Data Masking Support
If data within the object is considered a candidate for data masking, the masking capabilities supplied with the product can be used to mask the data in an appropriate fashion.
Note: The data is not stored in a masked fashion; it is configured to be displayed in masked format for users using Security Types.
To mask data using the internal data masking capability:
An internal algorithm type of F1-MASK is supplied with the product to perform basic data masking.
The following parameters are applicable to the algorithm:
Parameter: Description
Masking Character: The character to be used as a mask. By default, the asterisk (*) character is used.
Number of Unmasked Characters: The number of suffix characters to unmask. Commonly, the last x characters are displayed unmasked to allow some identification. A value of zero masks all characters.
Unmasked Characters: List of characters without spaces to leave unmasked. Commonly, this is used to denote delimiter characters to enhance recognition.
Application Service: Used for security authorization checking. It allows global or local services to be configured to indicate security access to data masks.
Security Type: Used to flag which users will view the data in masked or unmasked format. User Groups need to be connected to the Application Service and Security Type and given the Authorization Level to determine the level of data masking.
Authorization Level: The authorization level that determines whether the user can access the unmasked data. All other authorization levels in the Security Type indicate masked data.
Configure an Algorithm entry of Algorithm Type F1-MASK for the desired masking configuration. Algorithm entries can be shared across fields to be masked using the Algorithm menu option on the Administration menu.
Attach User Groups to the Application Service with the appropriate Authorization Level for the Security Type.
Create or update a feature configuration with a Data Masking feature type by using the Feature Configuration menu option on the Administration menu.
For each field to mask, add an entry to the Options section of Feature Configuration and configure the following settings:
Option Type: Select Field Masking for Data Masking.
Sequence: Specify a sequence number for sorting purposes.
Value: Specify a tag string delimited by a comma to indicate the data masking definition.
The supplied algorithm only supports fields defined as strings.
Enter alg="algorithm name" to reference the masking algorithm. The corresponding Algorithm Type must reference the Data Masking algorithm entity.
For data accessed via a schema-based object call, reference a metadata field name from its schema definition. For example, to mask a credit card number with a schema of <creditCard mdField="CCNBR" mapField="EXT_ACCT_ID"/>, set the option value to field="CCNBR", alg="algorithm name".
For data accessed through a page maintenance service call, indicate the table name and the field name where the data resides, for example table="table_name", field="fld_name", alg="algorithm name".
A WHERE clause may also be specified, which is useful for data that resides in a child table where only data of a certain type needs to be masked. For example, table="CI_PER_ID", field="PER_ID_NBR", alg="algorithm name", where="ID_TYPE_CD='SSN'"
For data stored as a characteristic, indicate the characteristic type as CHAR_TYPE_CD='char type', alg="algorithm name". This needs to be defined only once regardless of which characteristic entity the char type may reside in. Note that only ad-hoc characteristics are supported at the present time.
For data displayed via a search service call, indicate the search name and the appropriate field to mask along with the masking algorithm. For example, search="SearchServiceName", field="PER_ID_NBR", where="ID_TYPE_CD='SSN'", alg="algorithm name". To find the search service name, launch the search in question, right-click the filter area, select View Source and search for ServiceName. To find the field name to mask, return to the search window, right-click the search area and select View Source. Look for the Widget Info section and find the field name in the search results, excluding the $. Note that the WHERE clause can only apply to fields that are also part of the search results.
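A lint for the Field Masking option values described above, as an added example that is not part of the product or its documentation: it parses the comma-delimited tag string and checks it against the four forms listed, so an entry that would leave a field unmasked (for example, one with no alg tag) is caught before deployment. The algorithm name MASK-ALG, the characteristic type CM-SSN and the rule that any tag outside a listed form is reported are assumptions of this example.

```python
import re

# One key="value" or key='value' tag; quoted values may hold commas and the other quote type.
_TAG = re.compile(r"""\s*(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')\s*(?:,|$)""")

# Documented forms, checked in this order: kind -> (marker tag, required tags, optional tags).
# Reporting any other tag as a finding is an assumption of this example.
FORMS = {
    "search":         ("search", {"search", "field", "alg"}, {"where"}),
    "characteristic": ("CHAR_TYPE_CD", {"CHAR_TYPE_CD", "alg"}, set()),
    "table":          ("table", {"table", "field", "alg"}, {"where"}),
    "schema":         ("field", {"field", "alg"}, set()),
}

def parse_option(value):
    """Split a Field Masking option value into {tag: value}."""
    tags, pos, value = {}, 0, value.strip()
    while pos < len(value):
        m = _TAG.match(value, pos)
        if m is None:
            raise ValueError(f"malformed tag at offset {pos}: {value[pos:]!r}")
        if m.group(1) in tags:
            raise ValueError(f"duplicate tag {m.group(1)!r}")
        tags[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    return tags

def check_option(value):
    """Return (kind, findings); an empty findings list means the value fits a listed form."""
    tags = parse_option(value)
    kind = next((k for k, form in FORMS.items() if form[0] in tags), None)
    if kind is None:
        return "unknown", ["no search, CHAR_TYPE_CD, table or field tag"]
    _, required, optional = FORMS[kind]
    findings = [f"missing or empty {t}" for t in sorted(required) if not tags.get(t)]
    findings += [f"unexpected tag {t}" for t in sorted(tags.keys() - required - optional)]
    return kind, findings

# Constructed sample values in the forms shown above; MASK-ALG and CM-SSN are made-up names.
SAMPLES = [
    'field="CCNBR", alg="MASK-ALG"',
    'table="CI_PER_ID", field="PER_ID_NBR", alg="MASK-ALG", where="ID_TYPE_CD=\'SSN\'"',
    "CHAR_TYPE_CD='CM-SSN', alg=\"MASK-ALG\"",
    'search="SearchServiceName", field="PER_ID_NBR"',  # alg omitted on purpose
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_option(sample), "<-", sample)
```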