This question has been asked before but I have a different spin. Plus, I haven't seen any real robust answers to this type of question. They all seem individual code/setting based per field.
I want to identify a list of fields that will always be masked for everyone not associated with the appropriate rule set.
This includes UI, Flows, Reports, etc.
I don't want to have to write special code and/or settings to implement. If the field on the list appears anywhere in Pega, it is treated accordingly. This list enables every company using Pega to customize the names, types, etc. without worrying about location, usage, etc.
Since PII, ITAR, HIPAA, FISMA, PCI, and EAR are all internationally recognized as sensitive data, I'd hope this has been addressed, or can be addressed in a future release, in the Pega platform holistically and not just as an afterthought.
I've attached a simple workflow pic for clarity. This is a simple, effective way to enable field masking. The performance impact can be analyzed, and this could be enabled via an admin option so it doesn't have to be used if it isn't wanted.
If it is available in the version of Pega 7 you are using, you may want to look into enabling the attribute-based access control (ABAC) functionality on your system (it was introduced in either 7.2 or 7.2.1, I believe). It would allow you to define authorization at a property level. If your version supports ABAC, you can get more details on it by going to the Help menu in Designer Studio, opening the Contents tab of the help (the help should open to this tab by default), and clicking on "Security" and then "Attribute-based access control". If you want to enable the functionality on your system, you will need to change the "EnableAttributeBasedSecurity" dynamic system setting to true.