Create Sensitive Types and Categories

In Oracle Data Safe, you can create your own sensitive types, sensitive categories, and sensitive type groups.

Create a Sensitive Type

When creating a sensitive type, you can provide one or more patterns (regular expressions) that should be used to discover sensitive columns. You can provide a column name pattern, column comment pattern, column data pattern, and a search type (AND/OR). Data Discovery performs case-insensitive pattern matching.

For a user-defined sensitive type, you can assign a default masking format, is used to mask the columns discovered using this sensitive type. When creating a user-defined sensitive type, you must assign it to a compartment.

  1. Under Data Safe - Database Security, select Data discovery.
  2. Under Data discovery, select Sensitive types.
  3. Select Create sensitive type/category.

    The Create sensitive type/category window is displayed.

  4. In the Name field, enter a name for your sensitive type.
  5. From the Compartment drop-down list, select the compartment in which you want to store the sensitive type.
  6. (Optional) Enter a brief description of your sensitive type.
  7. Select a different compartment if the Parent sensitive category you want to select is located in a different compartment.
  8. From the Parent sensitive category drop-down list, select the sensitive category to which you want your sensitive type to belong. You can choose a user-defined sensitive category as a parent category, but not a category used by predefined sensitive types.
  9. Leave the Sensitive type tile selected.
  10. (Optional) To use a predefined sensitive type as a starting point, select a predefined sensitive type from the Create like sensitive type drop-down list. If you want to select a user-defined sensitive type and it is located in a different compartment, click Create like sensitive type compartment, browse to and select the correct compartment. The compartment does not matter if you are selecting an Oracle predefined sensitive type.
  11. Configure one or more of the following patterns:
    • Column Name Pattern: Enter a regular expression that should be used to match column names.
    • Column Comment Pattern: Enter a regular expression that should be used to match column comments.
    • Column Data Pattern: Enter a regular expression that should be used to match column data.
  12. For Search Type, select AND or OR.
    • The AND operator means that all of the patterns must match for a candidate sensitive column.
    • The OR operator means that any of the patterns can match for a candidate sensitive column.
    • If the column doesn't include a comment, the column comment pattern matching is skipped. Similarly, if the column doesn’t contain data, the data pattern matching is also skipped.
  13. (Optional) From the Default masking format drop-down list, select a masking format for Oracle Data Safe to use by default when masking sensitive columns discovered by your sensitive type. If you want to select a default masking format and it is located in a different compartment, click Default masking format compartment, browse to and select the correct compartment.
  14. (Optional) Select Add tag to organize your resources.
    1. Select a Namespace from the drop-down list.
    2. Select or enter a Key.
    3. Select or enter a Value.
  15. Select Create sensitive type.

    The Sensitive type details page is displayed.

Create a Sensitive Category

  1. Under Data Safe - Database Security, select Data discovery.
  2. Under Data discovery, select Sensitive types.
  3. Select Create sensitive type/category.

    The Create sensitive type/category window is displayed.

  4. In the Name field, enter a name for your sensitive category.
  5. From the Compartment drop-down list, select the compartment in which you want to store the sensitive category.
  6. (Optional) Enter a brief description of your sensitive category.
  7. Select a different compartment if the Parent sensitive category you want to select is located in a different compartment.
  8. From the Parent sensitive category drop-down list, select the sensitive category to which you want your sensitive category to belong. You can choose a user-defined sensitive category as a parent category, but not a category used by predefined sensitive types.
  9. Select the Sensitive category tile.
  10. (Optional) Select Add tag to organize your resources.
    1. Select a Namespace from the drop-down list.
    2. Select or enter a Key.
    3. Select or enter a Value.
  11. Select Create sensitive category.

    The Sensitive category details page is displayed.

Create and Manage a Sensitive Type Group

Creating a sensitive type group allows you to select a subset of sensitive types that can be used throughout Data discovery. Oracle has created a Common sensitive types group consisting of commonly used sensitive types that is available in all compartments.

Ensure you have the proper permissions to use sensitive type groups, see data-safe-sensitive-type-group Resource in the Administering Oracle Data Safe for more information.

Create a Sensitive Type Group

  1. Under Data Safe - Database Security, select Data discovery.
  2. Under Data discovery, select Sensitive types.
  3. Select the Sensitive type groups tab.
  4. Select Create sensitive type group.
  5. Name your sensitive type group.
  6. Select which compartment the sensitive type group will be stored in.
  7. (Optional) Enter a brief description of your sensitive type group.
  8. Select the sensitive types that you want included in the sensitive type group.
  9. (Optional) Select Add tag to organize your resources.
    1. Select a Namespace from the drop-down list.
    2. Select or enter a Key.
    3. Select or enter a Value.
  10. Click Create sensitive type group.

Manage a Sensitive Type Group

Sensitive types can be added or removed from a sensitive type group after it is created.

  1. Under Data Safe - Database Security, select Data discovery.
  2. Under Data discovery, select Sensitive types.
  3. Click the Sensitive type groups tab.
  4. Select the name of the sensitive type group you want to manage from the list.
  5. To add sensitive types, click Add sensitive type.
  6. To remove sensitive types, select the sensitive type(s) to remove and click Remove sensitive type.

Tips for Creating Sensitive Types

The following topics help you to write patterns for sensitive types. For more information about regular expressions, see Regular Expressions.

Column Name Pattern

A column name pattern is a regular expression that is used to match column names during data discovery. For example, to search for columns containing Social Security numbers, you could define the following column name pattern: 

(^|[_-])SSN($|[_-])|(SSN|SOC.*SEC.*).?(ID|NO|NUMBERS?|NUM|NBR|#)

The regular expression checks for specific keywords in column names. It matches column names, such as PATIENT_SSN, SSN#, SOCIAL_SECURITY_NUMBER, and EMPLOYEE_SOC_SEC_NO.

Tips for creating column name patterns:

  • Consider when to use .? and .*. Use .? if you want to allow zero or one character, and use .* to allow any number of characters. For example, you could use SOCIAL.?SECURITY.?NUMBER or SOC.*SEC.*NUMBER depending upon how strict you want the regular expression to be.
  • To get an exact match of a word or a match if the word is part of a column name, use (^|[_-])<WORD>($|[_-]). The pattern finds an exact match and variations of <WORD> plus the characters _- before or after the word.
  • Whenever searching for columns containing numbers, you could use keywords like (ID|NO|NUMBERS?|NUM|NBR|#).
  • To match singular and plural words, if applicable, use S?. For example, use CODES? to match CODE and CODES.
  • To match dates, use (DT|DATE) and the reverse pattern. For example, you could use the following pattern to match BIRTH_DATE and DATE_OF_BIRTH: 
    BIRTH.?(DT|DATE)|(DT|DATE).*BIRTH

Column Comment Pattern

A column comment pattern is a regular expression that is used to match column comments during data discovery. Sometimes column names are obscure and therefore, metadata is entered as a comment for a database column. Data Discovery can search these comments and potentially find more sensitive data. For example, to search for columns containing Social Security numbers, you could define the following column comment pattern:

\bSSN#?\b|SOCIAL SECURITY (ID|NUM|\bNO\b|NBR)

The regular expression checks for specific keywords in column comments. For example, it matches the column comment Contains social security numbers of employees.

Tips for creating column comment patterns:

  • Avoid using .* in column comments to reduce false positives.
  • Use \b<word>\b to search for a specific word. It avoids matching words that contain <word>. For example, the regular expression \bNO\b matches social security no but not social security notification. Similarly, the regular expression \bSECT\b does not match the word SECTOR, and \bCULT\b does not match the word CULTURE.
  • Whenever searching for columns containing numbers, you can use keywords like (ID|\bNO\b|NUM|NBR|#).

Column Data Pattern

A column data pattern is a regular expression that is used to match the actual column data during data discovery. For example, to search for columns containing Social Security numbers, you could define the following column data pattern:

^[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}$

The regular expression checks for 9-digit numbers. A number can be either numeric or can have three parts separated by hyphens or spaces. It matches numbers like 383368610 and 383-36-8610.

Tips for creating column data patterns:

  • Ensure that the data pattern is as specific as possible to avoid false positives.
  • See whether it is logical to have a data pattern. If the data pattern is too broad, it can result in false positives. If it does not add any value, you could decide not to add the data pattern for a sensitive type.
  • If you want to use a broad data pattern, you could use the And search operator to reduce false positives.

Search Pattern

The search pattern indicates how the column name, comment and data patterns of a sensitive type should be used to discover sensitive columns. There are two search options: AND and OR.

The AND search option ensures that all the provided patterns of a sensitive type must match for identifying a column as sensitive. For example, if a sensitive type has name, comment, and data patterns, they must match a column's name, comment, and data respectively, for identifying that column as sensitive. The following table covers the various possible combination of the patterns provided for a sensitive type and the corresponding AND search behavior.

Patterns Present in a Sensitive Type Search Behavior
Name, Comment, and Data Name AND Comment AND Data
Name and Data Name AND Data
Name and Comment Name AND Comment
Comment and Data Comment AND Data
Name Name
Comment Comment
Data Data

The OR search option provides some flexibility to identify a column as sensitive even if only some of the patterns of a sensitive type match. For example, if a sensitive type has name and comment patterns, a column is identified as sensitive even if only the name pattern (or comment pattern) matches the column's name (or comment). If a sensitive type has all three patterns, the data pattern must match along with either the name pattern or the comment pattern (or both). The following table covers the various possible combination of the patterns provided for a sensitive type and the corresponding OR search behavior.

Patterns Present in a Sensitive Type Search Behavior
Name, Comment, and Data Data OR (Name AND Data) OR (Comment AND Data)
Name and Data Data OR (Name AND Data)
Name and Comment Name OR Comment
Comment and Data Data OR (Comment AND Data)
Name Name
Comment Comment
Data Data