Masking Data in Page and Field Configurator
To comply with data privacy regulations, organizations can mask personally identifiable and/or sensitive content in PeopleSoft and expose them only to authorized persons.
Use the Masking Configuration Type to mask page fields and search fields.
Note: The PeopleTools version should be 8.57.11 or higher.
Note: For HCM systems, it is recommended that HCM-specific data masking is disabled in the Installation Options and that you use Page and Field Configurator masking instead.
There are five steps to configure data masking for a page using Page and Field Configurator.
Define the mask profiles and apply the profile to the fields in the selected component using the Define Mask Profile page. This involves:
- Use the Define Mask Profile Page to set up data masking profiles that can be applied to the fields that are selected for masking in Page and Field Configurator. 
- Use the Define Field Group Page to group fields with similar masking requirements. 
- Use the Page and Field Configurator: Masking Page to configure the fields to be masked using Mask Profiles defined in step 1. 
- Use User List Page to define a list of users to whom the configuration is to be applied. 
- Use the Map to Portal Registry Page to map the configuration to the corresponding portal registry entries. 
Note: The configuration defined in a component becomes effective only if the services defined by the utility are mapped to the corresponding portal registry entries.
Note: Only users assigned the role PFC Data Masking Admin can see the Masking configuration type.
The configuration can only be applied to a registered component in the system.
The PeopleTools version must be 8.57.11 or higher.
For more details, see the image highlight video on Data Masking:
Video: Image Highlights, PeopleSoft HCM Update Image 33: Data Masking Related Changes for PFC
Example: Modify a Person Page
This example illustrates how sensitive fields for the Modify a Person component can be masked.
 
    Use these pages to mask data using Page and Field Configurator.
| Page Name | Definition Name | Usage | 
|---|---|---|
| EOCC_MASK_PROFILE | Define data masking profiles that can be applied to the fields that are selected for masking in Page and Field Configurator. | |
| EOCC_FIELD_GRP | Assign a default mask profile for a similar set of fields. | |
| EOCC_CONFIG_MASK | Define the criteria and field properties for the component, when Masking is the Configuration Type. | |
| EOCC_CONFIG_USER | Define the list of users to whom the configuration needs to be applied. | |
| EOCC_MAP_EVENT | Assign the configuration to a content reference in the Portal Registry, and activate event mapping. | |
| EOCC_ADVANCED_TAB | Streamline the selection of fields on other pages in the Page and Field Configurator. | 
Use the Define Mask Profile page (EOCC_MASK_PROFILE) to set up data masking profiles that can be applied to the fields that are selected for masking in Page and Field Configurator.
Navigation:
Page and Field Configurator supports four types of masking configuration:
- Complete Masking. 
- Trailing Character Type Masking (Partial Masking). 
- Date Type Masking. 
- Setup Table Based Masking. 
To create a new Mask Profile, add a new value the Define Mask Profile search page
Oracle delivers one mask profile of each type as system data. Any new mask profile that you create should be migrated using data mover scripts before any masking configurations from Page and Field Configurator are migrated.
Define a new Mask Profile
 
      Complete Masking
This type of masking masks all the characters of the field.
Complete Masking in Define Mask Profile page
 
        | Field or Control | Description | 
|---|---|
| Default | Select this box when the mask profile is Complete to indicate it as a system level default. The system uses the Mask Profile when no Mask Profile is selected on the Page and Field Configurator: Masking Page. | 
| Masking Type | Select the method for presenting masked information on pages: 
 | 
| Mask Character | Select the character that replaces the data in the field to mask it. X and * are the supported mask characters. | 
| Retain Separators | Select if separators should be displayed while the rest of the data is masked. Supported separators are available as system data in the EOCC_MASK_SEP table. | 
Unmask Trailing Characters
This type of masking can be applied when you need to partially unmask some of the ending characters in a field. For example, credit card number.
Unmask trailing characters
 
        | Field or Control | Description | 
|---|---|
| Length | Choose the length or number of trailing characters that needs to be kept unmasked. | 
Date Masking
This type of masking can be applied for date fields and you can choose the parts of the date field that can be masked or left unmasked.
Date type masking
 
        | Field or Control | Description | 
|---|---|
| Date Masking Options | Select which part of the date (Day, Month or Year) needs to be masked. | 
Setup Table Based Masking
Use this masking profile to mask data from a defined setup table that has the masking format defined in it.
Setup table based masking
 
        | Field or Control | Description | 
|---|---|
| Setup Table | Choose the Setup table that has the masking definition. | 
| Mask Format Field | Choose the field that has the mask format in the setup table. | 
| Control Fields | These fields in the Setup table determine the right mask format for a transaction. | 
| Default Record | The default record to be displayed in Page and Field Configurator when a field is selected for masking. The Default Record can be overridden. | 
| Default Field | The default field to be displayed in Page and Field Configurator when a field is selected for masking. The Default Field can be overridden. | 
Use the Define Field Group page (EOCC_FIELD_GRP) to assign a default Mask Profile to a similar set of fields.
Navigation:
Define Field Group
 
      | Field or Control | Description | 
|---|---|
| Default Mask Profile ID | Replace with the default Mask Profile. The default mask profile will be defaulted in Page and Field Configurator if any field from the field group is chosen for masking. The same field cannot be used in multiple field groups | 
| Field name | Choose the similar fields that are to be grouped under this field group. | 
Use the Page Configuration page (EOCC_CONFIGURE) to define the criteria and field properties for the component, when Masking is the Configuration Type.
Navigation
. Select Masking as the Configuration Type
Note: The top of this page is the same as the Page and Field Configurator: Page Configuration Page - Standard.
This example illustrates the Page and Field Configurator: Masking Page (2 of 2).
 
      Note: As of FSCM Update Image 43, PeopleSoft added the Bank Account Number Encryption feature. If you want to use this feature to encrypt and mask bank account numbers, but you previously used this page to mask bank account numbers, delete the row in the Configure Fields for Masking section prior to using this feature.
For more information about securing bank account numbers in FSCM, see PeopleSoft FSCM 9.2: Application Fundamentals, Securing Bank Accounts in FSCM.
For field and control descriptions, see Page and Field Configurator: Page Configuration Page - Standard. Fields and controls that are specific to masking are described below.
| Field or Control | Description | 
|---|---|
| Apply Additively | Select to indicate that you want multiple sequences to impact the page viewed by the user. In the event that a component has Standard and Masking configurations, masking configurations are applied after standard configurations. | 
Configure Masking
The Configure Masking section is used to configure page fields, search fields and prompt record fields for masking. Masking is supported for:
- Primary Page fields 
- Secondary Page fields 
- Search Record fields 
- Prompt Record fields 
Any drop-down field selected for masking is fully masked with the "*" character.
Choose the Select Fields button to view a list of all available fields in the component. Masking is not supported for long fields.
Search Field Masking
Search fields are configured for masking in the same way as the page fields are configured as explained above. However, there are some differences with page field masking:
- Only the Mask profiles of Complete, Unmask Trailing Character and Date masking are supported for Search Fields masking. 
- If a component uses pivot grid based search and the masked field is also a part of facet search, then the facet will be hidden. 
- When a search field is chosen to be masked, then the List view will be hidden from Component Keyword search and Pivot Grid based search. 
- A search field selected for masking will be masked in the search result and will be disabled as a search field. 
- For Search fields, separators are supported only for non-date type masking. 
Note: For PeopleTools 8.60 or higher, data masking is also supported for Search Records configured in PeopleTools Configurable Search.
For Keyword Search fields, masking is supported only for fields that are part of Component Search Record. Masking of Search Fields that are only part of the Search Index is not supported.
For more information, see 'Managing Configurable Search' in the PeopleTools Search Technology documentation.
Prompt Masking
Prompt masking provides a configurable option for masking sensitive/PII fields in Prompt records. Prompt record fields are configured for masking in the same way as the page fields are configured.
When you apply the configuration using the Map to Portal Registry Page, the record-field property “Allow Search events for Prompt dialogs” is automatically selected. This is necessary to trigger the search event programs generated by Page and Field Configurator. If the masking configurations for the prompt record field is removed, the mentioned record-field property will be de-selected.
Once prompt masking is enabled and an unauthorized user clicks on the prompt lookup the prompt dialog shows the masked data in the column(s) identified for masking in the result grid. After the user selects a value from the prompt and the page is loaded, the field value on the page will be masked if the page field is also defined in Page and Field Configurator masking configuration.
Select Fields for masking
 
        | Field or Control | Description | 
|---|---|
| Source Type | Displays the option selected on the . | 
| Field Source | Select the record type for masking. Based on the selected field source, all the field records are listed for selection. | 
| Page Type | Indicates whether the fields listed are from a primary page or from a secondary field. | 
| Primary Page | Select the main page for the field that you intend to mask. | 
| Secondary Page | Choose the secondary page from the main page. Note: In addition to secondary pages that are part of the component structure, masking is also supported for secondary pages called from PeopleCode. To select fields from secondary pages called via PeopleCode for masking, the secondary page fields should be manually added to the Page Fields grid. For secondary pages called via PeopleCode, masking is supported only if the secondary page field is marked as Personal Identifier/Sensitive in Data Privacy Framework. | 
| Restrict to Personal Identifier/Sensitive Fields | Select to list only the fields that have been classified as Personal Identifier or Sensitive in Data Privacy Framework. For more details, see Understanding Data Privacy. | 
Select the required field names and click OK at the bottom of the page.
When in Add mode, the page fields selected for masking are enabled for data entry. In other modes, fields selected for masking are enabled only if they are blank.
Configure Fields for Masking - General Information
The fields selected on the Select Field page are displayed in this section.
| Field or Control | Description | 
|---|---|
| Label Text, Record Name, Field Name | Displays the selected values after selecting fields from the Select Field page. | 
| Mask Field | Select to indicate that you want to mask this field. | 
| Mask Profile | Displays Full or Partial. Select this link to access Configure Masking window where you can determine the mask profile, mask character, and whether to retain separators. If the Mask Profile is listed as Select Profile or if you want to change the current profile, click on it to change it. If the field is part of a Field Group, the Default Mask Profile from the Field Group is defaulted as the Mask Profile for that field. If the field is not part of a Field Group, the Mask Profile defaults to the system level Default Mask Profile. Select the Mask Profile link to override the defaulted mask profile for a field. | 
| Profile Status | Displays Default, Changed 
 | 
This example illustrates the Configure Masking window.
