Change Field Mask (CHGFLDMSK)

The Change Field Mask (CHGFLDMSK) command allows authorized users to change the mask for a field in the Field Encryption Registry.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has a *YES specified for the "Maintain Field Enc. Registry" authority setting

This command requires the user to have *CHANGE authority to the CRVL002 Validation List (*VLDL) object which contains the Field Encryption Registry.

NOTE: The CHGFLDMSK command only changes the field entry settings in the registry. It will not cause any action to be performed on the actual database field in the file.

How to Get There

From the Field Encryption Menu, choose option 4. Or, submit the command CHGFLDMSK.

Options

Field identifier (FLDID)

Indicate the Field identifier to change the mask for.

Mask option (MASKOPT)

Indicate the mask option to use for the field when the masked value is requested on a decrypt operation.

The possible values are:

*NONE No masking is performed.
*OPTION1 Exact positions within the field value can be shown or masked using the FLDMASK parameter.
*OPTION2 Only a specified number of digits or characters are shown on the left and right sides of the field using the DIGLEFT and DIGRIGHT parameters. Specify the masking character to use in the FLDMASKV parameter. When using field procedures, you must specify a masking character of 1-9, as only numbers are allowed in numeric fields. Examples when DIGLEFT(4) and DIGRIGHT(4) are specified with FLDMASKV(9) when using field procedures:
  • String ' 1234567890123456' is masked as ' 1234999999993456'
  • String '1234567890123456 ' is masked as '1234999999993456 '
  • Numeric 001234567890123456 is masked as 001234999999993456
  • Numeric 1234567890123456 is masked as 1234999999993456

If you are not using field procedures, a non-numeric masking character such as FLDMASKV(#) can be used, for example:

  • String ' 1234567890123456' is masked as ' 1234########3456'
  • String '1234567890123456 ' is masked as '1234########3456 '
  • Numeric 001234567890123456 is masked as 001234########3456
  • Numeric 1234567890123456 is masked as 1234########3456
*OPTION3 Used for Date, Time and Timestamp fields. The value entered will be used as the mask value. The mask value must be a proper Date, Time or Timestamp value for the field being masked. It is recommended to specify a mask value that does not conflict with an existing value in your database. For instance, for a date field, you may want to specify a mask value with a high value date of 9999-12-31.

Examples:

  • Date '9999-12-31'
  • Time '24.00.00'
  • TimeStamp '9999-12-31-24.00.00.000000'

NOTE: When specifying *OPTION3, you should not specify a not-authorized fill value.

Field mask (FLDMASK)

Indicate the masking format to apply to the field when the masked value is requested on a decrypt operation. Valid for MASKOPT(*OPTION1) masking.

Specify the number 9 in a position to show the underlying value for that position. Specify any other character (including spaces) or number in a position to mask the underlying value for that position.

For example, if a mask of '************9999' is specified for a credit card number, then a sample of a masked credit card number would be '************1234'.

As another example, if a mask of '##99##999' is specified for an account number, then a sample of a masked account number would be '##76##541'.

When the field type is numeric, only the whole-number part is masked; the decimal positions are not. The mask must not be longer than the whole-number length. When using field procedures the mask value must be numeric. For example, if a mask of '779977999' is specified for an account number, then a sample of a masked account number would be '774577541'.
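As an added example that is not part of the product or of this documentation, the following Python models the *OPTION1 rule above and the *OPTION2 rule from the MASKOPT parameter (DIGLEFT, DIGRIGHT, FLDMASKV) and checks them against the sample values on this page; the function names, the requirement that an *OPTION1 mask cover the masked part exactly, and the behaviour when DIGLEFT plus DIGRIGHT covers the whole value are assumptions.

```python
# Added example, not Powertech Encryption code: a plain-Python model of the
# *OPTION1 and *OPTION2 masking rules described on this page. The product
# applies these rules inside its DB2 Field Procedure and 'auth' decrypt APIs;
# this model only illustrates them so the masked output can be reasoned about.

SHOW = "9"  # in an *OPTION1 mask, '9' shows the underlying position


def mask_option1(value: str, fldmask: str, numeric: bool = False) -> str:
    """*OPTION1 (FLDMASK): every position whose mask character is '9' is shown;
    every other position is replaced by the mask character.
    For numeric fields only the whole-number part is masked; decimals pass
    through unchanged. Assumption: the mask must cover the masked part exactly."""
    whole, sep, decimals = value.partition(".") if numeric else (value, "", "")
    if len(fldmask) != len(whole):
        raise ValueError("mask length must equal the length of the masked part")
    masked = "".join(v if m == SHOW else m for v, m in zip(whole, fldmask))
    return masked + sep + decimals


def mask_option2(value: str, digleft: int, digright: int, fldmaskv: str,
                 numeric: bool = False, fieldproc: bool = False) -> str:
    """*OPTION2 (DIGLEFT/DIGRIGHT/FLDMASKV): show digleft positions on the left
    and digright on the right; replace everything in between with fldmaskv.
    Leading blanks (character) or leading zeros (numeric) and trailing blanks
    (character) are ignored when counting and are returned unchanged."""
    if len(fldmaskv) != 1:
        raise ValueError("FLDMASKV is a single character")
    if numeric and fieldproc and not fldmaskv.isdigit():
        # a Field Procedure stores the masked value in the numeric column itself
        raise ValueError("numeric field under a Field Procedure needs a 0-9 mask")
    if numeric:
        core = value.lstrip("0")
        lead, trail = value[: len(value) - len(core)], ""
    else:
        core = value.strip(" ")
        lead = value[: len(value) - len(value.lstrip(" "))]
        trail = value[len(value.rstrip(" ")):]
    n = len(core)
    if digleft + digright >= n:
        return value  # assumption: nothing is left to mask, value shown as-is
    middle = fldmaskv * (n - digleft - digright)
    return lead + core[:digleft] + middle + core[n - digright:] + trail
```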

For MASKOPT(*OPTION3) masking

Used for Date, Time and Timestamp fields. You must enter a valid Date, Time or Timestamp value; this will be the value used as the mask. The mask value must be a proper Date, Time or Timestamp value for the field being masked.

It is recommended to specify a mask value that does not conflict with an existing value in your database. For instance, for a date field, you may want to specify a mask value with a high value date of 9999-12-31.

The mask value must be in the same format as the field. For example, if the "Date Format" of a field is *ISO, then the mask value must be in *ISO format.

Examples:

  • Date '9999-12-31'
  • Time '24.00.00'
  • TimeStamp '9999-12-31-24.00.00.000000'

NOTE: When specifying *OPTION3, you should not specify a not-authorized fill value.

Char/Digits to show on left (DIGLEFT)

When a masked value is requested on a decrypt operation, indicate the number of characters or digits to show on the left side of the field value. Valid for MASKOPT(*OPTION2) masking.

For a character field, any leading blank characters will be ignored when performing the masking. For a decimal field, any leading zeros will be ignored.

Char/Digits to show on right (DIGRIGHT)

When a masked value is requested on a decrypt operation, indicate the number of characters or digits to show on the right side of the field value. Valid for MASKOPT(*OPTION2) masking.

For a character field, any trailing blank characters will be ignored when performing the masking.

Masking Value (FLDMASKV)

The value to be used as the masking character or number. Valid for MASKOPT(*OPTION2) masking.

When masking a numeric field and using DB2 Field Procedures, the mask value must be a number between 0 and 9.

When masking a character field, or when masking a numeric field and not using DB2 Field Procedures, the mask value can be any character or number.

Not authorized fill value (NOTAUTHFV)

Indicate the 1-byte value to fill the returned value on a decryption request (from a DB2 Field Procedure or a Powertech Encryption 'auth' API) if the user is not authorized to either the full or masked authorization lists.

For instance, if the fill value is '9' and the field length is 7, then the value of '9999999' will be returned on an unauthorized decryption request.

NOTE:
  • The fill value is required when a DB2 Field Procedure is utilized and the return value (FLDPROCOPT) is set to *AUTH.
  • If the field type is *CHAR, then the fill value can be a number, letter or special character (e.g. #, *, %).
  • If the field type is *DEC, then the fill value can be a number from 1 through 9 if a DB2 Field Procedure is being utilized; otherwise it can be a number from 0 through 9.
  • The fill value is not allowed for field types of *DATE, *TIME and *TIMESTAMP.