Pre-Masking Check

Prior to initiating a masking job, a pre-masking check must be run. The pre-masking check performs a number of checks on the selected target database to determine if it is properly configured for a masking job.

The pre-masking check performs the following checks:

Table 7-5 Pre-masking checks

| Check | Description |
| --- | --- |
| Database target user has been granted all required privileges | Check if the Data Safe service account on the target database has sufficient privileges to perform masking. For more information, see Grant Roles to the Oracle Data Safe Service Account on Your Target Database. |
| Maximum space required 65536 bytes. Tablespace DATA and the TEMP tablespace have the required free space | Check whether the user's default tablespace and TEMP tablespace have sufficient free space for masking. Masking requires the TEMP tablespace to be at least twice the size of the largest table being masked, and the default tablespace to be at least three times its size. For more information, see Create an Oracle Data Safe Service Account on a Target Database. |
| No invalid objects found | Check if there are invalid dependent objects of the tables being masked. Masking involves dropping and recreating the existing tables being masked and their dependent objects. Masking might run into issues recreating the invalid objects. |
| Database/system level triggers | Check if there are database/system-level triggers. Masking involves dropping and recreating the existing tables being masked and their dependent objects, such as triggers. Masking users may not have the privileges to drop database/system-level triggers, so masking might run into errors. |
| Tables in the masking policy have statistics up-to-date | Check if the tables being masked have up-to-date statistics. Current statistics allow precise computation of space usage and other operations which rely on dictionary statistics. For more information, see GATHER_TABLE_STATS Procedure in the Oracle Database PL/SQL Packages and Types Reference guide. |
| Tables in the masking policy have no Oracle Label Security (OLS) policies | Check if the tables being masked have Oracle Label Security (OLS) policies applied. Masking drops security policies and users need to recreate these policies as a post-masking action. |
| Tables in the masking policy have no Virtual Private Database (VPD) policies | Check if the tables being masked have Virtual Private Database (VPD) policies applied. Masking drops security policies and users need to recreate these policies as a post-masking action. |
| No active masking jobs on target database | Check if there are active masking jobs on the target database. Masking does not allow concurrent masking jobs on the same target database. |
| Masking policy contains columns with the deterministic_encryption format with maximum column length less than 27 characters | Check if masking policy contains columns with the deterministic_encryption format having maximum column length greater than 27 characters. For more information, see Deterministic Encryption. |
| AUTOEXTEND is disabled for the undo tablespace, but there is still available space remaining | Check whether AUTOEXTEND is enabled on the undo tablespace. |
| Database has Database Vault (DV) disabled | When Database Vault is enabled on your database, this check ensures that the Data Safe user has all the necessary privileges to use the Data Masking feature. Additional privileges are required to mask objects if they are Database Vault Enabled. For more information, see Grant Roles to the Oracle Data Safe Service on an Autonomous Database. |

If any of the above checks fail, it is recommended to perform the remediation actions listed in the pre-masking report. Once the issues have been remediated, perform the pre-masking check again to determine if the database is properly configured for the masking job. Once all of the checks have passed, you can perform a masking job.
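
Several of these conditions can be inspected by hand from the data dictionary before submitting the check. The queries below are an added example that approximates them; they are not Oracle Data Safe's own implementation. The table names HR.EMPLOYEES and HR.JOBS, the default tablespace DATA, and reading the sizing rule as a comparison against current free space are assumptions. The VPD query also gives a record of the policies that masking will drop, so they can be recreated afterwards.

```sql
-- Added example, not Oracle's implementation. Assumptions: the policy masks HR.EMPLOYEES
-- and HR.JOBS (hypothetical), default tablespace is DATA, session can read DBA_* views.

-- Invalid objects that depend on the tables being masked
SELECT o.owner, o.object_name, o.object_type
FROM   dba_dependencies d
JOIN   dba_objects o
  ON   o.owner = d.owner AND o.object_name = d.name AND o.object_type = d.type
WHERE  d.referenced_owner = 'HR'
AND    d.referenced_name IN ('EMPLOYEES', 'JOBS')
AND    d.referenced_type = 'TABLE'
AND    o.status = 'INVALID';

-- Database- and schema-level (system) triggers
SELECT owner, trigger_name, triggering_event, status
FROM   dba_triggers
WHERE  TRIM(base_object_type) IN ('DATABASE', 'SCHEMA');

-- Tables whose optimizer statistics are missing or stale
SELECT owner, table_name, last_analyzed, stale_stats
FROM   dba_tab_statistics
WHERE  owner = 'HR' AND table_name IN ('EMPLOYEES', 'JOBS')
AND    object_type = 'TABLE'
AND    (last_analyzed IS NULL OR stale_stats = 'YES');

-- VPD policies that masking will drop: keep this output to recreate them afterwards
SELECT p.object_owner, p.object_name, p.policy_group, p.policy_name,
       p.pf_owner, p.package, p.function, p.sel, p.ins, p.upd, p.del, p.enable
FROM   dba_policies p
WHERE  p.object_owner = 'HR' AND p.object_name IN ('EMPLOYEES', 'JOBS');

-- Free space against the sizing rule: TEMP >= 2x and default tablespace >= 3x
-- the largest table being masked (current free space only; AUTOEXTEND growth ignored)
WITH largest AS (
  SELECT MAX(tbl_bytes) AS bytes
  FROM  (SELECT SUM(bytes) AS tbl_bytes
         FROM   dba_segments
         WHERE  owner = 'HR' AND segment_name IN ('EMPLOYEES', 'JOBS')
         AND    segment_type LIKE 'TABLE%'
         GROUP  BY segment_name)
)
SELECT l.bytes AS largest_table_bytes,
       CASE WHEN t.free >= 2 * l.bytes THEN 'OK' ELSE 'LOW' END AS temp_check,
       CASE WHEN d.free >= 3 * l.bytes THEN 'OK' ELSE 'LOW' END AS data_check
FROM   largest l
CROSS JOIN (SELECT SUM(free_space) AS free FROM dba_temp_free_space
            WHERE tablespace_name = 'TEMP') t
CROSS JOIN (SELECT SUM(bytes) AS free FROM dba_free_space
            WHERE tablespace_name = 'DATA') d;
```

Any rows returned by the first three queries, or a LOW result in the last one, point to a condition the pre-masking report is likely to flag.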

Performing a Pre-masking Check

Prior to initiating a masking job, you must perform a pre-masking check to determine if the database is properly configured for the masking job. If the pre-masking check produces any failures then you should perform the remediation recommendations.

  1. Under Security center, click Data masking.
  2. Click Pre-masking check.

    The Pre-masking check window is displayed.

  3. Select a target database. If needed, click Change compartment and browse to and select a different compartment.
  4. Select a masking policy. If needed, click Change compartment and browse to and select a different compartment.
  5. (Optional) Enter the tablespace that you want to use for masking if it is different from the default tablespace of the Data Safe service account.
  6. Click Submit.
  7. Wait for the pre-masking check to finish. Perform any remediation actions and ensure all checks pass prior to initiating a masking job. This may require running an additional pre-masking check.

    Note:

    Though it is not recommended, a masking job can be performed even if there are invalid objects.

View a Pre-masking Check Report

After performing a pre-masking check, view the report to determine whether the checks passed or failed. If the pre-masking check produces any failures then you should perform the remediation recommendations.

  1. Under Security center, click Data masking.
  2. Under Related resources, click Pre-masking reports.
  3. (Optional) Under List scope, select the compartment that contains your target database. Optionally select Include child compartments to include target databases from child compartments in the list.
  4. (Optional) Under Filters, narrow down the scope of reports by selecting a Policy name, Target database, or entering a Report name.
  5. From the list of reports, select the one you want to view.