

Use the Map Batch Processes page (HSC_PRCSSTG_MAP) to identify application batch processes that display unmasked data in output files.

Navigation:

Set Up HCM > Common Definitions > Encryption Configuration > Encryption Administration > Map Batch Processes

This example illustrates the fields and controls on the Map Batch Processes page.

Map Batch Processes page

This batch process mapping is used to identify application batch processes that are required to output the actual data. Without this configuration, application batch processes will always show masked data in the output.

This screenshot shows the system-delivered data for Payroll for North America. To comply with Nacha requirements, do not change the delivered data.

This setup step is not required for Global Payroll for United States.

Field or Control

Description

Process Name

Specify an application batch process that is required to include the actual data in its output.

Source Record

Specify the source-of-truth record to retrieve the encrypted data.

Staging Record

Specify the source staging record, which is a clone of the source record with PROCESS_INSTANCE as the additional key field. During the batch process run time, the framework process copies the required data from the source record to the staging record for decryption.

Process Records

Click the link to view the process record setup (available on the Define Process Records Page) for the application batch process.

Use the Process Records page (HSC_PRCSMSK_SEC) to view the process record setup for the application batch process.

Navigation:

Select the Process Records link on the Map Batch Processes page.

This example illustrates the fields and controls on the Process Records page.

Process Records page

The source record, process record, and process stage record setup is defined on the Define Process Records Page.

Field or Control

Description

Process Stage Record

The process stage record is a clone of the process record plus PROCESS_INSTANCE as the additional key field. During the application batch process run time, the framework process copies the required data from the process record to the process stage record. After copying the data, the framework process unmasks the data in the process stage record using the decrypted data in the source stage record. The application batch process can then retrieve the actual data (bank account numbers in Payroll for North America).

Action

Displays the Unmask value, which means that the data in the process stage record will be unmasked during the application process run-time.
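The Define Process Records and Map Batch Processes pages both require a staging record that clones the base record and adds PROCESS_INSTANCE as the first key field, and the prompts do not validate that structure. The following added example (not PeopleSoft code) checks a record definition against that rule before it is entered on either page; the record names and field lists are constructed, and only COUNTRY_CD, ACCOUNT_NUM and PY_BANKACCCRYPT are fields named on this page.

```python
from dataclasses import dataclass


@dataclass
class RecordDef:
    """Minimal record definition: fields in record order, key fields in key order."""
    name: str
    fields: list
    keys: list


def stage_record_errors(base: RecordDef, stage: RecordDef) -> list:
    """Return the reasons `stage` is not a valid stage record for `base`.

    Rule from the page: the stage record is the base record's structure plus
    PROCESS_INSTANCE as the first key field. An empty list means the structure
    is acceptable for the Process Stage Record / Staging Record prompts.
    """
    errors = []
    if not stage.keys or stage.keys[0] != "PROCESS_INSTANCE":
        errors.append(f"{stage.name}: PROCESS_INSTANCE must be the first key field")
    if stage.keys[1:] != base.keys:
        errors.append(f"{stage.name}: keys after PROCESS_INSTANCE must be {base.keys}")
    expected_fields = ["PROCESS_INSTANCE"] + base.fields
    if stage.fields != expected_fields:
        missing = [f for f in expected_fields if f not in stage.fields]
        extra = [f for f in stage.fields if f not in expected_fields]
        errors.append(f"{stage.name}: field list mismatch (missing {missing}, extra {extra})")
    return errors


# Constructed definitions (hypothetical names; field lists are illustrative only).
PROCESS_DEMO = RecordDef(
    "PY_DDP_PROC_DEMO",
    ["EMPLID", "PRIORITY", "COUNTRY_CD", "ACCOUNT_NUM", "PY_BANKACCCRYPT"],
    ["EMPLID", "PRIORITY"],
)
GOOD_STAGE = RecordDef(
    "PY_DDP_STG_DEMO",
    ["PROCESS_INSTANCE", "EMPLID", "PRIORITY", "COUNTRY_CD", "ACCOUNT_NUM", "PY_BANKACCCRYPT"],
    ["PROCESS_INSTANCE", "EMPLID", "PRIORITY"],
)
BAD_STAGE = RecordDef(  # PROCESS_INSTANCE added as a trailing non-key field
    "PY_DDP_STG_BAD",
    ["EMPLID", "PRIORITY", "COUNTRY_CD", "ACCOUNT_NUM", "PY_BANKACCCRYPT", "PROCESS_INSTANCE"],
    ["EMPLID", "PRIORITY"],
)
```

The same check applies to a source staging record on the Map Batch Processes page by passing the source record as `base`.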

Use the Maintain Process page (HSC_PRCSCLEANUP_RC) to clean up residual data from the staging tables of the encryption process.

Navigation:

Set Up HCM > Common Definitions > Encryption Configuration > Encryption Administration > Maintain Process

This example illustrates the fields and controls on the Maintain Process page.

Maintain Process page

Parameters

Select a parameter to search the staging tables for residual data of the corresponding status; this data may contain unmasked or decrypted values. Residual data can be left in the staging tables by incorrect or unsuccessful runs.

Field or Control

Description

Delete All

Select to mark all process runs for deletion. This option can be used to remove the staging table data for all process instances.

Process Runs

The system populates the Process Runs grid with process instances of the selected status, if applicable. You can select specific process instances to clear residual data. This grid does not apply to the Delete All option.

This section describes what needs to be done when you want to encrypt data for a new country, using Payroll for North America as an example.

Suppose that you ran the encryption process to encrypt direct deposit account numbers for USA to comply with Nacha requirements. Now, you have decided to run it for Canada as well to enhance data security. You need to decrypt all encrypted data from the source record, add the new country, and encrypt data for all selected countries.

Follow these steps:

  1. Run the decryption process on the Manage Encryption and Masking Page to decrypt all direct deposit account numbers previously encrypted for USA.

    Select the Decrypt action for the DIR_DEP_DISTRIB source record. Run the process. After the process completes, all account numbers for USA will be unmasked in the database.

  2. Add CAN to the country list on the Define Country for Encryption Page. The page now shows both USA and CAN.

  3. Run the encryption process on the Manage Encryption and Masking Page to encrypt direct deposit account numbers for both countries.

    Select the Encrypt action for the DIR_DEP_DISTRIB source record. Run the process. After the process completes, all account numbers for USA and CAN will be masked in the database.

  4. Run the Mask Direct Deposit Audit Rcd process. This process masks the direct deposit account numbers for Canadian employees. Previously masked account numbers remain unchanged.

    Note that the Mask Direct Deposit Audit Rcd process can be run to mask account numbers in the audit records for direct deposits and general deductions. For more information, see Audit Records.

This procedure applies to other scenarios involving different source records and countries.
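The following added example (not PeopleSoft code) simulates the encryption run on one source record under the rules stated above: the action allowed for each status, country-scoped selection through COUNTRY_CD, masking of ACCOUNT_NUM to XXXX5678 with the ciphertext held in PY_BANKACCCRYPT, role-based unmasking on display, and the decrypt/add-country/re-encrypt procedure. The keystream cipher and the sample rows are constructed stand-ins for an Encryption/Decryption profile and for DIR_DEP_DISTRIB data.

```python
import hashlib

PROFILE_KEY = b"constructed-demo-profile-key"  # stand-in for an Encryption/Decryption profile ID
# Actions available per source record status (Manage Encryption and Masking page).
ALLOWED_ACTIONS = {"None": {"None", "Encrypt"}, "Decrypted": {"None", "Encrypt"},
                   "Encrypted": {"None", "Decrypt"}}

def action_available(status: str, action: str) -> bool:
    return action in ALLOWED_ACTIONS[status]

def _keystream_xor(data: bytes) -> bytes:
    # Stand-in cipher (demo only, not a PeopleSoft profile): XOR with a SHA-256 counter keystream.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(PROFILE_KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(plain: str) -> str:
    return _keystream_xor(plain.encode()).hex()

def decrypt(cipher_hex: str) -> str:
    return _keystream_xor(bytes.fromhex(cipher_hex)).decode()

def mask(account_num: str) -> str:
    # Page example: 12345678 is stored and displayed as XXXX5678.
    return "X" * (len(account_num) - 4) + account_num[-4:]

class SourceRecord:
    """DIR_DEP_DISTRIB-like rows with COUNTRY_CD, ACCOUNT_NUM and PY_BANKACCCRYPT."""
    def __init__(self, rows):
        self.rows = rows
        self.status = "None"              # delivered value
        self.encrypted_countries = set()  # what the Encryption Details page lists

    def run(self, action: str, countries: set) -> None:
        """One HCCRYPTAE run with Data Selection Criteria set to Country."""
        if not action_available(self.status, action):
            raise ValueError(f"{action} is not available when status is {self.status}")
        if action == "None":
            return
        for row in self.rows:
            if action == "Encrypt" and row["COUNTRY_CD"] in countries:
                row["PY_BANKACCCRYPT"] = encrypt(row["ACCOUNT_NUM"])
                row["ACCOUNT_NUM"] = mask(row["ACCOUNT_NUM"])  # masked in the database
            elif action == "Decrypt" and row["PY_BANKACCCRYPT"]:
                row["ACCOUNT_NUM"] = decrypt(row["PY_BANKACCCRYPT"])
                row["PY_BANKACCCRYPT"] = ""
        self.status = "Encrypted" if action == "Encrypt" else "Decrypted"
        self.encrypted_countries = set(countries) if action == "Encrypt" else set()

    def display(self, idx: int, user_roles: set, granted_roles: set) -> str:
        # Online page view: unmasked only for roles listed on Grant Unmasked Access.
        row = self.rows[idx]
        if row["PY_BANKACCCRYPT"] and user_roles & granted_roles:
            return decrypt(row["PY_BANKACCCRYPT"])
        return row["ACCOUNT_NUM"]

def add_country_scenario() -> SourceRecord:
    """The page's procedure: USA already encrypted; decrypt, add CAN, re-encrypt."""
    rec = SourceRecord([  # constructed sample rows
        {"COUNTRY_CD": "USA", "ACCOUNT_NUM": "12345678", "PY_BANKACCCRYPT": ""},
        {"COUNTRY_CD": "CAN", "ACCOUNT_NUM": "87654321", "PY_BANKACCCRYPT": ""},
        {"COUNTRY_CD": "GBR", "ACCOUNT_NUM": "11112222", "PY_BANKACCCRYPT": ""},
    ])
    rec.run("Encrypt", {"USA"})            # earlier run for Nacha compliance
    rec.run("Decrypt", {"USA"})            # step 1: Decrypt action on DIR_DEP_DISTRIB
    rec.run("Encrypt", {"USA", "CAN"})     # steps 2 and 3: CAN added, Encrypt for both countries
    return rec
```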