Social Security Number Masking

Security settings configured on the Data Display Access window by the System Administrator control rights for groups to view student Social Security Numbers (SSN). All windows and reports except Additional Reports use this SSN functionality.

You can display SSNs in three formats.  The * is the masking character.

 

Mask

Display

Show all digits

###-##-####

123-45-5689

Show any number of digits

***-**-####

***-**-1234

Hide all digits

***-**-****

***-**-****

All groups must be defined with a particular SSN mask to view the SSN. If you log in and none of the groups of which you are a member has a SSN mask assigned, the SSN will be completely masked.  

Due to the need for producing electronic files, primarily in the J1 Desktop Human Resources module, the SSN security check allows users who can see the entire SSN on the window (i.e., the SSN is not masked for the user) AND have permissions to the Save Rows As function can save the SSN to a file. For any users where the SSN is masked in some way or who do not have permissions to the Save Rows As function, the SSN will not be saved to the file.

A priority is also assigned to each defined group. Groups with less stringent SSN access should be at the top of the list, and groups with the most stringent access should be at the bottom of the list. Assigning priorities allow users who are members of more than one group to view the SSN based on the mask of the highest priority group (i.e., top of list).

 

Assume that TE_ADMIN (with a mask of ###-##-####) has a higher priority than ADMANAGER (with a mask of ***-**-####). Members of TE_ADMIN will be able to see the whole SSN. Members of ADMANAGER will be able to see only the last four digits of the SSN. Members of both TE_ADMIN and ADMANAGER will be able to see the whole SSN because TE_ADMIN has a higher priority than ADMANAGER. If the priority changes so that ADMANAGER has the higher priority, then members of both TE_ADMIN and ADMANAGER will be able to see only the last four digits of the SSN.

In addition to masking SSN in columns, you should also add group security to columns where a SSN search can take place. Jenzabar recommends that you add security restrictions in the following three situations:

·       ID Number column in all windows: If a user has any restricted permissions and enters a SSN without dashes, do not automatically retrieve the record with the matching SSN.

·       ID Number column in all windows: If a user has any restricted permissions and enters a SSN with dashes, do not display the search drop-down list populated with records matching the SSN; instead, display a message telling the user they do not have permissions.

·       SSN column, Advanced Name Search window: If a user has any restricted permissions, disable the SSN column so that they cannot search on SSN and display the SSN with the mask after finding matching records.

Additional Notes

·       Users with limited SSN viewing should also be prevented from using the Customize button and the Customize Form menu option. This button and menu option takes the user directly to InfoMaker where they can run their own queries.

·       Changes to the mask do not affect users who are already logged in. The change takes effect the next time the user logs in to the module.

·       If there are no asterisks (*) in the mask (Security Value), the formatting is ignored and the SSN displays as usual. In other words, missing or extra dashes in the mask are ignored.

·       If a user is a member of a group that is listed in the EX_DATA_DISPLAY_ACCESS table with restricted permissions AND a group that is not included in the table (which by default does not restrict permissions), the permissions defined in the table are used. The default permissions for the non-listed group are ignored.

·       Some printed forms and reports that display the SSN will never display the mask. If a user with restricted access to the SSN attempts to print one of these forms or reports, the following message is displayed: "You do not have the appropriate SSN security access to print this form/report. Please see an administrator to update the permissions for your group or ask a user with full access to the SSN to print this form/report." The printed forms/reports that never display the mask include the following:
 

Form/Report

Module

Additional Information

W-2 Form

Payroll

 

1098-T Form

Accounts Receivable

 

1099Int Form

Accounts Payable

 

1099R Form

Accounts Payable

 

1099Q Form

Accounts Payable

 

1099Misc Form

Accounts Payable

 

Official Transcript

Registration

If the Print Official Transcript checkbox is not selected on the Transcript window, the user may print/preview the transcript with the masked SSN. If the checkbox is selected but the user does not have full permission to the SSN, the transcript will not be printed and the message will display.

SEVIS

Common

If the Final Run: Copy Rows to History checkbox is not selected on the View History/Generate Report tab of the International Students and Exchange Visitors window, the user may print/preview the SEVIS report with the masked SSN. If the checkbox is selected but the user does not have full permission to the SSN, the SEVIS Report will not be printed and the message will display.