Oracle Cloud Infrastructure Documentation

Create Data Masking Jobs

The Data Masking wizard guides you through the process of defining a masking policy for a sensitive data model and then masks the data on the database.

This task is divided into the following parts:

Part 1: Select a Target Database

This part gets you started by accessing the Data Masking wizard and selecting the target database that you want to mask.

  1. In the left pane, click Data Masking to launch the Data Masking wizard.
  2. (Optional) If you haven't granted the Data Masking role on your target database, do the following:
    1. If your target database is a DB system, click Download Privilege Script, download the datasafe_privileges.sql script to your local computer, and then run the script on your target database.
    2. If your target database is an Autonomous Database, run the DS_TARGET_UTIL PL/SQL package on your Autonomous Database.
  3. On the Select Target for Data Masking page, select the target database that you want to mask, and click Continue.
    You can select only one target database.
  4. If your target database is not listed, click Register and follow the steps to register a target database.
    The Select Masking Policy page is displayed.

Parent topic: Create Data Masking Jobs

Part 2: Define the Masking Policy and Sensitive Data Model

This part walks you through how to configure the Select Masking Policy page. This page provides options to create, upload, and reuse masking policies and sensitive data models. Decide on one of the following options.

Parent topic: Create Data Masking Jobs

Option 1: Create a Masking Policy and Sensitive Data Model

This option is an all-in-one workflow where you configure a data discovery job and a data masking job.

  1. Make sure you are on the Select Masking Policy page.
  2. For Masking Policy, leave Create selected.
  3. Leave the default masking policy name as is or enter your own.
  4. For Sensitive Data Model, leave Create selected.
  5. Leave the default sensitive data model name as is or enter your own.
  6. If you want to retrieve sample data for sensitive columns during data discovery, move the Show and save sample data slider to the right.
  7. Select the compartment to which you want the new masking policy and new sensitive data model to belong.
  8. Click Continue.
    The Select Target for Sensitive Data Discovery page is displayed.
  9. Select the target database on which you want to discover sensitive data, and click Continue.
    The Select Schemas for Sensitive Data Discovery page is displayed.
  10. Select one or more schemas, and click Continue.
    The Select Sensitive Types for Sensitive Data Discovery page is displayed.
  11. Select the sensitive types and/or sensitive categories that you want to discover.
  12. (Optional) Select Use non-dictionary referential relationships for sensitive column discovery.
  13. Click Continue to run the data discovery job.
  14. When the job is completed and the status reads FINISHED, click Continue.
  15. If you opted to search for non-dictionary referential relationships, the Non-Dictionary Referential Relationships page is displayed. Review the sensitive columns, deselect the columns that you do not want to include in the sensitive data model, and click Save and Continue.
    The Sensitive Data Discovery Result page is displayed.
  16. Continue to Part 3.

Option 2: Create a Masking Policy with a Sensitive Data Model from the Library

You can create a masking policy that reuses an existing sensitive data model from the Library. Use this approach if you have already discovered sensitive data on your target database.

  1. Make sure you are on the Select Masking Policy page.
  2. For Masking Policy, leave Create selected.
  3. Leave the default masking policy name as is, or enter your own.
  4. For Sensitive Data Model, select Pick from Library.
  5. Select the compartment to which you want the new masking policy to belong.
  6. Click Continue.
  7. On the Select Sensitive Data Model page, do the following:
    1. Select a sensitive data model.
    2. Select Update the SDM with the target, Verify if SDM is compatible with the target, or View SDM without update/verification.
    3. Click Continue.
  8. If you chose to verify your sensitive data model:
    1. When the job is completed, verify that the Detail column reads Data model verification job finished successfully, and click Continue.
    2. On the Data Model Verification Result page, review the differences between your sensitive data model and the target database that you want to mask.
    3. If there are differences, make note of them, and then either exit the wizard or click Back and choose to update the sensitive data model instead.
    4. If there are no differences between your sensitive data model and the target database that you want to mask, click Continue.
  9. If you chose to update your Library sensitive data model:
    1. Wait for the sensitive data model to update.
    2. When the Status reads FINISHED, click Continue.
  10. If you chose to view the SDM without updating or verifying it, continue to Part 3.

Option 3: Create a Masking Policy with an Uploaded Sensitive Data Model

Use this option if the sensitive data model that you want to use for your masking policy is in XML file format. The following steps include uploading the sensitive data model into the Library.

  1. For Masking Policy, leave Create selected.
  2. Leave the default masking policy name as is, or enter your own.
  3. For Sensitive Data Model, click Upload.
  4. Leave the default sensitive data model name as is or enter your own name.
  5. Click Choose File, select your sensitive data model file, and click Open.
  6. Select the compartment to which you want the new masking policy to belong.
  7. Click Continue.
    The sensitive data model is uploaded into the Library and automatically verified against the selected target database.
  8. Click Continue.
  9. Continue to Part 3.

Option 4: Reuse a Masking Policy from the Library

Use this option if you already have a masking policy in the Library that you want to reuse for the selected target database.

  1. On the Select Masking Policy page, for Masking Policy, select Pick from Library.
  2. Click Continue.
    The Select Masking Policy page is displayed.
  3. Select a masking policy and click Save and Continue.
    The Masking Policy page is displayed.
  4. Continue to Part 4.

Option 5: Upload a Masking Policy and Sensitive Data Model

You can reuse an existing file-based sensitive data model and/or masking policy. This approach uploads your file(s) into the Library. To avoid waiting for large files to upload, Oracle recommends that you upload your files separately, beginning with the sensitive data model file. You can use the Data Discovery wizard or the Data Masking wizard to upload a sensitive data model file. During the upload, you can exit either wizard to continue with other work. From the Jobs page, you can verify that the upload has completed.

TIP: If you use the Data Masking wizard to upload your sensitive data model file, you need to choose the Upload (separate files for Masking Policy and SDM) option on the Select Masking Policy page. Select both your sensitive data model file and your masking policy file; however, during the upload, exit the wizard and only your sensitive data model will upload. After your sensitive data model has uploaded, return to the Data Masking wizard and select the Upload (file does not include SDM) option to upload your masking policy file. Also select the sensitive data model that you just imported into the Library. During the masking policy upload, you can exit the wizard and return to it later after the upload has completed. With your sensitive data model and masking policy now uploaded into the Library, start a new data masking job and select your masking policy from the Library.

  1. On the Select Masking Policy page, for Masking Policy, select Upload (file includes an SDM) or Upload (separate files for Masking Policy and SDM).
  2. Click Browse for the masking policy file and sensitive data model file (if needed), select your files, and click Open.
  3. Leave the default masking policy name and sensitive data model name as is or enter new names.
  4. Select the compartment to which you want the new masking policy and sensitive data model to belong.
  5. Click Continue.
    The masking policy and sensitive data model are uploaded into the Library and the sensitive data model is verified against the target database that you want to mask. The Data Model Verification Result page is displayed.
  6. If there are differences between the sensitive data model and the target database that you want to mask, exit the wizard and update the sensitive data model. Otherwise, click Continue.
    The Sensitive Data Model page is displayed.
  7. Continue to Part 3.

Option 6: Upload a Masking Policy and Select a Sensitive Data Model from the Library

With this option, you can upload a file-based masking policy and select a sensitive data model from the Libary.

  1. On the Select Masking Policy page, for Masking Policy, select Upload (file does not include SDM).
  2. Click Browse for the masking policy file, select your file, and then click Open.
  3. Leave the default masking policy name as is or enter a new name.
  4. Select the compartment to which you want the new masking policy to belong.
  5. Notice that for Sensitive Data Model, Pick from Library is automatically selected.
  6. Click Continue.
  7. On the Select Sensitive Data Model page, select a sensitive data model, and then click Continue.
    The Sensitive Data Model page is displayed.
  8. Continue to Part 3.

Part 3: Review the Sensitive Data Model

This part walks you through the Sensitive Data Model page (or Sensitive Data Discovery Result page), where you can review the sensitive data model and add and remove sensitive columns as needed.

  1. On the Sensitive Data Model page (or Sensitive Data Discovery Result page), move the Expand All slider to the right to review the list of sensitive columns.
  2. (Optional) In the drop-down list, select Category View or Schema View.
  3. (Optional) Deselect the sensitive categories, sensitive types, and/or sensitive columns that you do not want to include in your sensitive data model.
  4. (Optional) Add sensitive columns:
    1. Click Add to add new sensitive columns.
      The Add Sensitive Columns dialog box is displayed.
    2. In the dialog box, select one or more columns from the schemas.
    3. Select a sensitive type that describes the selected columns.
    4. Click Add to Result.
  5. To continue to data masking, click Save and Continue.
    The Masking Policy page is displayed.
  6. To save and view the Data Discovery report before continuing to data masking, do the following:
    1. Click Save and View Report.
    2. Review the report.
    3. Click Continue.
    The Masking Policy page is displayed.
  7. Continue to Part 4.

Parent topic: Create Data Masking Jobs

Part 4: Configure the Masking Formats

This part walks you through the Masking Policy page where you configure a masking format for the sensitive columns in your sensitive data model.

  1. (Optional) On the Masking Policy page, move the Expand All slider to the right to show all the sensitive columns and their masking formats.
  2. Review the default masking formats configured for each sensitive column.
  3. If you do not want to mask a sensitive column, deselect it.
  4. To add sensitive columns to the sensitive data model, click Add, select columns, and click Add To Policy.
  5. To edit a masking format for a sensitive column, perform the following steps:
    1. Select a different masking format from the drop-down list or click the pencil icon.
      The Edit Format dialog box is displayed.
    2. To add a condition, move the Conditional Masking slider to the right, and then configure the condition. In the first field, enter the name of the column that you are masking or another column from the same table. In the drop-down list, select an operator. In the second field, enter a value. Below the condition, configure a masking format.
    3. To remove a condition, click Delete Condition.
    4. If your condition requires multiple masking formats, you can add another masking format by clicking Add Format. A new masking format template is added below the existing masking formats. Select a masking format from the drop-down list and configure its parameter values.
    5. To remove a masking format, click Delete Format next to the masking format that you want to remove.
      The masking format is immediately removed.
    6. Click Save.
  6. To configure group masking:
    1. Select Group Masking from the drop-down list for one of the sensitive columns that is part of the group.
      The Edit Format dialog box is displayed. By default, the Group Name field, Masking Format drop-down list, and the sensitive column is displayed. You can add and remove sensitive columns from the group.
    2. In the Group Name field, enter a new group name if this is the beginning of a group masking configuration. Or, select an existing group name if you want to add the sensitive column to an existing group masking configuration.
    3. From the Masking Format drop-down list, select the masking format that you want to apply to the sensitive columns in the group. You can select Shuffle, User Defined Function, Deterministic Substitution, or Random Substitution.
    4. If you selected Shuffle as the masking format in step 3, you can optionally enter "group by" column names.
    5. If you selected User Defined Function as the masking format in step 3, enter the name of the schema and function for each column listed. Optionally, you can also enter a package name.
    6. If you selected Deterministic Substitution as the masking format in step 3, enter the name of the substitution schema and table. Also, for each column listed, enter the name of the substitution column. Before you can submit the data masking job, you need to enter a seed value because you are configuring deterministic substitution.
    7. If you selected Random Substitution as the masking format in step 3, enter the name of the substitution schema and table. Also, for each column listed, enter the name of the substitution column. You do not need to enter a seed value before you submit the data masking job.
    8. To add another sensitive column to the group, click Add Column. You can repeat this step until all columns in the table are listed, after which point the Add Column button becomes unavailable. Make sure that the column you initially selected to configure in step 1 is listed.
    9. To remove a sensitive column from the group, select the check box for the sensitive column, and then click Remove Column.
    10. Click Save.
  7. If you have existing pre-masking or post-masking scripts that you want to upload, click Upload Pre/Post Masking Scripts.
  8. Click Confirm Policy to create the masking policy.
  9. Continue to Part 5.

Parent topic: Create Data Masking Jobs

Part 5: Schedule the Job

This part walks you through the Schedule the Masking Job page where you can choose to run the job immediately or schedule it for later.

  1. On the Schedule the Masking Job page, click Right Now or Later.
    If you choose to run the masking job later, specify the date and time at which it must be run.
  2. Click Review to verify the masking job details.
    The Review and Submit page is displayed.
  3. Click Submit to start the data masking job.
    You can monitor the status of a job, or suspend or abort the job from the Jobs page. If the data masking job fails, the masked tables are not restored.
  4. (Optional) Click Download Masking logs to download the log files for the data masking job.
  5. (Optional) Click Report to view the Data Masking report.
  6. (Optional) Click Exit to exit the wizard.
  7. To ensure that all of the sensitive data is successfully masked, review the masked data on your database.

Parent topic: Create Data Masking Jobs