Internal Data Masking
By Acshorten-Oracle on Oct 15, 2012
By default, the data in the product is unmasked for authorized users. If particular data within the object is considered a candidate for data masking then the masking capabilities with the product can be used to mask the data in an appropriate fashion.
The inbuilt Data Masking capabilities of the Oracle Utilities Application Framework uses a number of configuration elements:
- An algorithm, of type F1-MASK, is specified to configure the elements of the data masking including the masking character, number of suffix characters left unmasked, characters to ignore in the string, the application service, security type and authorization levels applicable to the mask.
- A Data Masking Feature Configuration is created to define where the algorithm applies.
- The specification of the feature allows you to define the fields to encrypt using the configured algorithm. The algorithm can be attached to a schema field, table field, characteristic, search field and even a child record (such as an identifier).
- The appropriate user groups are then connected to the application services with the appropriate service types and level to indicate whether the masking applies to the user group or not.
For example, say there is a field called CCNBR in the product which holds the credit card details. I would create an algorithm, say CCformatCC, to mask the credit card number with the last few digits as unmasked (as the standard in most systems dictate). I would specify on the Field Mask the following:
On the algorithm CMfomatCC, I would specify the mask, application service, security type and the authorization level which users would see the credit card unmasked.
To finish the configuration off and to implemention I would connect the appropriate user groups to the application service I specified with the security type and appropriate authorization level for that group.
Whenever a user accesses the CCNBR field on any of the maintenance screens, searches and other screens that use the CCNBR meta data definition would then be masked according to the user group that the user was a member of.
Refer to the documentation supplied with F1-MASK algorithm type entry for more examples of what is possible.