Masking the values of sensitive properties

Updated on July 1, 2021

You need to ensure that sensitive data, such as a Social Security number (SSN), is visible only to human resources staff and to the employee.

Before you begin: Assume that in the Employee class, a property named SSN defines the employee’s Social Security number.
  1. In Dev Studio, create an access control policy for an Apply to class equal to Employee and Action equal to PropertyRead. For more information, see Creating an access control policy.
  2. Next to the Permit access if field, click the Open icon to create a new Access control policy condition instance.
  3. Create an access control policy condition named CanViewSSN to define who can view the SSN value. Enter the following values. For more information, see Creating an access control policy condition.
    a. Policy condition A = Requestor.AccessGroup = HRApp:HRStaff (the user works in human resources)
    b. Policy condition B = Requestor.OperatorID = EmployeeID (the user is looking at the user’s own employee record)
    c. Conditional logic = A OR B
  4. On the Access control policy instance, in the Permit access if field, enter CanViewSSN.
  5. Click Add property and in the Property field, enter SSN.
  6. In the Restriction Method list, select whether to fully mask all values or to mask only the values in a certain position. For example, you might want to permit viewing the last 4 digits of the SSN. The value is masked for everyone except the users who satisfy the condition in step 3c.
    You can combine property encryption with property masking.
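
The read decision and masking configured in the steps above, modelled as an added Python example that can serve as an expected-results matrix when you test the policy. It is not Pega code or a Pega API; the operator IDs, the HRApp:Employees access group, the record values, and the choice to leave separators unmasked are assumptions made for illustration.

```python
# Illustrative model of the CanViewSSN policy; not Pega code.
from dataclasses import dataclass

HR_ACCESS_GROUP = "HRApp:HRStaff"  # access group named in policy condition A


@dataclass(frozen=True)
class Requestor:
    operator_id: str
    access_group: str


def can_view_ssn(requestor: Requestor, employee_id: str) -> bool:
    cond_a = requestor.access_group == HR_ACCESS_GROUP  # works in human resources
    cond_b = requestor.operator_id == employee_id       # viewing own record
    return cond_a or cond_b                             # conditional logic: A OR B


def mask(value: str, visible_last: int = 0, mask_char: str = "X") -> str:
    """Mask letters and digits, optionally leaving the last N visible.
    Separators stay as-is (an assumption of this model)."""
    total = sum(ch.isalnum() for ch in value)
    if total <= visible_last:
        visible_last = 0  # short value: partial masking would reveal all of it
    out, seen = [], 0
    for ch in value:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen > total - visible_last else mask_char)
        else:
            out.append(ch)
    return "".join(out)


def read_ssn(requestor: Requestor, record: dict, visible_last: int = 0) -> str:
    """Return the clear value only when CanViewSSN holds; otherwise mask it."""
    if can_view_ssn(requestor, record["EmployeeID"]):
        return record["SSN"]
    return mask(record["SSN"], visible_last)


if __name__ == "__main__":
    record = {"EmployeeID": "emp042", "SSN": "123-45-6789"}  # constructed sample
    for who in (Requestor("hr001", HR_ACCESS_GROUP),         # HR staff
                Requestor("emp042", "HRApp:Employees"),      # the employee
                Requestor("emp077", "HRApp:Employees")):     # a colleague
        print(who.operator_id, read_ssn(who, record), read_ssn(who, record, 4))
```
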