Security Rule Set Simulator Example

You have a database that contains sensitive employee information and you want to create and test a masking rule that prevents non-privileged database users from viewing the sensitive data.
You create a database connection in the Management Console. The following image shows the database connection parameters:
The DDM Database Name is OracleDatabase. The DBA Username is DDMAdministrator.
Note the DDM Database Name and DBA Username values. You use the database connection parameters when you run the Security Rule Set Simulator.
You add the Dynamic Data Masking service for the database in the Management Console and create a connection rule. The connection rule directs requests to the database to a security rule set. The All Incoming Connections rule matcher creates a match for all connections to the database. The Use Rule Set rule action directs all connections to the rule set that you specify in the Rule Set Name parameter. The following image shows the connection rule parameters:
The connection rule uses the All Incoming Connections matcher, the Use Rule Set rule action, and the Stop if Applied processing action.
Note the Rule Set Name value. You use the value to name the security rule set.
You create a masking security rule that uses the column alias to truncate every value that a query returns from the database. The Any rule matcher matches all requests that go through the rule. The Mask rule action uses a masking function to mask the sensitive data. The following image shows the rule set and the masking rule parameters:
The masking rule uses the Any matcher and the Mask rule action.
In the Rule Editor, you highlight the masking rule in the rule tree and open the Security Rule Set Simulator.
In the Security Rule Set Simulator you enter the following information:
DDM Database Name
The database name that you used to create the database node in the Management Console.
DBA Username
The database user name that you used to connect to the database in the Management Console.
DBA Password
The password for the database user.
AUTH_USERNAME Symbol Value
The database user name that you want to use to test the masking rule. If you do not enter a database user name, the simulator uses the Dynamic Data Masking administrator user name and password that you used to connect to the database in the Management Console.
SQL Statement
The SQL request that you want to use to test the masking rule.
Click Run to run the simulator and test the rule. The following image shows the Security Rule Set Simulator parameters and the simulator log output:
The simulator displays the log output for the user that you defined for the AUTH_USERNAME symbol.
The log output shows that the simulator tested the rule as the user that you entered for the AUTH_USERNAME symbol.
The following text shows the complete simulator log output:
Replace Using MaskingRule
Original Statement: SELECT * FROM HR.EMPLOYEES
Replaced by: SELECT substr("EMPLOYEES"."EMPLOYEE_ID",1,2) "EMPLOYEE_ID" , substr("EMPLOYEES"."FIRST_NAME",1,2) "FIRST_NAME" , substr("EMPLOYEES"."LAST_NAME",1,2) "LAST_NAME" , substr("EMPLOYEES"."EMAIL",1,2) "EMAIL" , substr("EMPLOYEES"."PHONE_NUMBER",1,2) "PHONE_NUMBER" , substr("EMPLOYEES"."HIRE_DATE",1,2) "HIRE_DATE" , substr("EMPLOYEES"."JOB_ID",1,2) "JOB_ID" , substr("EMPLOYEES"."SALARY",1,2) "SALARY" , substr("EMPLOYEES"."COMMISSION_PCT",1,2) "COMMISSION_PCT" , substr("EMPLOYEES"."MANAGER_ID",1,2) "MANAGER_ID" , substr("EMPLOYEES"."DEPARTMENT_ID",1,2) "DEPARTMENT_ID" FROM HR . EMPLOYEES
Done by ClientInfo:[User=null, Host=null, application=null] - DDMUser
-------------------------------------------------------------
Original statement: SELECT * FROM HR.EMPLOYEES
Replaced by: SELECT substr("EMPLOYEES"."EMPLOYEE_ID",1,2) "EMPLOYEE_ID" , substr("EMPLOYEES"."FIRST_NAME",1,2) "FIRST_NAME" , substr("EMPLOYEES"."LAST_NAME",1,2) "LAST_NAME" , substr("EMPLOYEES"."EMAIL",1,2) "EMAIL" , substr("EMPLOYEES"."PHONE_NUMBER",1,2) "PHONE_NUMBER" , substr("EMPLOYEES"."HIRE_DATE",1,2) "HIRE_DATE" , substr("EMPLOYEES"."JOB_ID",1,2) "JOB_ID" , substr("EMPLOYEES"."SALARY",1,2) "SALARY" , substr("EMPLOYEES"."COMMISSION_PCT",1,2) "COMMISSION_PCT" , substr("EMPLOYEES"."MANAGER_ID",1,2) "MANAGER_ID" , substr("EMPLOYEES"."DEPARTMENT_ID",1,2) "DEPARTMENT_ID" FROM HR . EMPLOYEES
You select Debug Mode and run the simulator to view the detailed log output. The detailed log output shows additional connection and Dynamic Data Masking Server information. The following text shows the debug log output:
Database set to: OracleDatabase
FolderAction: trying: MaskingRule for: []
MaskingRule.match: matcher: AnyMatcher h: []
Applying rule: MaskingRule
MaskingAction.execute: SELECT * FROM HR.EMPLOYEES
OracleDatabase: Getting connection for: DDMAdministrator
OracleDatabase.buildURL: Finished being built URLjdbc:informatica:oracle://hr-server;ServiceName=Oracle11g
OracleDatabase: Is Setting schema: true
Try and impersonate using: user=DDMAdministrator and null catalog.
Starting to impersonate user: DDMAdministrator -- Null catalog
Adding for execution SQL statement: ALTER SESSION SET CURRENT_SCHEMA = DDMAdministrator
Here are the 1 return codes after executing the statement list:-
0: Statement returned with number of rows: 0
Completed impersonation to user: DDMAdministrator
Completed successfully impersonating user: DDMAdministrator -- Null catalog
MaskingAction: Alias set is: ["EMPLOYEES"]
OracleDatabase: Impersonating
OracleDatabase: Getting connection for admin user = DDMAdministrator
OracleDatabase: Getting connection for ddm admin user and password
OracleDatabaseUser = DDMAdministrator ; Password = GCMNFIENGEBPNCBI
OracleDatabaseAbout to obtain non-pooled connection.
OracleDatabase.buildURL: Finished being built URLjdbc:informatica:oracle://hr-server;ServiceName=Oracle11g
OracleDatabaseObtained connection successfully.
OracleDatabase: Using ddm admin user DDMAdministrator, testing if impersonating supported for: client user = DDMUser ;client catalog = null ;client path = null
OracleDatabase: Using ddm admin user DDMAdministrator, impersonating supported for: client user = DDMUser ;client catalog = null ;client path = null
Try and impersonate using: user=DDMUser and null catalog.
Starting to impersonate user: DDMUser -- Null catalog
Adding for execution SQL statement: ALTER SESSION SET CURRENT_SCHEMA = DDMUser
Here are the 1 return codes after executing the statement list:-
0: Statement returned with number of rows: 0
Completed impersonation to user: DDMUser
Completed successfully impersonating user: DDMUser -- Null catalog
MaskingAction: Rewriting start to: SELECT "EMPLOYEES" . "EMPLOYEE_ID" , "EMPLOYEES" . "FIRST_NAME" , "EMPLOYEES" . "LAST_NAME" , "EMPLOYEES" . "EMAIL" , "EMPLOYEES" . "PHONE_NUMBER" , "EMPLOYEES" . "HIRE_DATE" , "EMPLOYEES" . "JOB_ID" , "EMPLOYEES" . "SALARY" , "EMPLOYEES" . "COMMISSION_PCT" , "EMPLOYEES" . "MANAGER_ID" , "EMPLOYEES" . "DEPARTMENT_ID" FROM HR . EMPLOYEES
Replace Using MaskingRule
Original Statement: SELECT * FROM HR.EMPLOYEES
Replaced by: SELECT substr("EMPLOYEES"."EMPLOYEE_ID",1,2) "EMPLOYEE_ID" , substr("EMPLOYEES"."FIRST_NAME",1,2) "FIRST_NAME" , substr("EMPLOYEES"."LAST_NAME",1,2) "LAST_NAME" , substr("EMPLOYEES"."EMAIL",1,2) "EMAIL" , substr("EMPLOYEES"."PHONE_NUMBER",1,2) "PHONE_NUMBER" , substr("EMPLOYEES"."HIRE_DATE",1,2) "HIRE_DATE" , substr("EMPLOYEES"."JOB_ID",1,2) "JOB_ID" , substr("EMPLOYEES"."SALARY",1,2) "SALARY" , substr("EMPLOYEES"."COMMISSION_PCT",1,2) "COMMISSION_PCT" , substr("EMPLOYEES"."MANAGER_ID",1,2) "MANAGER_ID" , substr("EMPLOYEES"."DEPARTMENT_ID",1,2) "DEPARTMENT_ID" FROM HR . EMPLOYEES
Done by ClientInfo:[User=null, Host=null, application=null] - DDMUser
FolderAction: rule matched: true
FolderAction: rule applied: true
DNRStatementProcessor.getStatementHandler: rule match: [] on: SELECT * FROM HR.EMPLOYEES
-------------------------------------------------------------
Original statement: SELECT * FROM HR.EMPLOYEES
Replaced by: SELECT substr("EMPLOYEES"."EMPLOYEE_ID",1,2) "EMPLOYEE_ID" , substr("EMPLOYEES"."FIRST_NAME",1,2) "FIRST_NAME" , substr("EMPLOYEES"."LAST_NAME",1,2) "LAST_NAME" , substr("EMPLOYEES"."EMAIL",1,2) "EMAIL" , substr("EMPLOYEES"."PHONE_NUMBER",1,2) "PHONE_NUMBER" , substr("EMPLOYEES"."HIRE_DATE",1,2) "HIRE_DATE" , substr("EMPLOYEES"."JOB_ID",1,2) "JOB_ID" , substr("EMPLOYEES"."SALARY",1,2) "SALARY" , substr("EMPLOYEES"."COMMISSION_PCT",1,2) "COMMISSION_PCT" , substr("EMPLOYEES"."MANAGER_ID",1,2) "MANAGER_ID" , substr("EMPLOYEES"."DEPARTMENT_ID",1,2) "DEPARTMENT_ID" FROM HR . EMPLOYEES
You view the log output to verify that you defined the rule correctly. You can save the Security Rule Set Simulator parameters and log output to a file. You can load the saved parameters and log output to a new instance of the Security Rule Set Simulator.
The log output shows that you created the rule properly. You exit the Security Rule Set Simulator and save the rule.
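Reading the "Original statement" / "Replaced by" pair by eye works for one table, but a rule set that covers many tables is easier to check mechanically. The script below is an added example, not Informatica code: it parses the statement pairs out of saved simulator log text (the one-line and two-line layouts shown above), splits the rewritten projection list, and reports any column alias whose expression is not wrapped in the masking function. The log samples are constructed for the example and abridged to a few columns; the second one deliberately leaves SALARY unmasked, and a rewritten statement that is still SELECT * reports "*" (the rule did not fire).

```python
import re

# Constructed sample logs (same shape as the page's simulator output).
CLEAN_LOG = """\
Original statement: SELECT * FROM HR.EMPLOYEES
Replaced by: SELECT substr("EMPLOYEES"."EMPLOYEE_ID",1,2) "EMPLOYEE_ID" , substr("EMPLOYEES"."LAST_NAME",1,2) "LAST_NAME" , substr("EMPLOYEES"."SALARY",1,2) "SALARY" FROM HR . EMPLOYEES
"""
# Constructed failure case: SALARY is projected without the masking function.
LEAKY_LOG = """\
Replace Using MaskingRule Original Statement: SELECT * FROM HR.EMPLOYEES Replaced by: SELECT substr("EMPLOYEES"."EMPLOYEE_ID",1,2) "EMPLOYEE_ID" , "EMPLOYEES"."SALARY" "SALARY" FROM HR . EMPLOYEES Done by ClientInfo:[User=null, Host=null, application=null] - DDMUser
"""

# The simulator prints the pair on one line or on two; both forms are matched.
PAIR_RE = re.compile(
    r"Original statement:\s*(?P<orig>.+?)\s*Replaced by:\s*(?P<repl>.+?)"
    r"\s*(?=Done by|-{5,}|Original statement:|$)",
    re.I | re.S,
)
MASK_FUNCS = ("substr",)  # masking functions the rule is expected to apply

def select_items(sql):
    """Split a SELECT projection into its top-level comma-separated items."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\s", sql, re.I | re.S)
    if not m:
        return []
    items, cur, depth = [], [], 0
    for ch in m.group(1):
        depth += (ch == "(") - (ch == ")")  # commas inside substr(...) stay
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return [i for i in items if i]

def unmasked_columns(replaced_sql, mask_funcs=MASK_FUNCS):
    """Aliases of projection items not wrapped in a known masking function."""
    fn = re.compile(r"(?:%s)\s*\(" % "|".join(mask_funcs), re.I)
    bad = []
    for item in select_items(replaced_sql):
        expr, _, alias = item.rpartition(" ")  # expression, then its alias
        if not fn.match(expr.strip()):
            bad.append(alias.strip('"'))  # "*" means no rewrite happened
    return bad

def audit_log(log_text, mask_funcs=MASK_FUNCS):
    """One result per statement pair: which projected columns escaped masking."""
    return [{"original": m["orig"], "unmasked": unmasked_columns(m["repl"], mask_funcs)}
            for m in PAIR_RE.finditer(log_text)]
```

Run audit_log over a saved simulator log; an empty "unmasked" list for every pair is the result you expect before you save the rule.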