Data Masking

Introduction

The Oracle Data Masking and Subsetting Pack is an Enterprise Manager cost option

The pack incorporates the previous Data Masking and Test Data Management Pack

Data Masking is designed to mask regulated or confidential data in test or development systems.

A data mask must be associated with an application data model

Data masks can only be defined for columns marked as sensitive in the application data model

EMCLI Commands

To list masking definitions that are currently defined in the Management Repository use:

$OMS_HOME/bin/emcli list_masking_definitions
DEFINITION           APPLICATION DATA MODEL  TARGET     STATUS
MASKING_DEFINITION1  ADM1                    DB1        Masking Job Succeeded
MASKING_DEFINITION2  ADM2                    DB3        Masking Job Succeeded
MASKING_DEFINITION3  ADM1                    DB2        Script Generated
MASKING_DEFINITION4  ADM3                    DB1        Script Generated

To export a masking definition use export_masking_definition. For example:

$OMS_HOME/bin/emcli export_masking_definition \
-definition_name="MASKING_DEFINITION2" -path=`pwd` 
Export masking definition completed successfully

The above command creates a file with a system-generated name in the current working directory. For example masking_def201505271433.xml

To specify an output file name use the -file option. For example:

$OMS_HOME/bin/emcli export_masking_definition \
-definition_name="MASKING_DEFINITION2" -file=/tmp/MASKING_DEFINITION2.xml
Export masking definition completed successfully

To import a masking definition, use import_masking_definition. For example:

$OMS_HOME/bin/emcli import_masking_definition \
-file=/tmp/MASKING_DEFINITION3.xml -definition_name="MASKING_DEFINITION3"
Import masking definition completed successfully

To generate a masking script use generate_masking_script. For example:

$OMS_HOME/bin/emcli generate_masking_script \
-definition_name="MASKING_DEFINITION2" -credential_name=SYS
Data masking script generation completed successfully.

Masking Formats

The following table shows masking formats available for common data types:

FormatVARCHAR2NUMBERDATE
Array ListYesYesYes
DeleteYesYesYes
EncryptYesYesYes
Fixed NumberYesYesNo
Fixed StringYesNoNo
Null ValueYesYesYes
Post-Processing FunctionYesYesYes
Preserve Original DataYesYesYes
Random DatesNoNoYes
Random Decimal NumbersYesYesNo
Random DigitsYesNoNo
Random NumbersYesYesNo
Random StringsYesNoNo
Regular ExpressionYesNoNo
ShuffleYesYesYes
SQL ExpressionYesYesYes
SubstituteYesYesYes
SubstringYesNoNo
Table ColumnYesYesYes
TruncateYesYesYes
User Defined FunctionYesYesYes

Repository Tables

The following repository tables are used by data masking:

MGMT_DM_SCOPESPECS

Contains one row for each data masking definition

Column Name Data Type Notes
SS_GUIDRAW(16) 
SS_OWNERVARCHAR2(256) 
SS_NAMEVARCHAR2(40) 
DDRM_IDNUMBER 
SOURCE_IDRAW(16) 
SOURCE_NAMEVARCHAR2(256) 
DESCRIPTIONVARCHAR2(2000) 
MODIFY_DATEDATE 
SCRIPT_DATEDATE 
DISABLE_LOGSVARCHAR2(1) 
REFRESH_STATSVARCHAR2(1) 
DROP_TEMP_TABLESVARCHAR2(1) 
PARALLEL_DEGREEVARCHAR2(10) 
DM_FLAGSNUMBER 
POST_MASK_SCRIPTCLOB 
FULL_SCRIPTCLOB 
PRE_MASK_SCRIPTCLOB 
RAT_COMPATIBLEVARCHAR2(1) 
ENSURE_RAT_COMPATIBLEVARCHAR2(1) 
DSD_IDNUMBER 
INLINE_MASKCLOB 
GRAPH_DATACLOB 
SUBSET_PARAMSCLOB 

SS_NAME is data masking definition name

SS_OWNER is EM owner e.g. SYSMAN

Primary key based on MGMT_DM_SCOPESPECS_PK (SS_GUID)

Unique index based on MGMT_DM_SCOPESPECS_UC (SS_OWNER,SS_NAME)

MGMT_DM_SS_COLUMNS

Contains one row for each column in each data masking definition

Column Name Data Type Notes
SS_GUIDRAW(16) 
RULE_GUIDRAW(16) 
TABLE_SCHEMAVARCHAR2(30) 
TABLE_NAMEVARCHAR2(128) 
COLUMN_NAMEVARCHAR2(128) 
COLUMN_GROUPVARCHAR2(30) 
SENSITIVE_TYPE_IDNUMBER 
ENABLENUMBER 

Primary key based on MGMT_DM_COLUMNS_PK (SS_GUID,TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME)

MGMT_DM_COLUMN_RULES

Contains multiple rows for each column in each data masking definition

Column Name Data Type Notes
SS_GUIDRAW(16) 
TABLE_SCHEMAVARCHAR2(30) 
TABLE_NAMEVARCHAR2(128) 
COLUMN_NAMEVARCHAR2(128) 
RULE_GUIDRAW(16) 

No primary key

Non-unique index MGMT_DM_COLUMN_RULES_IX1 (SS_GUID)

Non-unique index MGMT_DM_COLUMN_RULES_IX2 (RULE_GUID)

Non-unique index MGMT_DM_COLUMN_RULES_IX3 (TABLE_SCHEMA,TABLE_NAME,COLUMN_NAME)

MGMT_DM_RULETEMPLATES

Contains supplied and user-defined rule templates

Column Name Data Type Notes
RULE_GUIDRAW(16) 
RULE_OWNERVARCHAR2(256) 
SENSITIVE_TYPE_IDNUMBER 
RULE_NAMEVARCHAR2(40) 
DESCRIPTIONVARCHAR2(4000) 
OUTPUT_TYPENUMBER 
IS_LIBRARYNUMBER 
RULE_ORDERNUMBER 
RULE_CONDITIONVARCHAR2(4000) 

For user-defined rules RULE_NAME = RULE_GUID

Primary key index MGMT_DM_RULETEMPLATES_PK (RULE_GUID)

Unique index MGMT_DM_RULETEMPLATES_UC (RULE_OWNER,RULE_NAME)

MGMT_DM_RULEENTRY

Column Name Data Type Notes
RULE_GUIDRAW(16) 
ENTRY_ORDERNUMBER 
RULE_TYPEVARCHAR2(30) 
RULE_OPTIONVARCHAR2(2) 
RULE_LOWNUMBER 
RULE_HIGHNUMBER 
START_DATEDATE 
END_DATEDATE 
FIXED_STRINGVARCHAR2(4000) 
FIXED_NUMBERNUMBER 
TABLE_SCHEMAVARCHAR2(4000) 
TABLE_NAMEVARCHAR2(30) 
COLUMN_NAMEVARCHAR2(4000) 
UDF_NAMEVARCHAR2(512) 

Primary key is index MGMT_DM_RULEENTRY_PK (RULE_GUID,ENTRY_ORDER)