User Interface Masking
The functionality described in this section is used to take data that is stored in plain text in the database and mask the value before it is presented to a user (or an external system). This feature includes the ability to allow some users to view the data unmasked using security configuration. The system allows different masking rules to be applied to different fields. For example, a credit card number can be masked differently than a social security number.
The following topics describe how to mask field values.
Identify the Data to be Masked
Identify the data that is stored as plain text, but should be masked for display to users. For example, imagine that you have identified that Credit Card Numbers and a person’s federal ID number (for example, in the United States, the Social Security Number or SSN). Each field identified may be displayed and maintained in different user interfaces throughout the system, but the masking rules for a given field are probably uniform regardless of where the data is displayed.
Primary keys cannot be masked. A field defined as a unique identifier of a row cannot be configured for masking. Masking a field that is part of the primary key causes a problem when attempting to update the record. This restriction also applies to elements that are part of a "list" in an XML column on a maintenance object. One or more elements in the list must be defined as a primary identifier of the list. Be sure that primary key elements in the list are not ones that require masking.
List members that contain different "types". Consider a page with a list that contains a person's identification numbers. You can set up the system so that a person's social security number has different masking rules than their drivers license number. If your implementation has this type of requirement, the list of masked fields should contain an entry for each masking rule.
For each field, if there are some users that may see the data unmasked on one or more of the user interfaces, then security configuration is required. If the value of a field should be masked for all users across all pages in the application, then the security configuration is not needed.
Security Configuration
Define a security type for each field with two authorization levels:
1 - Can only see the element masked
2 - Can only see the element unmasked
Link all of the security types to an application service of your choosing. We recommend linking every masking-oriented security type to a single application service (e.g., CM_​MASK) as it makes granting access easier.
For each security type, identify which users can see its data unmasked and which users can only see its data masked. If the masked and unmasked users fit into existing user groups, no additional user groups are necessary. Otherwise, create new user groups for the masked and unmasked users.
After the user groups for each security type are defined, link each user group to the application service defined above. When a user group is linked to the application service, you will define the authorization level for each security type linked to the application service. If a user group's users should see the security type's field values unmasked, set the authorization level to 2; otherwise set it to 1.
Note:
Flush the cache. Remember that any time you change access rights you should flush the security cache (by entering flushAll.jsp on the URL of the application) if you want the change to take effect immediately.
Configure a Masking Algorithm
A data masking algorithm (using the algorithm entity value of Feature Configuration - Data Masking) must be created for each combination of masking rules and security type. These algorithms determine if a user has the rights to view a given field unmasked, and, if not, how the field should be masked.
The base package provides the algorithm type F1-MASK whose parameters are designed to handle most masking needs. If certain users may see the data unmasked, parameters capture the application service, security type and authorization level defined above used to evaluate this. In addition, parameters allow you to configure how much of the data to mask, what masking character to use. Refer to the algorithm type description for more information.
Determine How the Fields are Displayed
The masking configuration differs based on how a field is retrieved for access to the user interface. So for the masking of one “logical” field (like a person’s SSN), there may be multiple configuration entries required to cover all the access methods. Review each user interface where a given field is displayed and create the following categories:
The field is an element that is retrieved by invoking a business object, a business service, or a service script
The field is displayed on a fixed maintenance page (and is therefore retrieved by invoking a page service)
The field is displayed on a fixed search page (and is therefore retrieved by invoking a search service)
The field is stored as an ad hoc characteristic
Create a Feature Configuration for Each Masked Element
Create a feature configuration with a Feature Type of Data Masking. An option entry with option type of Field Masking is needed for every combination of field to mask and the method used to display the data. The value will contain mnemonics that reference the appropriate data masking algorithm along with configuration that differs depending on how the field is retrieved for display as described below.
Schema Based Object Field Masking
For data that is accessed via a schema-based object call and displayed in a UI map, the field to be masked must reference a meta-data field name in its schema definition: field="fld_​name", alg="algorithm name"
If the element references an mdField in the schema, that is the field used to identify the masking rule. If there is no mdField reference but only a mapField reference, that is the field used to identify the masking rule. For example, if you want to mask a credit card number, let's assume that field is defined in the schema is the following:
<creditCard mdField="CCNBR" mapField="EXT_ACCT_ID"/>
In this case, the option value should be field="CCNBR", alg="algorithm name". An option value of field="EXT_​ACCT_​ID", alg="algorithm name" would not result in masking.
A "where" clause may also be specified. This is useful for data that resides in a list where only data of a certain type needs to be masked: field="fld_​name", alg="algorithm name", where="fld_​name='value'"
For example, person can have a collection of IDs and only IDs of type 'SSN' (social security number) should be masked. If the person data including its collection of person IDs is displayed on a UI map via a business object call, let's assume the collection is defined in the following way:
<personIDs type="list" mapChild=CI_PER_ID">
  <isPrimaryId mapField="PRIM_SW"/>
  <idType mapField="ID_TYPE_CD"/>
  <personIdNumber mapField="PER_ID_NBR"/>
</personIds>
The option value may look like this: field="PER_​ID_​NBR", alg="algorithm name", where="ID_​TYPE_​CD='SSN'"
Please note the following important points for schema based masking:
Limitation of 'where' field Although the main use of a 'where' clause for schema oriented elements is to mask certain elements in a list based on a 'type', it is also possible to mask a single field in the schema based on the value of another field. For example, imagine that a customer submits a registration form that defines an ID type and ID value. Although this data is not in a list, the implementation may still want to only mask the ID value if the ID type is "SSN". The framework is only able to mask an element in the schema based on a 'where' clause if the element in the 'where' clause is a "sibling" in the schema.
If the element to be masked is in a list, the element in the 'where' clause must be in the same list.
If an element to be masked maps to a real column in a table, the element in the 'where' clause must also map to a real column in the table.
If an element to be masked maps to and XML column in the table as a single element, the element in the 'where' clause must map to the same XML column as a single element.
Multiple feature option entries for the same field. It's possible that different schemas in the system have a similar type of data that may be masked based on different conditions. For example, imagine that an implementation has different schemas that captured or referenced person identifiers in different ways:
One schema captures a single person ID without any corresponding "type" record and it should always be masked using Algorithm CM_​SSN_​MASK:
<personSSN mapXML=BO_DATA_AREA mdField=PER_ID_NBR/>
One schema captures a person ID and a corresponding ID Type and it should be masked with Algorithm CM_​SSN_​MASK if the type is "SSN" and masked with algorithm CM_​FEIN_​MASK if the type is "FEIN".
<personIdType mapXML=BO_DATA_AREA mdField=ID_TYPE_CD/>
<personId mapXML=BO_DATA_AREA mdField=PER_ID_NBR/>
One schema captures a person ID and a corresponding ID Type and it has the same masking rules as the previous schema, but a different field name is used for the ID Type code. (This scenario could happen if for example a different label is desired for ID Type on the user interface for this schema.)
<personIdType mapXML=BO_DATA_AREA mdField=CM_ID_TYPE/>
<personId mapXML=BO_DATA_AREA mdField=PER_ID_NBR/>
For this scenario, the feature options may look like this:
1. field="PER_​ID_​NBR", alg="CM_​SSN_​MASK"
2. field="PER_​ID_​NBR", alg="CM_​SSN_​MASK", where="ID_​TYPE_​CD='SSN'"
3. field="PER_​ID_​NBR", alg="CM_​FEIN_​MASK", where="ID_​TYPE_​CD='FEIN'"
4. field="PER_​ID_​NBR", alg="CM_​SSN_​MASK", where="CM_​ID_​TYPE='SSN'"
5. field="PER_​ID_​NBR", alg="CM_​FEIN_​MASK", where="CM_​ID_​TYPE='FEIN'"
For each schema, the system will first find whether the element applies to any masking option. It will find 5 masking options for the field PER_​ID_​NBR. Then it will determine if any sibling elements match the 'where' clause.
If more than one sibling element matches a 'where' clause, a runtime error is issued. For example if a schema has an element that references "mdField=ID_​TYPE_​CD" and an element that references "mdField=CM_​ID_​TYPE", this is an error. Additionally, if multiple elements reference mdField=ID_​TYPE_​CD", this is an error.
If one and only one sibling element matches a 'where' clause, the value of the element is compared to the values defined in the 'where' clause. If it finds a match on the value, the appropriate masking algorithm is applied. If no match is found (for example, the Person ID Type is "LICENSE") the element is displayed as is.
If no sibling element matches a 'where' clause and a feature option exists with no 'where' clause (option 1 above), then the masking algorithm of the option with no 'where' clause is applied.
Changing the value in the 'where' clause. If your implementation has some users that are allowed to change records where some data is masked based on a condition, it is recommended to design the user interface to reset the masked value when the value in the 'where' clause changes. For example, if a user is prevented from viewing a person's social security number, but the user is allowed to make updates to the person's record, changing the value of the Person ID Type should reset the Person ID Number. This would ensure that the user does not 'unmask' the social security number by simply changing the ID Type.
Records Maintained Using Page Maintenance
For data that is accessed via a page maintenance service call, indicate the table name and the field name where the data resides: table="table_​name", field="fld_​name", alg="algorithm name"
For example if the Person record and its collection of identifiers are displayed and maintained using page maintenance, the option value should be table="CI_​PER_​ID", field="PER_​ID_​NBR", alg="algorithm name"
A "where" clause may also be specified: table="table_​name", field="fld_​name", where="fld_​name='value'", alg="algorithm name"
This is useful for data that resides in a child table where only data of a certain type needs to be masked. For the person ID example, table="CI_​PER_​ID", field="PER_​ID_​NBR", alg="algorithm name", where="ID_​TYPE_​CD='SSN'"
Characteristic Data
For data that is stored as a characteristic, simply indicate the characteristic type: CHAR_​TYPE_​CD='char type', alg="algorithm name"
This needs to be defined only once regardless of which characteristic entity the char type may reside on. Note that only ad-hoc characteristics are supported.
Masking Fields in Explorer Zones or Info Strings
In explorer zones data is often retrieved using SQL directly from the database. No masking is applied automatically in this case. If there is data in the explorer zone results that should be masked, the masking must be applied by calling a business service.
Similarly, an MO Info algorithm may not use BO interaction to get data. It may access data using SQL for efficiency purposes. No masking in applied when retrieving data via SQL. To apply masking to a string prior to including it in an info string, the masking must be applied by calling a business service.
The system supplies two business services to be called to determine if masking rules apply for a specific field.
F1-TableFieldMask. Mask a Table field. This business service receives a table name, field name and one or more field values. If masking applies it returns the masked value.
F1-SchemaFieldMask. Mask a Schema field. This business service receives a schema name and type, XPath and field value. If masking applies it returns the masked value.
Search Service Results
For data that is displayed on a 'fixed' search page, it is retrieved via a search service call. Indicate the search name and the appropriate field to mask along with the masking algorithm. For example: search="SearchServiceName", field="PER_​ID_​NBR", where="ID_​TYPE_​CD='SSN'", alg="algorithm name"
To find the name of the search service, launch the search in question, right click in the filter area and choose Inspect. Search for "serviceName". The service name is listed there. To find the field name to mask, search for "Widget Info". There should be two results found, one for the filter area and one for the results area. This results area has the text "SEARCH_​RESULTS" as prefix for each field. The field names are the ones after the x$. Do not reference the x$ when defining the field name. Note, the "where" statement can only apply to fields that are also part of the search results.
Additional Masking Information
The following points provide additional information to assist in your masking configuration:
If the demonstration database includes a Data Masking feature configuration, review the settings because it will probably contain masking rules that will match your own.
On data input pages, a user might be able to enter or change masked data, such as a bank account number, but not be able to subsequently see what they added or changed.
External systems can request information by performing a service call via a web service. Please keep in mind that some web service requests require data to be masked and some do not. For example, a request from an external system to synchronize person information needs the person's social security number unmasked; whereas a request from a web self service application to retrieve the same person information for display purposes needs the person's social security number masked. To implement this type of requirement, different users must be associated with each of the requests and these users must belong to separate user groups with different access rights.
If a maintenance object (MO) contains a field that holds an XML document and a service call invokes the MO's service program directly, the system will mask individual XML elements in the field if a Determine BO algorithm has been plugged into the maintenance object and the element(s) in the respective BO schema have been secured as described above.
Parent topic 
Encryption and Masking