Inline Masking and Subsetting Scenarios

The scenarios described below assume that an Application Data Model (ADM) exists for a production (or test) database in which sensitive column details are captured. The steps outlined are at a high level. See "Masking with an Application Data Model and Workloads" for details on creating a masking definition; see "Creating a Data Subset Definition" for details on creating and editing a subset definition.

Consider the following scenarios:

Mask and Export Production Data

As the Security Administrator, you want to create copies of the production database by exporting the data with masked values; that is, the export dump will have only masked values and no sensitive data.

  1. Create a masking definition. Implies the following:

    1. Select an appropriate ADM.

    2. Search and select sensitive columns (includes dependent columns and recommended masking formats).

    3. Review suggested formats and edit as necessary.

    4. Save the results.

  2. Create a subset definition. Implies the following:

    1. Select an appropriate ADM.

    2. Submit the create subset job.

  3. Edit the subset definition.

    On the Data Masking tab, search for and select masking definitions. System validation checks for overlapping columns that use multiple masking definitions.

  4. Generate the subset using the Export option.

Summarizing the outcome:

  • Generates and executes a script to create a mapping table and a mapping function. Also creates a table to map the column(s) to the respective mapping function.

  • Copies subsetting and masking scripts to the target database.

  • Generates an export dump of production data, replacing sensitive data with masked values using the mapping function.

Mask and Delete Operation on a Test Database

As the Security Administrator, you want to create a usable test database by masking sensitive information. The resulting database will have only masked values and no sensitive data.

  1. Create a masking definition on a cloned database. Implies the following:

    1. Select an appropriate ADM.

    2. Search and select sensitive columns (includes dependent columns and recommended masking formats).

    3. Review suggested formats and edit as necessary.

    4. Save.

  2. Create a subset definition. Implies the following:

    1. Select an appropriate ADM.

    2. Submit the create subset job.

  3. Edit the subset definition.

    On the Data Masking tab, search and select masking definitions. System validation checks for overlapping columns that use multiple masking definitions.

  4. Generate the subset using the In-Place Delete option.

Summarizing the outcome:

  • Copies subsetting and masking scripts to the target database.

  • Performs data subsetting based on subset rules, if specified.

  • Sequentially executes the pregenerated data masking scripts on the target database.

  • Creates a masked copy of the production database for use in testing.

Mask Sensitive Data and Export a Subset of a Production Database

As the Security Administrator, you want to create copies of the production database by exporting a subset of production data with masked values.

  1. Create a masking definition. Implies the following:

    1. Select an appropriate ADM.

    2. Search and select sensitive columns (includes dependent columns and recommended masking formats).

    3. Review suggested formats and edit as necessary.

    4. Save.

  2. Create a subset definition. Implies the following:

    1. Select an appropriate ADM.

    2. Submit the create subset job.

  3. Edit the subset definition.

    1. Define table rules, resulting in space estimates.

    2. On the Data Masking tab, search and select masking definitions. System validation checks for overlapping columns that use multiple masking definitions.

  4. Generate the subset using the Export option.

Summarizing the outcome:

  • Generates and executes a script to create a mapping table and a mapping function. Also creates a table to map the column(s) to the respective mapping function.

  • Copies subsetting and masking scripts to the target database.

  • Generates an export dump of production data, replacing sensitive data with masked values using the mapping function.

Perform Subset, Mask, and Delete Operations on a Test Database

As the Security Administrator, you want to create a usable test database by masking sensitive information. On import, the database will have only masked values and no sensitive data.

  1. Create a masking definition. Implies the following:

    1. Select an appropriate ADM.

    2. Search and select sensitive columns (includes dependent columns and recommended masking formats).

    3. Review suggested formats and edit as necessary.

    4. Save.

  2. Create a subset definition. Implies the following:

    1. Select an appropriate ADM.

    2. Submit the create subset job.

  3. Edit the subset definition.

    1. Define table rules, resulting in space estimates.

    2. On the Data Masking tab, search and select masking definitions. System validation checks for overlapping columns that use multiple masking definitions.

  4. Generate the subset using the In-Place Delete option.

Summarizing the outcome:

  • Copies subsetting and masking scripts to the target database.

  • Performs data subsetting based on subset rules, if specified.

  • Following subset completion, sequentially executes the pregenerated data masking scripts on the target database.

  • Applies masking definitions and subsetting rules, resulting in a masked database of reduced size.

Apply Column Rules

As the Security Administrator, you want to create a targeted subset by selecting large-sized columns and setting them to null or a fixed value. Table rules can also be used to further reduce database size. Impact of size reduction is immediately visible and applied to the final subset.

  1. Create a subset definition. Implies the following:

    1. Select an appropriate ADM.

    2. Submit the create subset job.

  2. Edit the subset definition.

    1. Click the Table Rules tab and select from existing options, if desired.

    2. Click the Column Rules tab, then click Create.

    3. Specify filtering criteria to search for large-sized columns and select the desired columns in the results table.

    4. Click Manage Masking Formats and select a format from the drop-down list. Enter a value if appropriate to the selection.

    5. Click OK and review the updated space estimates.

  3. Generate the subset, using either the Export or In-Place Delete option.

Summarizing the outcome:

  • Generates an export dump/subset of production data.

  • Column rules are applied on the target database.

  • If table rules were also applied, the resulting subset reflects the combined effect of table and column rules.

Export a Subset Definition That Uses Inline Masking

As the Security Administrator, you want to export a subset definition for reuse.

  1. Create a subset definition. Implies the following:

    1. Select an appropriate ADM.

    2. Submit the create subset job.

  2. Edit the subset definition.

    1. Create rules to compute space estimates.

    2. On the Data Masking tab, search and select masking definitions. System validation checks for overlapping columns that use multiple masking definitions.

  3. Select the subset definition on the Subset home page and export it.

The subset definition is saved on the client machine as an XML file that potentially contains the following:

  • Information on selected applications

  • Rules and rule parameters

  • Selected masking definitions

  • Columns to set to null

  • Pre- and post-scripts

Had column rules been used, they would replace the masking definitions in the list.

Import a Subset Definition That Uses Inline Masking

As the Security Administrator, you want to import a subset definition XML file to create replicas of the subset definition previously exported.

  1. Import a subset definition.

  2. Select an exported XML template that contains exported masking definitions. System validation:

    • Checks for overlapping columns that use multiple masking definitions.

    • Ensures that the masking definition specified is part of the same ADM as the current subset model.

  3. Submit the job to create the subset model.

Summarizing the outcome:

  • Creates a subset definition model

  • Applies specified rules and calculates space estimates

  • Remembers masking definitions that were part of the XML

Import a Subset Dump

As the Security Administrator, you want to import a subset dump, which might contain either or both of the following:

  • A masked version of a production database

  • A subset version of a production database

Note that this example assumes a previous export dump.

  1. On the subset home page, select Import Subset Dump from the Actions menu.

  2. Provide credentials, a dump name, and select the dump location.

  3. Provide the import type, tablespace options, and log file location details.

  4. Schedule the job and submit.

The job reads the dump files and loads the data into the selected target database.

Save Subset Script Bundle

As the Security Administrator, you want to save a subset script bundle so that it can be executed on a target database external to Enterprise Manager.

This example presupposes the existence of a subset model that has required table rules and masking definitions.

  1. On the subset home page, from the Actions menu, select Generate, then select Subset.

  2. Complete the mode page as follows:

    1. Indicate the method of subset creation.

    2. Specify which credentials to use.

    3. Provide rule parameters as appropriate.

    4. Click Continue.

  3. Complete the parameters page as follows:

    1. Select the location where to save the subset export.

    2. If the subset is to be stored externally, click the check box and select the location.

    3. Specify an export file name. Note that you can use the % wildcard.

    4. Specify the maximum file size and number of threads.

    5. Indicate whether to generate a log file and specify a log file name.

    6. Click Continue.

  4. Note the progress of the script file generation. When complete, click Download.

  5. Specify where to save the SubsetBundle.zip file.