BAQ for PrEmpMas Social Security Number (Encrypted)

In doing some testing with 2021.100.26, it looks like the social security numbers are now encrypted through BAQ. So no more accessing from PrEmpMas through BAQ or BAQ report.
The suggested fix is to create a UD column.
Just a heads up for anyone interested.

I will need this for some reports; adding a UD column seems like a way to revert the security purpose of this. Any recommendations?

Resolution

There is an enhancement request ERPS-152082 Payroll/External Payroll Employee Social Security Number encrypted in database to be exposed as decrypted in BAQ, and re-encrypted back when updated by Updatable BAQ

Notes

As a workaround, if users want SSNs in plain text, add a UD Field to table PREmpMas, get the unencrypted list of SSNs using the BO, using REST (GetRows, for example), and just save the unencrypted value into the UD Field. This should easily pull UD fields into a BAQ.

If you require additional assistance setting this up you will need to work with Professional Services.

PrEmpMas

Epicor has the facility to decrypt them to print in W-2, etc.

It’s just a matter of calling the right function.

Going from memory here, but try this on a UBAQ GetList post-processing for each of the rows on the BAQ, where str is the field holding the encrypted data:

Epicor.Security.Cryptography.Encryptor.DecryptToString(str);

Can you give me a few more hints on the UBAQ?
My end result is a BAQ Report into SSRS. Do I need to set up a BPM to trigger when the BAQ runs?

An Updatable BAQ: you can run that bit of code in the Post Processing of GetList, which basically “unmasks” the data.

Thank you, I’ll dig into that.

When I post the Encrypted SSN to a message box I get a small portion of it. Same as the BAQ column. 24 characters I believe.
It’s trying to decrypt only part of it so I get Nothing for a result after that.
(Actually might be the entire thing, I dunno)

Here is my process (which is a little goofy since I’m trying to figure this out)

BPM
GetList->Post Processing

PrEmpMas.SocSecNum to Calculated Field (Calculated_SSNph)
Set Argument/Variable of MaskedSSN = resultResultsRow.Calculated_SSNph
Execute Custom Code:
string UnMaskedSSN = Epicor.Security.Cryptography.Encryptor.DecryptToString(MaskedSSN);
Show both MaskedSSN and UnMaskedSSN in message box.

I’m going to build a Dashboard with a customization and see if I can get it to work there maybe.

It works in Form Customization, same code. Must be missing a reference, or something with how I’m doing the BPM.

So if I do a message box through the code block it works, yay. Now I confirmed I can decrypt it. Next step is to add it back to the BAQ column or replace a column in the BAQ result.

Ughh… I’m going to give up and pay Epicor to rewrite our 401k Submission report (which requires SSN). I wrote the original BAQ Report in E10, which was very simple, just query PrEmpMas table with sub-query on deductions.

I can get the decrypted value to show up in a message box when the BAQ returns (1) result / employee. Otherwise it’s trying to put it into a list. I imagine it’s some sort of ‘foreach’ code that would solve this, but I would also need to have it dump back into the BAQ as a new column so I can use it on my SSRS report.

Loop through the results in the dataset, and assign the decrypted value to a Calculated field in the BAQ.
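
The loop suggested in the last reply, sketched as custom code for the GetList post-processing directive. This is an added example, not code from the thread or from Epicor. It assumes the result rows are exposed as result.Results (an assumption; the name differs between Kinetic versions) and that Calculated_SSNph is the calculated field from the process above, already populated with the encrypted PrEmpMas.SocSecNum value.

```csharp
// Added example: decrypt each row in place so the BAQ Report receives the value
// in a calculated column instead of a message box.
// Assumption: result.Results is the row collection for this Kinetic version.
// Assumption: Calculated_SSNph initially holds the encrypted SocSecNum string.
foreach (var row in result.Results)
{
    string encrypted = row.Calculated_SSNph;

    // Employees with no stored SSN have nothing to decrypt.
    if (string.IsNullOrEmpty(encrypted))
    {
        row.Calculated_SSNph = string.Empty;
        continue;
    }

    try
    {
        // Same call quoted earlier in the thread.
        row.Calculated_SSNph =
            Epicor.Security.Cryptography.Encryptor.DecryptToString(encrypted);
    }
    catch (Exception)
    {
        // Blank the field rather than aborting the query or surfacing the
        // value (encrypted or not) in an error message or log.
        row.Calculated_SSNph = string.Empty;
    }
}
```

Because the decrypted value exists only in the query result, access to it is governed by who can run this BAQ and its report, so restrict both to the payroll roles that already see SSNs.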