Error Replacement
If a database user attempts to access encrypted data for which they do not have decryption permission, the system returns an error message. You can specify the content of those permission-related errors using the replacement values feature. Use the Error Replacement Value field in the Column Properties section to specify that the system return a specific value, a NULL value, or the original standard error.
If users without sufficient permissions access the migrated data, CDP can be configured to return any of the following:
Standard “insufficient permissions” error
NULL value (not the error)
User-specified error replacement value
Return encrypted value for FPE encryption
Important
Replacement values are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic process is required, so CDP for DB2 does not interact with the Key Manager and the replacement values feature is not activated.
When CDP performs crypto operations in local mode, the error replacement values also get cached. The values remain in the cache until the time specified in Symmetric_Key_Cache_Expiry has passed.
For large object data types, CDP does not support the user-defined error replacement value. Standard error and NULL value replacement are supported.
If a column contains an empty record, the empty value is displayed instead of the error replacement value.
Replacement values cannot be set to null for the following column types:
VARCHAR
CHAR
TIME
TIMESTAMP
Note
Error replacement cannot be set for the VARGRAPHIC data type.