Oracle provides features and functionality to secure and mask sensitive information such as Personal Identifiable Information (PII) and Payment Information. There are instances where customers may want to hide additional information falling outside the scope of the standard functionality.
This post provides instructions on how to use an EL in the component properties to mask data based on the user’s access. Previous experience working with the Page Composer and Security Console is required to carry out this customization.
It is important to note that this customization does not include any encryption or tokenization of the underlying data and the data remains accessible from other pages, standard BIP reports, Dashboards, REST services etc.
In this step we create a simple abstract role using the Security Console. This role is used only by our page customization to check whether a user has been granted it, so there is no need to add any functional or data security policies to the role.
You will need the required administrator privileges to access Page Composer. Once these have been assigned to your user, open the required page and, from the administration menu, click the action link 'Edit Pages'.
Click on the 'Select' tab in the Page Composer menu.
Select the field you want to mask and then click on the 'Edit Component' action.
Under Component Properties, click the drop-down list next to Value and select Expression Builder.
In this example we use the expression to mask the person name only if both of the following conditions are met:
The user has NOT been assigned the abstract role created in the earlier step
The expenditure type equals 'Professional', which identifies expenditure items containing sensitive hourly rate information for contractors
Where:
securityContext.userInRole['<Role Name>'] returns true if the specified role has been assigned to the user, otherwise false
row.<attributename> returns the value assigned to the outputText for the current row
== is the operator for comparing values
? : is the if/then/else (ternary) operator
Using the above, we apply the following logic:
IF the role 'XXX_PJC_VIEW_PERSON_NAME_ABSTRACT' has been assigned to our user (the user has access), THEN we display the value currently assigned to the outputText for the person name:
securityContext.userInRole['XXX_PJC_VIEW_PERSON_NAME_ABSTRACT']==true? row.PersonNameDisplayValue
ELSE the role has NOT been assigned, and we proceed to check whether the expenditure type equals 'Professional'. If the outputText value for the expenditure type is 'Professional', THEN we override the person name with '***':
: row.ExpenditureTypeDisplayValue=='Professional'? '***'
ELSE the expenditure type is not 'Professional' and there is no need to mask the person name, so we display it unchanged:
: row.PersonNameDisplayValue
Below is the full sample expression that achieves this (the ? : operator is right-associative, so the second test is evaluated only when the role check is false):
#{securityContext.userInRole['XXX_PJC_VIEW_PERSON_NAME_ABSTRACT']==true? row.PersonNameDisplayValue : row.ExpenditureTypeDisplayValue=='Professional'? '***' : row.PersonNameDisplayValue}
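To make the three branches of the expression easy to check, the following Python model is added here as an example; it is not code from the original post or from Oracle. It mirrors the nested EL ternary as plain if/else logic, stands in for securityContext.userInRole with a set of role names, and runs the decision over a few constructed sample rows. The row values and the helper names (user_in_role, masked_person_name, render_column) are assumptions made for this illustration; only the role name and the two attribute names come from the expression above.

```python
# Added example: a Python model of the Page Composer EL expression
#   #{securityContext.userInRole['XXX_PJC_VIEW_PERSON_NAME_ABSTRACT']==true
#       ? row.PersonNameDisplayValue
#       : row.ExpenditureTypeDisplayValue=='Professional' ? '***'
#       : row.PersonNameDisplayValue}
# Everything below except the role and attribute names is constructed for
# illustration and is not part of the original post.

ROLE_NAME = "XXX_PJC_VIEW_PERSON_NAME_ABSTRACT"
MASK = "***"
SENSITIVE_EXPENDITURE_TYPE = "Professional"


def user_in_role(user_roles, role_name):
    """Stand-in for securityContext.userInRole['<Role Name>'].

    user_roles is the set of role names granted to the current user
    (a constructed substitute for the real security context).
    """
    return role_name in user_roles


def masked_person_name(user_roles, row):
    """Return the value the outputText would render for one row.

    The EL ternary is right-associative, so the expenditure-type test is
    reached only when the role check is false. Missing attributes are
    treated like EL's null: the comparison simply evaluates to false.
    """
    person_name = row.get("PersonNameDisplayValue")
    if user_in_role(user_roles, ROLE_NAME):
        # Branch 1: user holds the abstract role, show the real name.
        return person_name
    if row.get("ExpenditureTypeDisplayValue") == SENSITIVE_EXPENDITURE_TYPE:
        # Branch 2: no role and a sensitive expenditure type, mask it.
        return MASK
    # Branch 3: no role but nothing sensitive on this row, show the name.
    return person_name


# Constructed sample rows, as the page's table might supply them.
SAMPLE_ROWS = [
    {"PersonNameDisplayValue": "Jane Doe",
     "ExpenditureTypeDisplayValue": "Professional"},
    {"PersonNameDisplayValue": "John Smith",
     "ExpenditureTypeDisplayValue": "Travel"},
    {"PersonNameDisplayValue": "Ana Lima",
     "ExpenditureTypeDisplayValue": "Professional"},
]


def render_column(user_roles, rows=SAMPLE_ROWS):
    """Render the person-name column for a user, one value per row.

    Note that the rows themselves are never modified: the mask is applied
    at render time only, which is exactly the limitation the post describes.
    """
    return [masked_person_name(user_roles, row) for row in rows]


if __name__ == "__main__":
    print("without role:", render_column(set()))
    print("with role:   ", render_column({ROLE_NAME}))
```

Running the block prints the masked column for a user without the role and the unmasked column for a user who holds it; inspecting SAMPLE_ROWS afterwards shows the underlying values unchanged, which is why the same data stays readable through reports or REST.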
This design pattern masks data at the UI level for a specific page using Page Composer. The underlying data remains accessible through other methods (other pages, BIP reports, dashboards, REST services), so careful consideration must be given to whether this meets your own security requirements.