Masking reports

The Report Masking feature allows limiting access to sensitive data in reports residing in the Control-D repository. Administrators can assign permissions to access the full content of specific reports for a particular group of one or more authorized users, who are defined in a security product such as RACF. Administrators can create a specific Mask Ruler for each report containing sensitive data. A report assigned to such a Mask Ruler can be viewed or printed by unauthorized users only after applying this Mask Ruler. This process is applied for U-screen and Control-D Web Access users. If there is a view, print ruler, or Logical view for this report, it will be applied only after applying the Mask Ruler.

To prevent a report from being viewed by unauthorized users do the following:

1. Identify the list of users that are permitted to view the full report and define a corresponding Mask Ruler.
2. Specify these user IDs in the security product. For more information on masking reports, see the "Control-D and Control-V Basic Definition Security Calls" section in the INCONTROL for z/OS Security Guide.
3. Assign reports for masking by adding a DO MASKRUL = mask_ruler_name statement in the decollation definition where:

   mask_ruler_name is the name of the Mask Ruler defined for this report in the V,E-screen. For example:

-------------------------------------------------------------------------------

DO WHEN LINE 00020 - 00060 COL 00020 - 00024 PRINT REF NXT CT AND/OR STRING =  

TOTAL DO MASKRUL = MASK1                                                       

-------------------------------------------------------------------------------

For more information, see the DO MASKRUL section in the Decollation Mission Parameters chapter in the Control-D and Control-V User Guide.

1. Run a decollation mission to create the report in the Control-D Repository. The REP26GE message is issued.
2. Define a Mask Ruler for the created report in the U,V,E screen. To see the masked report, use the RULE MASK primary command on the U,V-screen.

For automatically masking new reports, apply the WDN065 optional wish. In this case the Mask Ruler must be created using the previous report entry with the same USER, JOBNAME, and REPORT NAME.

For manually masking old reports, enter the USER, JOBNAME, and REPORT NAME in the Mask Ruler field using the update option in U-screen in DI A mode.

The CTDUFUPD utility can be used to update the Mask Ruler name for old reports as well.

For more information on the CTDUFUPD, see the INCONTROL for z/OS Utilities Guide.

Note. The optional wishes WDN065 and WDM065 can be used to change the masking report implementation. The WDN065 determines if Mask Ruler is set up automatically during decollation. The default is “No”. The WDM065 determines whether the report is viewed or printed if Mask Ruler is not found. The default is “Yes”.