Difference in behavior in instances when using legacy CLE vs KMF

Summary

- If the encryption context (legacy CLE) is being used in the instance, it is supposed to be tied to a role. This means only users who have the role associated with the encryption context will have access.
- This is the expected behavior of the product when legacy CLE is in use.
- To check this, verify the property "glide_encryption.cle_replatforming_with_kmf". If its value is "opt_out", KMF is not active.
- When legacy CLE is in use, it has nothing to do with MAP access. Even if we try to assign a role that is added in a module access policy (e.g. sn_si.admin), the relevant field will not be visible. This requires the encryption context only.
- With KMF (the latest one), on the other hand, MAP access applies. Hence, if we assign a role that has the module access policy, users with that role can see the field.

Related Links

Note: If customers would like to migrate to KMF, raise a new case with support to follow the process, and follow the migration steps manually.