
TRAG R&A-Query Masking of Personally Identifiable Information (PII)

By Dede Young posted 09-08-2021 02:10 PM

  

With PeopleTools 8.58.02 comes the functionality to mask personally identifiable information within query results.  This article will review the steps in setting up query masking in your PeopleSoft environment.

To configure query masking, the user must have the security role Data Privacy.  This role includes two permission lists, EODP1000 and EODP1010.

Role: Data Privacy
PLs: EODP1000, EODP1010

EODP1000
Menu: EODP_FRAMEWORK_FL
Components:

If any of these components are missing from the permission lists, they will need to be added.  To add the additional components, navigate to PeopleTools > Portal > Structure and Content.  Scroll down and select Enterprise Components.  Scroll down the list of Enterprise Components and select Data Privacy Framework.

On the Data Privacy Framework page, click Edit relative to Query Masking in the ‘Folders’ section, then click on the Folder Security tab.  Add the permission lists (EODP1000, EODP1010).

Navigate back to the Data Privacy Framework page and click on Query Masking in the ‘Folders’ section.

On this page, click the Add Content Reference link below the ‘Content References’ section.  Add the missing components (see below), if necessary.  On the General tab:

On the Security tab, add the permission lists:

On the Fluid Attributes tab, identify relevant information, if desired.

Before query masking can take effect, data fields in the SIS need to be identified as personally identifiable information (PII).  This is done on Enterprise Components > Data Privacy Framework > Maintain Data Privacy Settings.  Notice that this, and the other Query Masking-related pages, are fluid pages.

Note the different search options.  One obviously personally identifiable piece of information is Social Security Number, or National ID within PeopleSoft.  For example, a search can be performed on the field NATIONAL_ID to view all of the entries into the Maintain Data Privacy Settings list for that field. 

SCC_PERS_NI_QVW is a common record used within SR reporting at some institutions.  The example above shows the addition of this record, specifically the field NATIONAL_ID, to the Maintain Data Privacy Settings list.  To find out more about adding PII fields, view Chapter 13 of the April 2021 release PeopleSoft 9.2: Enterprise Components.

Once the PII fields are identified in the Maintain Data Privacy Settings page, access the Query Masking pages by navigating to Enterprise Components > Data Privacy Framework > Query Masking.

To enable query masking, select the System Settings page, and select Yes to enable query masking.

Navigate to Enterprise Components > Data Privacy Framework > Query Masking to identify, by security role, who should have access to the PII.  For example, at Northern Illinois University, the custom role NIU_CS_SR_REPORTING_WRITE_QRY is assigned to few users who have administrative query writing access, including the highest level of access on the SR query tree access group.  This role should be granted access to PII.  Another role, NIU_CS_SR_QUERY_CAMPUS, is a role allowing distributed college and department users access to a select set of custom views used to write a series of ‘campus queries’, to which those users have view/run-only access.  That role should not be granted access to PII.

Once an authorized role is added, records and fields need to be identified.

Once the roles/fields are added, all authorized role data will appear on the Authorized Roles page.

The last entry on the page in this example is a custom view written for campus queries, limited to users with the NIU_CS_SR_QUERY_CAMPUS role, but that is not the role associated with the view in this list.  Therefore, campus query users should not have access to birthdate, but query administrators with the role listed should.

The next step is to sync the masked fields by navigating to Enterprise Components > Data Privacy Framework > Query Masking > Run Data Sync.

Choose the appropriate ‘Synchronize Data Privacy Settings’ options and click Run to run the process EODP_QRYMSK. 

Query Masking is ready to be used with the records and fields identified in Maintain Data Privacy Settings.

When a user with an authorized role runs a query with a PII field that has been identified to be masked, the PII will appear.

When a user without an authorized role runs the same query, the selected masking character will appear instead of the PII.
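
Because the masking outcome depends entirely on role membership, it is worth auditing who holds the roles involved. The queries below are an added example, not part of the original article or of PeopleSoft's delivered code: they read the PeopleTools security tables PSROLECLASS, PSAUTHITEM, PSROLEUSER and PSOPRDEFN. They assume read access to the database, and the NIU role names are the ones used in this article, so substitute your own.

```sql
-- 1. Permission lists attached to the Data Privacy role, with the number of
--    components each one authorizes on the EODP_FRAMEWORK_FL menu.
--    A count of 0 means that permission list grants nothing on that menu.
SELECT rc.ROLENAME,
       rc.CLASSID,
       COUNT(DISTINCT ai.BARITEMNAME) AS FRAMEWORK_COMPONENTS
FROM   PSROLECLASS rc
LEFT JOIN PSAUTHITEM ai
       ON  ai.CLASSID  = rc.CLASSID
       AND ai.MENUNAME = 'EODP_FRAMEWORK_FL'
WHERE  rc.ROLENAME = 'Data Privacy'
GROUP BY rc.ROLENAME, rc.CLASSID
ORDER BY rc.CLASSID;

-- 2. Unlocked accounts that can change the masking configuration
--    (Data Privacy) or that see unmasked PII (the authorized role).
SELECT ru.ROLENAME,
       ru.ROLEUSER,
       od.OPRDEFNDESC
FROM   PSROLEUSER ru
JOIN   PSOPRDEFN  od ON od.OPRID = ru.ROLEUSER
WHERE  ru.ROLENAME IN ('Data Privacy', 'NIU_CS_SR_REPORTING_WRITE_QRY')
AND    od.ACCTLOCK = 0            -- 0 = account not locked
ORDER BY ru.ROLENAME, ru.ROLEUSER;

-- 3. Campus query users who also hold the PII-authorized role.
--    These accounts run campus queries as authorized users, so each
--    one should be a deliberate assignment.
SELECT campus.ROLEUSER
FROM   PSROLEUSER campus
JOIN   PSROLEUSER pii
       ON  pii.ROLEUSER = campus.ROLEUSER
       AND pii.ROLENAME = 'NIU_CS_SR_REPORTING_WRITE_QRY'
WHERE  campus.ROLENAME = 'NIU_CS_SR_QUERY_CAMPUS'
ORDER BY campus.ROLEUSER;
```

Rerunning these after each security change gives a record of who could see unmasked PII at that point in time.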

To change the masking character, navigate to PeopleTools > Utilities > Administration > Query Administration.  Select the ‘Settings’ tab and change the masking character, if desired.


Be sure to use an appropriate character!  For example, exclamation marks may not be the best choice.



