19.6 Masking with an Application Data Model and Workloads

Before creating a masking definition, note the following prerequisites and advisory information:

  • Ensure that you have the following minimum privileges for data masking:

    • EM_ALL_OPERATOR for Enterprise Manager Cloud Control users

    • SELECT_CATALOG_ROLE for database users

    • SELECT ANY DICTIONARY privilege for database users

    • EXECUTE privileges for the DBMS_CRYPTO package

  • Ensure the format you select does not violate check constraints and does not break any applications that use the data.

  • For triggers and PL/SQL packages, data masking recompiles the object.

  • Exercise caution when masking partitioned tables, especially if you are masking the partition key. In this circumstance, the row may move to another partition.

  • Data Masking does not support clustered tables, masking information in object tables, XML tables, and virtual columns. Relational tables are supported for masking.

  • If objects are layered on top of a table such as views, materialized views, and PL/SQL packages, they are recompiled to be valid.

If you plan to mask a test system intended for evaluating performance, the following practices are recommended:

  • Try to preserve the production statistics and SQL profiles after masking by adding a pre-masking script to export the SQL profiles and statistics to a temporary table, then restoring after masking completes.

  • Run a SQL Performance Analyzer evaluation to understand the masking impact on performance. Any performance changes other than what appears in the evaluation report are usually related to application-specific changes on the masked database.

To create a masking definition:

  1. From the Enterprise menu, select Quality Management, then Data Masking Definitions.

    The Data Masking Definitions page appears, where you can create and schedule new masking definitions and manage existing masking definitions.

  2. Click Create to go to the Create Masking Definition page.

    A masking definition includes information regarding table columns and the format for each column. You can choose which columns to mask, leaving the remaining columns intact.

  3. Provide a required Name, Application Data Model, and Reference Database.

    When you click the search icon and select an Application Data Model (ADM) name from the list, the system automatically populates the Reference Database field.

    • Optional: Check Ensure Workload Masking Compatibility if you want to mask Capture files and SQL Tuning Sets.

      When you enable this check box, the masking definition is evaluated to determine if the SQL Expression format or conditional masking is being used. If either is in use when you click OK, the option becomes unchecked and an error message appears asking you to remove these items before selecting this option.


      Before proceeding to the next step, one or more sensitive columns must already be defined in the Application Data Model. See "Managing Sensitive Column Types" for more information.

  4. Click Add to go to the Add Columns page, where you can choose which sensitive columns in the ADM you want to mask. See "Adding Columns for Masking" for information on adding columns.

    The results appear in the Columns table. Primary key and foreign key columns appear below the sensitive columns.

  5. Use filtering criteria to refine sensitive column results. For example, perhaps you want to isolate all columns that have order in the name (column name=order%). You first may have to expose the filter section (Show Filters).

  6. Use the disable feature to exclude certain columns from masking consideration. All columns are enabled by default. You can disable selected or all columns. You can also search for a subset of columns (column name=order%) to disable. The Status column on the right changes to reflect a column's disabled state. Note that a column's disabled state persists on export of a data masking definition.

  7. Optional. Click the edit icon in the Format column to review and edit the masking format.

  8. Expand Show Advanced Options and decide whether the selected default data masking options are satisfactory.

    For more information, see "Selecting Data Masking Advanced Options".

  9. Click OK to save your definition and return to the Data Masking Definitions page.

    At this point, super administrators can see each other's masking definitions.

  10. Select the definition and click Generate Script. The schedule job dialog opens. You may have to log in to the database first. For information on script generation, see "Scheduling a Script Generation Job".

    Complete the schedule job dialog by providing the required information, then click Submit.

  11. A message appears denoting that the job was submitted successfully and you return to the Data Masking Definitions page, where the status is "Generating Script." Click View Job Details to open the job summary page.

    When the job completes, click Log Report to check whether sufficient disk space is available for the operation, and to determine the impact on other destination objects, such as users, after masking. If any tables included in the masking definition have columns of data type LONG, a warning message may appear. For more information, see "Using Data Masking with LONG Columns".

  12. When the status on the Data Masking Definitions page is "Script Generated," select the script and choose from the following actions:

    • Clone Database–to clone and mask the database using the Clone Database wizard (this requires a Database Lifecycle Management Pack license). For more information, see "Cloning the Production Database".

    • Save Script–to save the entire PL/SQL script to your desktop.

    • Save Mask Bundle–to download a zip file containing the SQL files generated as part of the At source masking script generation option. You can then extract and execute the script to create a masked dump of the database.

    • View Script–to view the PL/SQL script, which you can edit and save. You can also view errors and warnings, if any, in the impact report.

    Click Go to execute the selected action.

  13. If you are already working with a test database and want to directly mask the data in this database, click Schedule Job. For information on masking a database, see "Scheduling a Data Masking Job".

    • Provide the requisite information and desired options. You can specify the database at execution time to any database. The system assumes that the database you select is a clone of the source database. By default, the source database from the ADM is selected.

    • Click Submit.

      The Data Masking Definitions page appears. The job has been submitted to Enterprise Manager and the masking process appears. The Status column on this page indicates the current stage of the process.

Note that you can also perform data masking at the source as part of a data subsetting definition. See "Creating a Data Subset Definition" for more information.

Editing a Data Masking Definition

Use the following procedure to edit or otherwise work with a masking definition:

  1. From the Data Masking Definitions page, click the radio button next to the definition you want to edit, then click Edit.

  2. Add columns or edit format entries as you would when creating a new definition, which is explained starting in Step 3 above.

  3. Click OK on the Edit Masking Definitions page when you have finished editing.

  4. Perform these other actions with an existing masking definition by choosing the respective menu item from the Actions menu:

    • Create Like–to display the masking definition in the Create Masking Definition page where you can customize the definition.

    • Grant Designer–to grant Designer privileges on the masking definition to selected roles or administrators, which means the grantees can view and edit the definition. Privileges granted can also be revoked.

    • Grant Operator–to grant Operator privileges on the masking definition to selected roles or administrators, which means the grantees can view and copy but not edit the definition. Privileges granted can also be revoked.

    • Export–to export the definition as an XML file for use in other repositories.

    Click Go to execute the selected action.