Data Privacy Framework Query Incorrectly Masks Emplid and Returns Error 'You have insufficient access to retrieve this data. (30,15)' if NATIONAL ID is Marked as Sensitive on STDNT_AID_SRCH but EMPLID is not Marked Sensitive (Doc ID 2813251.1)

Last updated on FEBRUARY 20, 2024

Applies to:

Symptoms

When Query Masking is enabled and National ID is marked sensitive under Maintain Data Privacy Settings - e.g. Product = FA-General - for record STDNT_AID_SRCH, there are problems encountered when running simple queries in Query Manager. Note, these problems only occur when authorized user "CS - Administrator" is removed from the logged in user's user profile, prior to running the query. If user "CS - Administrator" remains attached to the logged in user's user profile and the same query is run, nothing is masked, which is the expected result.

First the results of the following query shows the Emplid masked, when it's expected only the NATIONAL_ID should be masked.

The issue can be reproduced with the following steps:

1. Login as PS/PS
2. Navigate to Enterprise Components> Data Privacy Framework > Maintain Data Privacy Settings
3. Search for a product to display relevant records/fields (in this example, enter 'FA' into the Product filter and click Search)
4. Select FA-General
5. Click Search
6. Scroll down to locate the STDNT_AID_SRCH rows
7. Enable the 'Sensitive' checkbox for the STDNT_AID_SRCH row.
   Record name: STDNT_AID_SRCH
   Field name: NATIONAL_ID
   Category: Government Identifier
   Classification: National Identifier
   Product: FA-General
8. Add Authorized Role under Enterprise Components > Data Privacy Framework > Query Masking > Authorized Roles
   
   Role Name: CS - Administrator
   Record Name: STDNT_AID_SRCH
   Access Code: Authorized
9. Navigate to Enterprise Components > Data Privacy Framework > Query Masking > System Settings
10. Enable Query masking (Make sure that Enable Query masking is set to Yes)
11. Navigate to Enterprise Components > Data Privacy Framework > Query Masking > Run Data Sync
12. On Synchronize Data tab, click Run
13. Click Process Scheduler link
14. Click Refresh button until Status is Success | Posted
15. Click Details and go to Message Log --> make sure there's no error.
16. Navigate to PeopleTools > Security > User Profiles
17. Open User ID = PS
18. Go to Roles tab and make sure "CS - Administrator" is in the list of roles attached to the user
19. Navigate to Reporting Tools > Query > Query Manager
20. Create a new query (e.g. SB_TEST_QRY_MASK) to fetch NATIONAL_ID field, EMPLID and other rows from STDNT_AID_SRCH record
    Sample query SQL as follows:
    --
    SELECT A.EMPLID, A.INSTITUTION, A.AID_YEAR, A.NATIONAL_ID,
    FROM PS_STDNT_AID_SRCH A
    WHERE ( A.OPRCLASS = 'HCPPALL')
21. Run the query - it shows the National ID ok but EMPLID is masked. EMPLID is masked.
22. Remove the authorized role "CS - Administrator" on logged in user's User Profile's role tab.
23. Rerun the query. National ID is masked together with EMPLID. EMPLID is masked.
24. Adjust the query to include critera on specific EMPLID. Query SQL should be similar to the following:
    --
    SELECT A.EMPLID, A.INSTITUTION, A.AID_YEAR, A.NATIONAL_ID
    FROM PS_STDNT_AID_SRCH A
    WHERE ( A.OPRCLASS = 'HCPPALL'
    AND ( A.EMPLID = 'AA0002' ))
25. Click Run tab
26. Error: "You have insufficient access to retrieve this data. (30,15)" is displayed.

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.