Set up Module Access Policies

  • Release version: Australia
  • Updated April 2, 2026
  • 1 minute to read

    • Configure module access policies in External Key Management Service (EKMS) to control who can view encrypted data in clear text.

    Before you begin

    Role required: sn_kmf.admin or sn_kmf.cryptographic_manager

    Confirm that you have:

    Procedure

    1. Navigate to All > System Security > Field Encryption > Field Encryption Experience > Configurations > Access Policies.
      Note:
      For additional information, refer to Configure module access policies for Field Encryption.
    2. Select Create New.
    3. Select Configure.
    4. Complete the Module Access Policy (MAP) form.
      Table 1. MAP Form
      Field Description
      Policy name Enter a name for the policy.
      Type Decide who or what should have access to this MAP to encrypt or decrypt data.
      • Scope- Anything within the specified Application Scope has access to this MAP.
      • Role- Only users with the specific role can access this MAP.
      • Script- Ensure a specified script can access this MAP.
      • System Access- Allows processes running in “System Context” access to this MAP.
      • Resource Exchange- Allows for the Resource Exchange feature access to this MAP.
      For more information on how these different types of MAP work, see Exploring Field Encryption.
      Target scope Field is visible as an identifier for the Scope type. Refers to the functionality of the policy. Select the applications from the search menu.
      Specify purpose Optional.  Enable  to  display  the  Crypto  Spec  field  on  the  form.  Enable this option to configure granular operations, such as some users being able to encrypt, but not decrypt. 
      Application The  Application scope  is  auto-populated  by  your  current scope. 
      Active Select to activate the policy.
      Result Select one of the following:
      • StrictReject rejects access under all circumstances.
      • Reject rejects users with the Target Role or Target Scope from accessing this cryptographic module unless another policy grants them access.
      • Track to permit access and monitor use of the module.
      Example of completed MAP form.

    Result

    The Module Access Policy for the script is available in the system.

    Next steps: