Using Encrypted Fields

Use encrypted Fields to include and protect sensitive data relevant to a Business Object (ex: Identity information, financial data, etc.). When working with encrypted Fields, Users can:

  • Provide sensitive, plain text data in new Business Object records.
  • Decrypt encrypted Fields in existing Business Object records.

Good to know:

  • Working with encrypted Fields requires Business Object rights.
  • When a new record is created, encrypted Fields are blank and editable. However, when the record is saved, the Field is converted to read-only to prevent unauthorized editing of encrypted data.
  • Data entered into encrypted Fields appears as plain text. Data is masked when the encrypt/decrypt button is clicked or when the record is saved. In the Browser Client, tabbing out of an encrypted Field also masks the data. Data is not actually encrypted until the record is saved.
  • Data in an encrypted Field must be explicitly decrypted by clicking the encrypt/decrypt button. All decryption attempts are recorded in Journal-History records and in Splunk logs (if configured). Decrypted data appears as plain text, but is masked again as soon as the User saves the record or navigates away.
  • Encrypted Fields:
    • Cannot be searched, displayed in grids, or used in many of the areas where regular fields can (examples: One-Step Actions, expressions, widgets, etc.).
    • Cannot be used in reports as parameters or results.
    • Are stored in a database table separate from Business Objects, and cannot be indexed.
    • Cannot have default or calculated values, or set values based on lifecycle state.
    • Cannot use validation or auto-population.
    • Are limited to a maximum of 255 characters.
    • Cannot be permanently decrypted or converted back to unencrypted fields.