I have a requirement to allow personal information to be collected from users on various catalog offerings.  This information should only be visible to specific groups of ITIL roled users depending on the offering.  To make this happen, I have used masked encrypted variables for the data.  This is working.  The problem is that I have to give any user, needing to see the variable response, the catalog_view_masked role and that allows them to see any masked encrypted field on any offering.  I need group A to be able to view the masked encrypted variable for offering A and not offering B, while at the same time allow group B to be able to view the masked encrypted variable for offering B and not offering A.

Any ideas?  I have tried recreating the catalog_view_masked role as catalog_view_masked2 and assigned it to the B group, but the A group can still see the B group's field data, while the B group cannot see the A or B group's field data.

Thank you in advance.

Krysta