Creating new masking rules
Important historical context
Prior to July 2024, masking rules were created an applied in an inverse way to this guidance: The default rule allows everyone with page access to see the full value and the second rule prohibits those in the business profile from seeing the full value.
Identify the fields we’re putting masking rules on
Go to the page with the fields you want to mask.
Click in the field you want to mask. Click the Tools menu and select Item Properties.
Note the Data Block (Block), Physical Name (Item), Data Type, Maximum Data Length.
For example, if we want to mask a portion of the birth date in SPAIDEN:
Data Block: SPBPERS
Physical Name: SPBPERS_BIRTH_DATE
Data Type: Date
Maximum Data Length: This field doesn’t have a max data length, but for dates, use 11.
If you repeat this for the SSN/SIN/TIN field, you’ll see that the max data length is 15.
Tell Banner which data we want to mask - GORDMCL
In the Object field, enter the page that displays the fields we want to mask. Click Go.
Click Insert. Refer back to your note to enter the following: Block (Data Block), Item (Physical Name), Data Type, Length (Maximum Data Length). Save.
Create the masking rules - GORDMSK
For each field for which we want to control visibility, we will create two rules:
One default rule. Everyone with access to the screen will have this rule applied. If we’re masking a portion of the birthdate, the first rule will allow NO ONE with access to this screen to see the full birth date.
One rule to make the full value visible for specified users.
To create a new rule:
In the Object field, enter the page that displays the fields we want to mask. Go.
Create the first rule
Click Insert. Enter the Block and Item.
In this example, we want to mask the year for everyone except specified users. In this first rule, we’re making the default such that NO ONE can see the year.
Do you want the field to be visible, invisible, and/or or do you want the data concealed?
Visible means the field itself is visible on the page.
Unchecking Visible makes the field totally not visible. Here’s an example of a field that’s not visible:
Conceal replaces the field’s value with asterisks.. Here’s an example of a concealed field:
In this example we want all users to see the field itself. Select Visible.
If visible and the value is a date, select the format mask
This applies to our current example of the birth date.
On the Format Mask field, click the search button.
Select the format. Because we want to mask the year and display the day and month, select DD/MM.
If visible and the value is not a date, select direction of masking and the unmasked length
Partial Character Unmasked. Imagine there’s a line representing a boundary in the value you want to display.
Left Direction - You want to display everything to the left of your boundary.
Right direction - You want to display everything to the right of your boundary.
Partial Unmasked Length. Identify the number of characters you want to display after/before your boundary.
For example, to display only the last 4 of an SSN, select Right Direction for the Partial Character Masked and 4 for the Partial Unmasked Length.
Select all users. Save.
You can only select ONE of the following per rule: All Users, Business Profile, or User ID.
Create the second rule
Click Insert. Enter the Block and Item.
In this rule we’re specifying the users who can see the full birth date including the year.
Do you want the field to be visible or do you want it concealed?
Visible means the field itself is visible on the page.
Unchecking Visible makes the field totally not visible.
Conceal replaces the field’s value with asterisks.
In this example, we want all users to see the field on the page. Select Visible.
Select the Business Profile or User this rule should apply to
Select the Business Profile to which this restriction should apply. A business profile represents a group of users. The users that should see the full birth date are in the TUL_DOB_USERS. (Note: TUL_DOB_USERS is fictional and does not exist in PROD. It was created to demonstrate this procedure.)
If your masking rules should apply to those not in the TUL_DOB_USERS, determine if there’s another existing business profile that you can use or create a new business profile (GTVFBPR, GOAFBPR) and assign users to the business profile.
After selecting the business profile, Save.
If you want this rule to apply to a specific user, rather than entering a Business Profile, enter their user ID in the User ID field and Save.
You can only select ONE of the following per rule: All Users, Business Profile, or User ID.
Test
Identify users
Identify a user in the business profile selected in the second rule and a user NOT in the business profile selected in the second rule.
Impersonate each in the TEST environment.
Expected results
The user IN the business profile should see the full value. In this example, they would see the full birth date in SPAIDEN.
The user NOT IN the business profile should only see the masked value.