Error Replacement
If a database user attempts to access encrypted data to which they do not have decryption permission, the system returns an error message. You can specify the content of those permission-related errors using the replacement values feature. Use the Error Replacement Value field in the Column Properties section to specify that the system return a specific value, a NULL value, or the original standard error.
If users without sufficient permissions access the migrated data, CDP can be configured to return any of the following:
Standard “insufficient permissions” error
NULL value (not the error)
User specified error replacement value
Return encrypted value for FPE encryption
Important Notes
Replacement values are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic process is required, so CDP does not interact with the CipherTrust Manager and the replacement values feature is not activated.
When CDP performs crypto operations in local mode, the error replacement values also get cached. The values remain in the cache until the time specified in Symmetric_Key_Cache_Expiry has passed.
For large object data types, CDP does not support the user-defined error replacement value. Standard error and NULL value replacement are supported.
If a column contains an empty record, an empty value is displayed instead of the Error Replacement value.
In remote mode, for VARCHAR(MAX), NVARCHAR(MAX), TEXT, and NTEXT data types, if the record has fewer than 4096 characters, the Error Replacement value will be displayed as empty.
Replacement values cannot be set to null for the following column types:
VARCHAR
NVARCHAR
CHAR
NCHAR
TIME
DATETIME2
GRAPHIC
VARGRAPHIC