Table of Contents

Search

  1. Preface
  2. Introduction to Dynamic Data Masking
  3. Rules
  4. Connection Rules
  5. Security Rules
  6. Security Rule Set Simulator
  7. Masking Functions
  8. XML Functions Reference
  9. Glossary

Symbol Matcher

Symbol Matcher

The Symbol matcher identifies and stores client and database variable values.
The Symbol matcher uses global variables to identify a match. A global variable has a name and a value. Global variables are case sensitive and have an assigned value for the database session. The database management system provides most of the values and there might be discrepancies between database versions of the same type.
For example, the Symbol matcher can identify a connection initiated by the database administration team. To identify team members that are not Dynamic Data Masking administrators and set a matching action that blocks access to the requested data, use the global variable AUTH_USERNAME. When the Rule Engine encounters the symbol, it blocks access to the data.
You can reference a global variable by placing the global variable in parentheses preceded with a backslash. For example, \(AUTH_USERNAME) is replaced with the database username.
The availability of a global variable is dependent on the database type. Use the Client Info entry in the rule.log file to identify global variable values.
You can use the following global variables:
AUTH_CURRENT_DATABASE
Defines the current database.
You can use AUTH_CURRENT_DATABASE on Sybase, IBM DB2, Informix, Teradata, and Microsoft SQL Server.
AUTH_DATABASE_NAME
Defines the Dynamic Data Masking database name that you define in the Management Console.
You can use AUTH_DATABASE_NAME on Oracle, IBM DB2, Sybase, Informix, Data Vault, Teradata, and Microsoft SQL Server.
AUTH_DRIVER_CLASS
The driver class name that the Generic JDBC client instruments at runtime.
You can use AUTH_DRIVER_CLASS with the DDM for JDBC service.
AUTH_DRIVER_NAME
The JDBC driver name.
You can use AUTH_DRIVER_NAME with the DDM for JDBC service.
AUTH_EXTERNAL_AUTHENTICATION
Defines whether the user is connected to the database with a password. If the user is connected to the database with a password, the value is FALSE. If the user is connected to the database without a password, the value is TRUE.
You can use AUTH_EXTERNAL_AUTHENTICATION on Informix.
AUTH_MACHINE
Defines the client host name and is not dependent on the client.
You can use AUTH_MACHINE on Oracle, Sybase, IBM DB2, Data Vault, and Microsoft SQL Server.
AUTH_PROGRAM_NM
Defines the program name.
You can use AUTH_PROGRAM_NM on Oracle, IBM DB2, Sybase, Microsoft SQL Server, and Teradata.
AUTH_SERIAL_NUM
Defines the session serial number.
You can use AUTH_SERIAL_NUM on Oracle.
AUTH_SESSION_ID
Defines the session ID configured for Dynamic Data Masking.
You can use AUTH_SESSION_ID on Oracle, Microsoft SQL Server, and Teradata.
AUTH_SID
Defines the client user name.
You can use AUTH_SID on Oracle and Teradata.
AUTH_TERMINAL
Defines the client host name and is dependent on the client. For example, if you use SQL Developer to connect to an Oracle database, AUTH_MACHINE contains the client host name, but AUTH_TERMINAL does not contain the client host name.
You can use AUTH_TERMINAL on Oracle.
AUTH_USERNAME
Defines the database user name.
You can use AUTH_USERNAME on Oracle, IBM DB2, Sybase, Informix, Microsoft SQL Server, Data Vault, and Teradata.
CLIENT_IP
Defines the IP address of the client machine.
You can use CLIENT_IP on Oracle, Sybase, Microsoft SQL Server, DB2, Informix, Teradata, Data Vault, and Hive databases.