X

Data Masking in Fusion Applications

In Release 10 of Fusion Applications, Oracle Data Masking for Fusion HCM Security Cloud Service is offered as an optional subscription service for Fusion HCM Cloud customers.  Release 11 extends this to include ERP and Sales Cloud products, masking PII attributes in tables owned by these products.

Data masking, also known as data scrambling or data anonymization, is the process of obscuring sensitive information copied from a production database with realistic, scrubbed data based on masking rules, to a test or non-production database. Data masking is ideal for any situation where confidential or regulated data needs to be shared with non-production users who need access to the original data, but not necessarily to every column of every table. Examples of non-production users include internal application developers or external business partners, such as offshore testing companies, suppliers or customers.

Customers can submit a data masking service request as part of an environment refresh request. Personally Identifiable Information (PII) data are removed or masked in the Applications schema, and removed from temporary tables, interface tables and audit shadow tables including workflow notifications. In addition, links to attachments are removed, thus removing access to these attachments from the user interfaces. Data masking is run after the environment refresh and released to customers after the masking process is complete.

Data Masking in Release 10 Fusion Applications

Data Masking in Release 10 of Fusion Applications is designed to mask specific sensitive personal data or PII attributes. Different masking rules are applied for these attributes to ensure the masked data does not fail validation when the same is queried in Fusion Applications user interfaces. PII attributes covered by data masking are:


  • Person Name
  • Person Telephone Number
  • Date of Birth
  • Date of Death
  • Country / Town / Region of Birth
  • Address
  • Bank Account Number 
  • Credit Card Number
  • Instant Messaging / Email Address
  • Passport Number, Visa or Work Permit details
  • Tax Registration Number or National Taxpayer Identifier

Customers are strongly encouraged to use the principle of least privilege when granting users access to a masked database by restricting the access privileges. Users should be granted only those privileges that are necessary to complete their work.

There are some scenarios that are not addressed by the Oracle Data Masking for Fusion Applications.

  • Underlying identities are not masked in the Fusion schema; therefore, it is possible to associate internal database IDs with identities and infer those identities in the masked database.
  • User login accounts are not masked; therefore, certain formats such as firstname.lastname may reveal identities in the masked database.
  • Other sensitive information, such as compensation, performance and benefits are not masked.
  • Running Payroll on a masked database may not fetch valid results as any PII attributes related to payroll calculation are scrambled.

Ensure you understand the limitations with using masked data before requesting data masking service.  Masking data may not be helpful in certain scenarios which include:

  • Testing payroll calculation or other processes that uses data masked by data masking service
  • Verifying interfaces to downstream systems that require real or original (unmasked) data

More information and references can be found in My Oracle Support (MOS) Doc ID 1534683.1

Join the discussion

Comments ( 11 )
  • guest Thursday, June 2, 2016

    This article refers to Release 10 but we are still on Release 8 and due to upgrade later this year. Can anyone please confirm that the Data Masking process described here is identical for both Release 8 and 10?


  • guest Monday, June 6, 2016

    Data masking is offered as a subscription service, only from Release 10 for HCM Cloud.


  • guest Thursday, June 16, 2016

    Hi,

    We need to understand about this process. Will oracle do data masking throughout the volume with same masked data as shown in above example or assorted masked data. Basically we want ot keep some meaningful value rather than having all the email address similar and all the first name similar.


  • naji bejjani Friday, July 15, 2016

    My client is asking to data mask 'salary details' , this is not a standard option field that Oracle usually masks , is this a possibility? what are the options available to my client here?


  • guest Monday, July 18, 2016

    It is not the same masked data used all through, but different rules are

    applied for different attributes with an objective to keep the data usable but

    sensitive PII information masked. For example, while the email address used is

    same throughout, one has the ability to replace these email addresses for a

    smaller data set using the respective UIs after masking operations. First Names are shuffled using the first names present in the system.


  • guest Monday, July 18, 2016

    Masking service supports masking of PII attributes only at this time.


  • Damien Latour Friday, August 19, 2016

    Is the scope broader in R11? (ie salary, performance)

    Best regards


  • guest Friday, August 19, 2016

    Scope is extended to cover masking of PII attributes in ERP and CRM, alongwith HCM.


  • guest Monday, December 19, 2016

    Hi

    Can a customer opt to 'Not' mask First name & Last name and apply data masking for all other fields?


  • guest Wednesday, February 15, 2017

    Are there any updates on the data that is being masked as of R12? And will this service be customizable through templates in the future the way it is in the on-premise offering?


  • guest Wednesday, February 15, 2017

    Customizations to the standard masking template is not supported at this stage.


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.