X

Best Practices from Oracle Development's A‑Team

Using Expression Language (EL) in Page Composer to Mask Data based on a Custom Role

Introduction

Oracle provides features and functionality to secure and mask sensitive information such as Personal Identifiable Information (PII) and Payment Information. There are instances where customers may want to hide additional information falling outside the scope of the standard functionality.

This post provides instructions on how to use an EL in the component properties to mask data based on the user’s access. Previous experience working with the Page Composer and Security Console is required to carry out this customization.

It is important to note that this customization does not include any encryption or tokenization of the underlying data and the data remains accessible from other pages, standard BIP reports, Dashboards, REST services etc.

Creating an Abstract Role

In this step we create a simple abstract role using the security console. This role will only be used in our page customization to check if a user has been granted access to the role, there is no need to add any functional or data policies to this role.

Edit the Page

You will need the required adminstrator privileges to access the page composer. Once these are assigned to your user open the the required page and from the administrators menu click on the action link 'Edit Pages'.

Click on the ‘Select’ tab in the page composer menu.

Select the field you want to mask and then click on the 'Edit Component' action.

Under Component Properties click on the drop down list for value and select Expression Builder.

 

In this example we will be using the expression to mask the person name only if the following conditions are met:

The user has NOT been assigned the abstract role created in the earlier step

The expenditure item type equals “Professional” which identifies expenditure items containing sensitive hourly rate information for contractors

Where

securityContext.userInRole[‘<Role Name>'] returns a true or false if the role specified has been assigned to the user

row.<attributename> returns the value assigned to the outputText for the row

== is an operator used for comparing values

? : is used for if/then/else

Using the above we apply the following logic

IF the role ‘XXX_PJC_VIEW_PERSON_NAME_ABSTRACT’ has been assigned to our user, our user has access THEN we display the value currently assigned to the outputText for the person name.

securityContext.userInRole['XXX_PJC_VIEW_PERSON_NAME_ABSTRACT']==true? row.PersonNameDisplayValue

ELSE the role has NOT been assigned and we proceed to check if the expenditure type  equals ‘Professional’. If the outputText value assigned is ‘Professional’ THEN we override the person name with ‘***’

: row.ExpenditureTypeDisplayValue=='Professional'? '***'

ELSE the expenditure type is not equal to ‘Professional’ and there is no need to mask the person name

: row.PersonNameDisplayValue

Below is the full sample expression to achieve this

#{securityContext.userInRole['XXX_PJC_VIEW_PERSON_NAME_ABSTRACT']==true? row.PersonNameDisplayValue : row.ExpenditureTypeDisplayValue=='Professional'? '***' : row.PersonNameDisplayValue}

Summary

This design pattern allows for the masking of data at a UI level for a specific page using Page Composer, this data will remain accessible using alternative methods and careful consideration must be given to evaluate if this meets your own security requirements.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha

Recent Content