Module access policies (MAPs) are access controls that you apply to your cryptographic modules. Use these access policies to decide which users and scripts can access data encrypted by a cryptographic module.

Module access policies

Note: A subscription is required to utilize the Field Encryption Enterprise functionality. See Activate Field Encryption for more information on Field Encryption Enterprise.

Module access policies are introduced with the Key Management Framework (KMF) in the base system.

Module access policies expand on the role-based designations that were provided with the encryption modules. Module access policies can be based on the following:

In a cryptographic module, you must configure the correct module access policies to permit access to encrypted data. Without a module access policy associated with a cryptographic module, encrypted data isn’t visible to users and associated fields and columns in lists display as empty.

In this example, the absence of a module access policy on the encrypted Short Description field hides the content from all users accessing the Incident table. With a module access policy in place, only users with a specific role are able to see the encrypted data.

Figure 1. Encrypted short descriptions with and without module access policies
Data with and without module access policies.
Note: The data in the column also appears empty to users without the correct role specified in the module access policy.

Refer to Create a module access policy for setup.

Autogen policies

Autogen policies are generated automatically by the system, based on the default module access policy defined for the given cryptographic module. If no granular policies are defined when the system or a script tries to access the given cryptographic module, these global policies are generated and applied.

Important:

Autogen policy rules aren’t applied for scheduled job types or for field encryption modules (modules where the parent module is Field Encryption).