You need to ensure that sensitive data such as social security number (SSN) are visible only to human resources staff and to the employee.
- In Dev Studio, create an access control policy for an Apply to class equal to Employee and Action equal to PropertyRead. For more information, see Creating an access control policy.
- Next to the Permit access if field, click the Open icon to create a new Access control policy condition instance.
- Create an access control policy condition named CanViewSSN
to define who can view the SSN value. Enter the
following values. For more information, see Creating an access control policy condition
- Policy condition A = Requestor.AccessGroup = HRApp:HRStaff (the user works in human resources)
- Policy condition B = Requestor.OperatorID = EmployeeID (the user is looking at the user’s own employee record)
- Conditional logic = A OR B
- On the Access control policy instance, in the Permit access if field, enter CanViewSSN.
- Click Add property and in the Property field, enter SSN.
- In the Restriction Method list, select whether to fully mask all values or to
mask only the values in a certain position. For example, you might want to
permit viewing the last 4 digits of the SSN. The value is masked for everyone
except the users who satisfy the condition in step 3c.You can combine property encryption with property masking.