The Symbol matcher uses global variables to identify a match. A global variable has a name and a value. Global variables are case sensitive and have an assigned value for the database session. The database management system provides most of the values and there might be discrepancies between database versions of the same type.
For example, the Symbol matcher can identify a connection initiated by the database administration team. To identify team members that are not Dynamic Data Masking administrators and set a matching action that blocks access to the requested data, use the global variable AUTH_USERNAME. When the Rule Engine encounters the symbol, it blocks access to the data.
You can reference a global variable by placing the global variable name in parentheses preceded by a backslash. For example, \(AUTH_USERNAME) is replaced with the database username.
The availability of a global variable is dependent on the database type. Use the Client Info entry in the rule.log file to identify global variable values.
You can use the following global variables:
Defines the current database.
You can use AUTH_CURRENT_DATABASE on Sybase, IBM DB2, Informix, Teradata, and Microsoft SQL Server.
Defines the Dynamic Data Masking database name that you define in the Management Console.
You can use AUTH_DATABASE_NAME on Oracle, IBM DB2, Sybase, Informix, Data Vault, Teradata, and Microsoft SQL Server.
The driver class name that the Generic JDBC client instruments at runtime.
You can use AUTH_DRIVER_CLASS with the DDM for JDBC service.
The JDBC driver name.
You can use AUTH_DRIVER_NAME with the DDM for JDBC service.
Defines whether the user is connected to the database with a password. If the user is connected to the database with a password, the value is FALSE. If the user is connected to the database without a password, the value is TRUE.
You can use AUTH_EXTERNAL_AUTHENTICATION on Informix.
Defines the client host name and is not dependent on the client.
You can use AUTH_MACHINE on Oracle, Sybase, IBM DB2, Data Vault, and Microsoft SQL Server.
Defines the program name.
You can use AUTH_PROGRAM_NM on Oracle, IBM DB2, Sybase, Microsoft SQL Server, and Teradata.
Defines the session serial number.
You can use AUTH_SERIAL_NUM on Oracle.
Defines the session ID configured for Dynamic Data Masking.
You can use AUTH_SESSION_ID on Oracle, Microsoft SQL Server, and Teradata.
Defines the client user name.
You can use AUTH_SID on Oracle and Teradata.
Defines the client host name and is dependent on the client. For example, if you use SQL Developer to connect to an Oracle database, AUTH_MACHINE contains the client host name, but AUTH_TERMINAL does not contain the client host name.
You can use AUTH_TERMINAL on Oracle.
Defines the database user name.
You can use AUTH_USERNAME on Oracle, IBM DB2, Sybase, Informix, Microsoft SQL Server, Data Vault, and Teradata.
Defines the IP address of the client machine.
You can use CLIENT_IP on Oracle, Sybase, Microsoft SQL Server, DB2, Informix, Teradata, Data Vault, and Hive databases.
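The following added example is not Informatica code. It is a pre-deployment check that finds \(NAME) references in rule text and reports any that are misspelled (names are case sensitive) or not listed above for the target database type, so that a blocking or masking rule does not depend on a variable the session never supplies. The function names, the sample values, and the choice to leave unresolved references untouched in `expand` are assumptions of this sketch.

```python
import re

# Availability per database type, transcribed from the list above
# ("DB2" in the CLIENT_IP entry is written as "IBM DB2" here).
COMMON = {"Oracle", "IBM DB2", "Sybase", "Informix", "Microsoft SQL Server", "Data Vault", "Teradata"}
AVAILABILITY = {
    "AUTH_CURRENT_DATABASE": {"Sybase", "IBM DB2", "Informix", "Teradata", "Microsoft SQL Server"},
    "AUTH_DATABASE_NAME": COMMON,
    "AUTH_DRIVER_CLASS": {"DDM for JDBC"},
    "AUTH_DRIVER_NAME": {"DDM for JDBC"},
    "AUTH_EXTERNAL_AUTHENTICATION": {"Informix"},
    "AUTH_MACHINE": {"Oracle", "Sybase", "IBM DB2", "Data Vault", "Microsoft SQL Server"},
    "AUTH_PROGRAM_NM": {"Oracle", "IBM DB2", "Sybase", "Microsoft SQL Server", "Teradata"},
    "AUTH_SERIAL_NUM": {"Oracle"},
    "AUTH_SESSION_ID": {"Oracle", "Microsoft SQL Server", "Teradata"},
    "AUTH_SID": {"Oracle", "Teradata"},
    "AUTH_TERMINAL": {"Oracle"},
    "AUTH_USERNAME": COMMON,
    "CLIENT_IP": COMMON | {"Hive"},
}

# A reference is a backslash, then the variable name in parentheses.
REF = re.compile(r"\\\(([A-Za-z_][A-Za-z0-9_]*)\)")

def lint_references(text, db_type):
    # Return (name, problem) for every reference that cannot resolve on db_type.
    problems = []
    for name in REF.findall(text):
        if name not in AVAILABILITY:
            # Names are case sensitive: suggest the listed spelling if one exists.
            hint = next((k for k in AVAILABILITY if k.upper() == name.upper()), None)
            msg = f"unknown name, did you mean {hint}?" if hint else "unknown name"
            problems.append((name, msg))
        elif db_type not in AVAILABILITY[name]:
            problems.append((name, f"not available on {db_type}"))
    return problems

def expand(text, session):
    # Substitute each reference with the session value (assumption of this
    # sketch: a reference with no value in the session is left as written).
    return REF.sub(lambda m: session.get(m.group(1), m.group(0)), text)
```

Run `lint_references` against each rule for every database type it is bound to, and compare the output of `expand` with the Client Info entry in rule.log for a real session.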