Data Masking
Your application backend should regulate what records are visible to this or that user according to an ACL (access control layer) implemented within your application, while Web Services will unredact the response body as-is without checking user’s permissions.
How to mask values for users requesting regulated records outside the country of origin?
By default, Web Services unredacts regulated values without checking whether the user requesting them originates from the country of origin. To avoid situations, when you may expose regulated records outside their country of origin, you can use the masking option when configuring the Web Services endpoint.
In this case, Web Services will check the IP address of the requestor and check whether it matches or not the record’s country of origin. If it matches, then Web Services will return a clear-text value, otherwise it will return the masked value to the application frontend for rendering to this user.
Also, your application must know which fields are redacted/masked and which fields are not allowed for some actions (such, as editing), when you configure the Web Services endpoint. All such limitations and restrictions must be implemented within your application, so Web Services will just redact the ingress data and unredact egress data without checking what the current user can do and what cannot do.