This graphic shows how sensitive data is masked on a response.
On the inbound request, OWSM enforces the request policy and performs the appropriate authentication and authorization for user Bob Doe. If the request is permitted, OWSM passes the payload to the service provider. During response processing, OWSM invokes the oracle/binding_oes_masking_policy to determine if there is any sensitive data that needs to be masked. The data masking rules defined in OES take into consideration the client information, the current subject, resource action, and so forth. For each payload attribute, OES responds with Obligations that specify whether the attribute should be passed as-is or masked. OWSM honors these obligations in the response back to the client.