Test Data Management and Access Rights

By default, Enterprise Manager Administrators can access the primary test data management (TDM) pages:

  • Application Data Models

  • Data Subset Definitions

  • Data Masking Definitions

  • Data Masking Formats

This is by virtue of having the TDM_ACCESS privilege, which is included in the PUBLIC role. The Super Administrator can revoke this privilege for designated administrators, thereby restricting access to the TDM pages. Without the privilege, the respective menu items do not appear in the Cloud Control console.

Additionally, Enterprise Manager provides a privilege access model that enables Super Administrators and administrators to limit access to TDM objects to authorized users only. The model involves the ability to grant Operator or Designer privileges to selected users.

Operator Privileges

Those granted Operator privileges can perform data masking and subsetting operations. Privileges can be granted on TDM objects; that is, on Application Data Models (ADM), data subsetting definitions, and data masking definitions. Operator privileges do not include the ability to edit or delete these objects.

  • ADM–a user (other than Super Administrator) with ADM Operator privileges can view an ADM but cannot edit or delete it, or view its properties. To enforce this, the Edit and Delete icons and the Properties menu are disabled. Additionally, the Sync option on the Create Verification Job page is disabled.

  • Data subset definition–a user (other than Super DSD Administrator) with Operator privileges can view but not edit or delete a subset definition. To enforce this, the Edit and Delete icons are disabled.

    A user with Data Subset Definition Operator privileges can perform any operation other than editing or deleting the data subset definition, and has the following rights:

    • View the data subset definition.

    • Create a data subset to export files.

    • Create a data subset on a database.

    • Save the subset script.

  • Data masking definition–a user with Data Masking Definition Operator privileges can perform any operation other than editing or deleting the data masking definition, and has the following rights:

    • View the data masking definition.

    • Generate a data masking script.

    • Schedule a data masking job.

    • Export a data masking definition.

Designer Privileges

Those granted Designer privileges can enhance, modify, and manage TDM objects. These users can also grant Operator and Designer privileges to other users and revoke them. Designer privileges imply the corresponding Operator privileges on a TDM object.

  • ADM–a user with Designer privileges can perform all operations on an ADM including delete.

  • Data subset definition–a user with Designer privileges can perform all operations on a subset definition including delete.

  • Data masking definition–a user with Designer privileges can perform all operations on a masking definition including delete.