Secure User Custom Fields

Prior to this release, clients do not have the ability to define their own Sensitive Personally Identifiable Information (SPII) fields.

With this release, newly created short text, scrolling text, date, and numeric user custom fields can be configured as secure fields, by using a new “Secure” checkbox on the Custom Field Administration page. Secure custom fields will function like Sensitive Personally Identifiable Information (SPII) fields and can be maintained and viewed if the administrator’s IP is part of the IP whitelist.

On the user record, secure custom field data is masked by default, but with proper permission, an administrator can click Show to view the masked data.

Considerations

  • When creating a new Secure custom field, the All Users and Active boxes must be checked.
  • The Secure property can only be configured when creating a new custom field and cannot be changed.
  • To prevent any potential secure data from being accessible to non-whitelisted users, Secure custom fields cannot be included in group membership criteria or email notifications.
  • Required custom fields cannot be set to Secure.
  • Secure custom fields cannot be added to My Account and won't be available for selection in My Account preferences.
  • Secure custom fields cannot be maintained via Data Load Wizard. Any existing load/feed setup must be reconfigured to exclude secure custom fields.
  • Secure custom fields cannot be maintained or exposed via Employee API.
  • Secure custom fields cannot be maintained via Forms.
  • Secure custom fields cannot be accessed via standard or custom reports.
  • Secure custom fields cannot be accessed via Point in Time Headcount report or Employee Record Change ODF.
  • Secure custom fields cannot be included in duplicate user management preferences. If a potential duplicate is identified, the system will exclude secure custom field data when admin resolves the duplicates via 'Pending Duplicate Users page' and client will need to re-enter the secure data for the resolved user record.
  • Secure custom field changes will be audited and visible in Modification History in an encrypted format. Detailed audits on who viewed decrypted information can be provided on a need basis by contacting GPS.
  • Secure custom field feature cannot be disabled.
  • Portal copydowns won't include secure custom field data as the encryption keys are different across environments. Secure custom field data will not be retained in copydowns.

Implementation

This functionality is available by default to CHR clients only.

Use Case

John Adams is a system admin at the ACME organization. He is preparing to onboard 10 new employees in Acme’s newest Spain office. John wants to ensure that the Cornerstone HR system is set up correctly to ensure that other regional HR business partners can quickly onboard the next set of employees.

John wants to promote high quality data integrity standards and wants to ensure that ACME stays compliant with respect to employee data capture. He is aware that employees in Spain need to register their tax identification number (NIF) with their company for payroll processing. John is aware that the NIF number is SPII data and only members of Regional HR team should be authorized to maintain this information. As a result, John is looking for a way to securely manage the employee data administration using authorized IP addresses for an additional layer of security, as well as setting the correct permissions.

Since the NIF number is not available as a standard field, John logs into the Cornerstone system and navigates to the User Custom Field Administration page. John creates a new custom field and checks the 'Secure' checkbox that allows him to set NIF number as a secure custom field that can only be maintained by IP whitelisted users.

Permissions

The following new permissions apply to this functionality:

PERMISSION NAME PERMISSION DESCRIPTION CATEGORY
Users - Edit Secure User Custom Fields - Unmasked Grants the ability to edit secure user custom field info unmasked. This permission can be constrained by OU, Restrict to User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. Core Administration
Users - Manage Secure User Custom Fields Grants the ability to manage the setting secure user custom fields. This permission can be restrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. Core Administration
Users - View Secure User Custom Fields - Masked Grants the ability to view secure user custom field info masked. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. Core Administration
Users - View Secure User Custom Fields - Unmasked Grants the ability to view secure user custom field info unmasked. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. Core Administration

The following existing permissions apply to this functionality:

PERMISSION NAME PERMISSION DESCRIPTION CATEGORY
Self-Registration and User Record Custom Fields - Manage Grants access to manage custom fields for user Self Registration and the user record in Custom Field Administration. This permission can be constrained by OU and User's OU. This is an administrator permission. Core Administration
User Record Custom Field Configurable Validations - Manage Grants ability to manage the configurable validations for user record custom fields within Custom Field Administration. This permission cannot be constrained. This is an administrator permission. This permission is only available to organizations that are using Cornerstone HR. Core Administration