Table of Contents

Search

  1. Preface
  2. Introduction to Dynamic Data Masking
  3. Rules
  4. Connection Rules
  5. Security Rules
  6. Security Rule Set Simulator
  7. Masking Functions
  8. Stored Procedure Result Set Masking
  9. Integration with Informatica Products
  10. Appendix A: XML Functions Reference
  11. Appendix B: Glossary

Reverse Masking Function

Reverse Masking Function

The reverse masking function rewrites the
WHERE
clause of masked request statements to return the actual value stored in the database.
You can use the reverse masking function to prevent requests that use masked data. For example, you send a request to the database for an account number and the database returns a masked value. You send another request to the database. The request references the masked account number and the database returns an error message. The reverse masking function replaces the masked
WHERE
clause with actual data and you do not receive an error message.

Reverse Masking Example

The following example shows how to create a reverse masking function. The reverse masking function uses the Search and Replace security rule action to replace the
WHERE
clause in a request statement.
To create reverse masking functions, use nested security rules. The top-level folder uses the Any matcher, the Folder action, and the Continue processing action.
Create two security rules. The first rule performs reverse masking. If the request statement does not match the criteria for the first rule, the Rule Engine applies the second rule. The second rule masks the account information.
In the top level folder, create a security rule called Unmask. The Unmask rule rewrites the
WHERE
clause with the reverse masked value by using regular expression. Configure the security rule to use the Any matcher and the Search and Replace rule action. In the Search Text field, enter
ACCOUNT\s*=\s*(\:\w+)
. Select the Regular Expression identification method. In the Replacement String field, enter
ACCOUNT = substr(\(1),1,6) || translate('3412', '1234', substr(\(1),7)) || subst.(\(1),11)
.
Select the Continue processing action so that the Rule Engine continues to the next rule in the rule tree.
In the top level folder, create a security rule called Account Masking. Select the Any matcher and the Mask rule action.
In the Table name field, enter
.*
for all tables. In the Column Name field, enter
ACCOUNT
. In the Masking Function field, enter
substr(\(col),1,6) || translate('1234', '3412', substr(\(col),7)) || substr(\(col),11)
.
Select the Stop if Applied processing action so that the Rule Engine does not continue to the next rule in the rule tree.