Oracle Database 11g: Oracle Label Security and the Data Masking Pack
TRANSCRIPT
8/10/2019 Oracle Database 11g Oracle Label Security and the Data Masking Pack
Access to every table in the database is controlled by DAC. In this example, Joe issues a SELECT statement against the emp table. Because Joe has received the SELECT privilege on the emp table, he sees a result returned.
Because Fred's access privilege is revoked, when he issues a SELECT statement against the emp table, he sees the error message "Table or view does not exist."
The granularity of DAC is at the object level by privilege. There are four basic privileges (SELECT, INSERT, UPDATE, and DELETE) plus several more that depend on the object type. In most databases, DAC is sufficient to handle the access control needs.
Graphic
The command to grant the SELECT privilege on the emp table to Joe is the following:
GRANT SELECT ON emp TO JOE;
The command to revoke the access privilege from Fred on the emp table is the following:
REVOKE SELECT ON emp FROM FRED;
If viewing certain columns is limited to certain individuals or job functions, you can use DAC to limit viewing of those columns to those individuals or job functions. Place the columns in a separate table and join on a key value, or hide the columns from all but authorized users by defining a view of all but the sensitive columns.
Even in situations where DAC does not meet the needs for access control, there are seldom more than a few tables that require row-level access control. If the data in a row determines who is allowed to access the row, DAC is inadequate. For these situations, row-level access control is required.
OLS does not bypass DAC but supplements it. For all users making a SQL request, DAC is applied first. DAC denies access to all users without the correct privileges.
After DAC is applied, Oracle Database checks whether an OLS policy is applied. Additional predicates can easily be added to the policies to further refine access because OLS is built on the same infrastructure as VPD.
The objects in the database can have rows that are labeled. Access to rows is restricted on the basis of OLS authorizations.
Graphic
In this example, the first two rows in the table are assigned the OLS labels Sensitive and Highly sensitive. The third row is assigned the OLS label Confidential. Based on DAC, the user is granted the SELECT object privilege. Based on the OLS access mediation, the user can access only the row with the Confidential OLS label.
There are, however, a few conditions under which OLS is not enforced. It is not enforced during a DIRECT path export and cannot be applied to objects in the SYS schema. Also note that the SYS user and users with the special EXEMPT ACCESS POLICY database privilege are exempt from both OLS and VPD enforcement. The EXEMPT ACCESS POLICY privilege is a powerful database privilege and should be managed carefully.
If your site requires that the SYS user and users with DBA-type privileges are not allowed to view application data, DV has the facilities to meet this requirement. DV and OLS are designed to work together.
To use the sensitivity labels, you perform the following actions:
specify data sensitivity
Labels are used to specify the sensitivity of data. These are known as data labels. Each row has a data label. In the example, the row has a label of Secret::.
specify label authorizations, and
Labels are used to specify a user's security clearance or label authorization. Each user is assigned a set of labels that indicate the range of data labels that the user is allowed to read and write. In this example, the user has a label of TopSecret::.
implement access mediation
The user label and the data labels are compared in a process known as access mediation that uses a set of algorithms supplied by OLS. Users are allowed to view the row when their label dominates the data label of that row. Otherwise, they are not able to see the row.
In this example, the user's label of TopSecret:: dominates the data label of Secret::, and access is allowed. Whether a particular label dominates another is determined by the security administrator when the labels are created.
2. Installing and using OLS
To install OLS, perform the following steps:
use the Oracle Universal Installer, also known as OUI, Custom Install option
Use the Custom Install option of OUI to add the Label Security option to a base installation.
use Database Configuration Assistant, commonly known as DBCA, to configure OLS, and
Oracle highly recommends that you use DBCA to configure the Label Security option. This configuration creates the LBACSYS user and the LBAC_DBA role, and more than 200 objects. The database must be restarted after the configuration is complete.
use Enterprise Manager to manage the Label Security policies
Use Enterprise Manager to manage the Label Security policies. Enterprise Manager has pages that enable you to create policies and manage labels and policies. These pages are available in the Security section under the Server tab on the database home page of Database Control in Oracle 11g. The same pages can be seen in Grid Control 10g Release 4 by navigating to a target database and clicking the Administration tab.
OLS is a packaged system that provides an easy-to-implement row-level security solution, where access control is based on data sensitivity. Security requirements are complicated by data restrictions generated by regulatory compliance.
For example, medical data can be viewed only by attending medical professionals and by the person whose data it is.
Installation of OLS with OID allows label authorizations to be part of your standard provisioning process.
Note
OLS integration with Oracle Identity Management was first available in Oracle Database 11g Release 1.
For sites that use OID, databases retrieve the OLS policy information from the directory. Administrators use the olsadmintool policy administration tool to operate directly on the directory to insert, alter, or remove metadata as needed.
Because enterprise users can log in to multiple databases by using the credentials stored in OID, it is logical to store their OLS policy authorizations and privileges there as well. An administrator can then modify these authorizations and privileges simply by updating metadata in the directory. Other aspects of managing enterprise users are performed through the Oracle Identity Management Provisioning console.
For distributed databases, centralized policy management removes the need for replicating policies because the appropriate policy information is available in the directory. Policy changes in the directory are synchronized with policy information in the databases by means of the Directory Integration Platform and are effective without requiring further effort.
The following OLS information is stored in the directory:
policy information, namely, policy name, column name, policy enforcement options, and audit options
user profiles identifying their labels and privileges
policy label components (levels, compartments, and groups), and
policy data labels
The database-specific metadata is not stored in the directory. Examples include
lists of schemas or tables, with associated policy information, and
program units, with associated policy privileges
Question
Identify the features of OLS.
Options:
1. It provides an easy-to-implement row-level security solution
2. It relies on the database as the central repository for policy authorization
3. It is built on the fine-grained access control technology of VPD
4. It stores tables and their associated policy information in the directory
Answer
Option 1: This option is correct. OLS is a packaged system that provides an easy-to-implement row-level security solution, where access control is based on data sensitivity.
Option 2: This option is incorrect. Previous releases of OLS have relied on Oracle Database as the central repository for policy and user label authorizations. Now OLS is integrated with Oracle Identity Management.
Option 3: This option is correct. OLS relies on the fine-grained access control technology of VPD, and an advantage of using OLS is that it is a complete system and a ready-to-use VPD.
Option 4: This option is incorrect. Lists of schemas or tables with their associated policy information, as well as program units and their associated policy privileges, are not stored in the directory.
Correct answers:
1. It provides an easy-to-implement row-level security solution
3. It is built on the fine-grained access control technology of VPD
VPD provides an API for implementing row-level security by using application context. The policy procedures, the application context, and the rules for controlling access to the data must be created by developers.
To implement this, OLS provides a complete system comprising various components such as
access rules
OLS comes with predefined access rules. These rules meet the requirements of many applications without modification. The rules can be customized to meet special circumstances.
common criteria
OLS has been evaluated under the International Common Criteria (ISO 15408) at Evaluation Assurance Level, commonly known as EAL, 4. The Common Criteria standard has superseded the DOD Orange Book standard and other European and Russian standards.
complete data dictionary, and
The complete data dictionary is provided in the database to manage the aspects of OLS.
a complete user interface
Enterprise Manager provides a graphical interface that allows point-and-click control. The SA_ packages provide a complete command-line interface.
OLS is built on the same technology as that used for VPD. However, there are certain differences in some features.
Access control
OLS does not depend on pre-existing data attributes as the basis for access control, but depends on assigned data labels and user clearances.
Every application of VPD is custom built. VPD provides row-level access control by using application context and a WHERE clause that is added to every SQL statement.
Client requirements implementation
OLS provides the packages required to implement the customer requirements, and so no coding is required.
VPD implements customer requirements with user-programmed policies.
Table changes
OLS adds a column to every protected table. This column can be a hidden column.
In VPD, no columns are added.
New data classification
OLS classifies new data automatically.
VPD does not classify new data automatically.
Policy application
When new data is added to the protected table, OLS assigns data labels based on the user clearance automatically.
If new values are placed in the columns used by VPD, the WHERE clause in the policy may need to be changed. The updated policy can then be automatically applied.
Column-level control
OLS is designed to work with column-level VPD and DV. A column-level policy can be applied to further restrict column access, and user clearances can be used as factors in DV to limit access to schemas and commands.
VPD uses only column-level VPD.
When analyzing the need for OLS, you need to first identify the application tables that need OLS. Usually, only very few tables hold data that require the protection provided by OLS.
Do not apply OLS where it is not needed. Use the appropriate security technology for your problem. OLS has a performance cost. Identify the most resource-intensive application queries and tune them for use in the OLS environment.
The following technologies typically meet most access control requirements:
DAC
DAC is always applied before the OLS policies. DAC specifies access control privileges at the object level.
stored procedures and functions, and
Stored procedures and functions can be used to encapsulate objects, allowing the owner to expose only certain methods of accessing the object. This technique can provide very tight control over data integrity.
DV
Oracle Database Vault, commonly known as DV, can be used to extend DAC in ways that OLS cannot.
Question
Which statements best describe evaluating the need for OLS?
Options:
1. Few tables hold data that require the protection provided by OLS
2. DAC is sufficient for all tables
3. Stored procedures and functions can be used to encapsulate objects
4. There is no performance cost associated with OLS
Answer
Option 1: This option is correct. You should identify the tables that need OLS, because usually very few tables do. You should not apply OLS where it is not needed.
Option 2: This option is incorrect. DAC is sufficient for most but not all tables. It is always applied before the OLS policies and specifies access control privileges at the object level.
Option 3: This option is correct. Stored procedures and functions can be used to encapsulate objects, allowing the owner to expose only certain methods of accessing the object.
Option 4: This option is incorrect. OLS has a performance cost. You should identify the most resource-intensive application queries and tune them for use in the OLS environment.
Correct answers:
1. Few tables hold data that require the protection provided by OLS
3. Stored procedures and functions can be used to encapsulate objects
Summary
In this topic, you've learned how Oracle Label Security works.
Creating Policies
Learning Objective
After completing this topic, you should be able to
recognize how to create a policy
1. Implementing the OLS policy
To implement an Oracle Label Security, also known as OLS, policy, develop a strategy. Before developing the strategy, talk to the right people. Identify those individuals in your organization who really understand the business-security problem. Make sure that you understand the problem before adding additional security to your application.
After developing the strategy, analyze the data to be protected. Ask questions such as
Where does the sensitive data reside in the application (which tables)?
Who needs access to this data?
Who owns the data?
Who should be able to read the data?
Who should be able to make updates?
The analysis includes a grouping of the user community by access needs, such as
Does that grouping follow organizational lines?
Does it depend on the job function?
Note
This process is repeated for each set of data that is to be protected.
The security officer must be given specific permissions to create and administer policies and labels. These actions are performed by using the Oracle Policy Manager interface or PL/SQL packaged procedures.
Finally, you perform these steps to complete the implementation of the OLS policy:
assign user authorizations and
A user authorization is the range of labels that a user can access. Authorizations are created and assigned to the user on the basis of access requirements. Special privileges are included in this set of authorizations.
After the policy has been applied, no user can access the data without a set of authorizations. This step is independent of applying the policy; user authorizations can be assigned before or after the policy is applied.
review and document your policy decisions
The policy decisions are reviewed and documented. This documentation provides a reference point for future changes and audits. Implementing label security can be complex. Many seemingly small decisions are made for ease of use or performance. When these policies are called into question, the documentation saves many hours of reanalyzing the application.
2. Creating policies
The first step in setting up Oracle Label Security, also known as OLS, is to create policies. The named policy is a container for all the information that is associated with a policy (labels, tables, views, privileges, and procedures).
Use the CREATE_POLICY procedure to create a new OLS policy, define a policy-specific column name, and specify a set of default policy options. The column is added to every table associated with the policy. The policy can be created using Enterprise Manager or PL/SQL using this syntax.
Syntax
PROCEDURE CREATE_POLICY (
  policy_name IN VARCHAR2,
  column_name IN VARCHAR2 DEFAULT
Code
BEGIN
  -- Create the FACILITY policy; its label column FACLAB is added to every protected table
  SA_SYSDBA.CREATE_POLICY(
    POLICY_NAME     => 'FACILITY',
    COLUMN_NAME     => 'FACLAB',
    DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
A basic policy with full enforcement would have three enforcement options enforced:
READ_CONTROL
WRITE_CONTROL, and
LABEL_DEFAULT
The interaction of these various enforcement options should be well understood for effectively designing an OLS system.
Access-control enforcement controls read and write access to the data.
The policies can be set for each type of data manipulation language, abbreviated as DML, with two options:
READ_CONTROL and
READ_CONTROL enforces the policy for all queries, controlling which data rows are accessible for SELECT, UPDATE, and DELETE. If READ_CONTROL is OFF on a policy, for any table protected by the policy, all rows are accessible to all users.
WRITE_CONTROL
WRITE_CONTROL determines the ability to insert, update, and delete data in a row. If this option is active, it enforces INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL.
You can apply INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL separately.
Label-management enforcement ensures that data labels written for inserted or updated rows do not violate policies set for such labels, with these three options:
LABEL_DEFAULT
LABEL_DEFAULT uses the session's default row label value unless the user explicitly specifies a label on INSERT.
LABEL_UPDATE, and
LABEL_UPDATE applies policy enforcement to the UPDATE operations that set or change the value of a label attached to a row. The WRITEUP, WRITEDOWN, and WRITEACROSS privileges are enforced only if the LABEL_UPDATE option is active.
3. CHECK_CONTROL
4. NO_CONTROL
Answer
Option 1: This option is incorrect. READ_CONTROL enforces the policy for all queries, controlling which data rows are accessible to SELECT, UPDATE, and DELETE.
Option 2: This option is incorrect. LABEL_UPDATE applies policy enforcement to the UPDATE operations that set or change the value of a label attached to a row.
Option 3: This option is correct. CHECK_CONTROL is considered a label-management enforcement option. It applies the READ_CONTROL policy enforcement to ensure that the new row label is read-accessible to the user who is changing it when using INSERT and UPDATE statements.
Option 4: This option is incorrect. NO_CONTROL applies no enforcement options.
Correct answers:
3. CHECK_CONTROL
3. Defining labels
Each data label can have three parts (a level, one or more compartments, and one or more groups). Every label must have a level, but the compartment and group portions of the label are optional.
Each level, compartment, and group that will be used in a label must be created before it can be used in a label.
Defining the needed levels, groups, and compartments follows the analysis of the data-security needs. Each part of the label is defined.
Every label must have a level defined, and by implication, every row protected by Oracle Label Security, also known as OLS, must be assigned to a level.
Graphic
A level is a ranking that denotes the sensitivity of the information it labels. The more sensitive the information, the higher its level. Every label must include one level. Although both long and short names for the level (and for each of the other label components) can be defined, only the short name is displayed upon retrieval.
Only the short names are used during label manipulation.
Levels can be assigned in the Levels page, which is currently opened. The page contains a table with the columns Select, Long Name, Short Name, and Numeric Tag, and the Select All and Select None links.
Levels have many characteristics:
A level is an arbitrary name, such as SENSITIVE or CLASSIFIED. Higher and lower levels are determined by the tag (the numeric form of the level). The numeric form can range from 0 through 9999. A user with a higher level can access lower levels. Levels have a ranking determined by the numeric tag.
The arbitrary names are listed in the Long Name column and the numeric tag in the Numeric Tag column.
Assume that only levels are used. A user with a label of SENSITIVE can access data with a SENSITIVE level or below. Other levels listed are PUBLIC, CONFIDENTIAL, and HIGHLY SENSITIVE.
Each policy has its own set of levels, which are part of the label that is assigned to users and data.
In this example, the SENSITIVE data level has a short name of S.
The PUBLIC level has the short name of P and a numeric tag of 100, and the CONFIDENTIAL level has the short name of C and a numeric tag of
PROCEDURE CREATE_LEVEL (
  policy_name IN VARCHAR2,
  level_num IN I
BEGIN
  -- Top-level group WR, then a subgroup WR_FIN whose parent is WR,
  -- then WR_AP whose parent is WR_FIN (the last argument names the parent group)
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1000, 'WR', 'WESTERN_REGION');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1200, 'WR_FIN', 'WR_FINANCE', 'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1210, 'WR_AP', 'WR_ACCT_PAYABLE', 'WR_FIN');
END;
Syntax
PROCEDURE CREATE_GROUP (
  policy_name IN VARCHAR2,
  group_num IN I
Optional compartments are OP, CH, and FIN. FIN could appear in the Compartment field of the level:compartment:group label.
To define compartments, the DBA or security administrator uses the CREATE_COMPARTMENT procedure of the SA_COMPONENTS package or Enterprise Manager.
This is the syntax and an example of the procedure being used to define a compartment.
Code
BEGIN
  -- Define the FIN compartment (long name Financial) for the FACILITY policy
  SA_COMPONENTS.CREATE_COMPARTMENT(
    POLICY_NAME => 'FACILITY',
    COMP_NUMBER => '9',
    SHORT_NAME  => 'FIN',
    LONG_NAME   => 'Financial');
END;
Syntax
PROCEDURE CREATE_COMPARTMENT
HIGHLY_SENSITIVE:FINANCIAL:
SENSITIVE::WESTERN_REGION
When a valid data label is created, two actions occur:
Code
LEVEL:COMPARTMENT:GROUP
Option 1: This option is incorrect. When a valid data label is created, it is automatically designated as a valid data label. This functionality limits the labels that can be assigned to data.
Option 2: This option is incorrect. It is the numeric label tag, and not the text string that represents the label, that is stored in the policy label column of the protected table.
Option 3: This option is correct. A numeric label tag is associated with the text string that represents the label. This tag must be unique across all policies in the database.
Option 4: This option is correct. The maximum length of the short form of the label is 4000 characters. The short form is used in the LABEL_VALUE parameter of the CREATE_LABEL procedure.
Correct answers:
3. The numeric label tag must be unique across all database policies
4. The maximum length of the short form of the label is 4000 characters
Summary
In this topic, you've learned how to create a policy.
Creating Data Labels
Learning Objective
After completing this topic, you should be able to
recognize how data labels are created
1. Creating and managing data labels
Before creating a label, a policy is created. In this example, the policy FACILITY is created. When the FACILITY policy is created, a role named FACILITY_DBA is also created with the EXECUTE privilege on several packages owned by LBACSYS.
The DBA or a user who is assigned the <policy>_DBA role can create labels by using the CREATE_LABEL procedure in the SA_LABEL_ADMIN package or by using Enterprise Manager, abbreviated as EM. The <policy>_DBA role is created when the policy is created.
This is the syntax and example code for creating labels using the CREATE_LABEL procedure in the SA_LABEL_ADMIN package.
Code
BEGIN
  -- Each call associates a unique numeric tag with a label in LEVEL:COMPARTMENTS:GROUPS short form
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 2101, 'S::US');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 3101, 'HS::US');
END;
Syntax
PROCEDURE CREATE_LABEL (
  policy_name IN VARCHAR2,
  label_tag IN I
Oracle Label Security, also known as OLS, provides administrative interfaces to define and manage the labels used in a database. You can define labels in an Oracle database by using OLS packages or EM.
Initially, administrators must define the levels, compartments, and groups that compose the labels, and then they can define the set of valid data labels for the contents of the database.
The administrator can apply a policy to individual tables in the database or to entire application schemas. Finally, the administrator assigns to each database user the label components (and privileges, if needed) that are appropriate for the person's job function.
The administrator sets the privileges that allow data labels to be changed by certain users, if appropriate. Some sites may not allow anyone to change a label. Some customers may have specific individuals who are responsible for reviewing and assigning the appropriate labels.
Users are allowed to change their session label as well as their row label, within the range of their minimum and maximum labels, by using the SET_LABEL and SET_ROW_LABEL procedures of the SA_SESSION package.
The components of the labels have been created. The data labels have been created and marked as valid. For access mediation to work properly, the individual rows must have a label assigned.
To do this, the steps to perform are
define labels
The labels that are assigned to data rows must first be created. There are usually many more permutations of the different components of the labels than are actually used. Most sites require that the labels that are actually used be created by an administrator to control the proliferation of labels.
have labels for all rows, and
When creating policies, the label column for existing rows is initially NULL. The NULL value does not match any label, so the data is not accessible, except by users with the FULL access privilege.
set labels by updating rows
For existing rows, a user who has the FULL access privilege (typically, the security administrator) updates the rows, setting the label column to the proper label value for that row. For new rows, users or the application supply the label, either directly by a pick list, by session label default values, or by a policy function.
When you apply a policy to a table or schema, the policy is automatically enabled. To disable a policy is to turn off its protections, although it is still applied. To enable a policy is to turn on and enforce its protections for a particular table or schema.
To remove a policy is to take it entirely away from the table or schema.
a set of authorized groups (and, implicitly, authorization for any subgroups)
Each user has a session label and a row label. The session label is the particular combination of levels, compartments, and groups on which a user works at any given time. Users can change the session label to any combination of components for which they are authorized.
When a user writes data without specifying its label, a row label is assigned automatically, using the user's session label. However, users can set the label for the written row, within certain restrictions on the components of the label that they specify, with the SA_SESSION.SET_ROW_LABEL procedure.
Code
BEGIN
  -- Give MYCO_MGR a maximum read label of S (Sensitive) with groups US, EU and ASIA
  SA_USER_ADMIN.SET_USER_LABELS(
    POLICY_NAME    => 'FACILITY',
    USER_NAME      => 'MYCO_MGR',
    MAX_READ_LABEL => 'S::US,EU,ASIA');
END;
The administrator specifies the user's initial session label and an initial default row label when setting up user authorizations.
These authorizations are kept in the OLS data dictionary tables for each user. To define user authorizations, the DBA or security administrator uses the SA_USER_ADMIN package, as in this example, or the EM interface.
Code
BEGIN
  -- Positional form: policy name, user name, maximum read label
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY', 'MYCO_EMP', 'P');
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY', 'MYCO_MGR', 'S::US,EU,ASIA');
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY', 'MYCO_PLANNING', 'HS::GLOBAL');
END;
This is the syntax for the SA_USER_ADMIN package.
Syntax
PROCEDURE SET_USER_LABELS (
  policy_name IN VARCHAR2,
  user_name IN VARCHAR2,
  max_read_label IN VARCHAR2,
  max_write_label IN VARCHAR2 DEFAULT
policy_name specifies the policy.
user_name specifies the username.
users insert if they do not specify the data label as a field in the INSERT statement.
If row_label is not specified, it is set to def_label, with only the compartments and groups authorized for write access.
Question
What should you consider when assigning user authorization labels?
Options:
1. A user can access data only within the range of their own label authorizations
2. Each user has a session label or a row label
3. A session label is assigned automatically when a user writes data without specifying its label
4. The administrator specifies the user's initial session label
Answer
Option 1: This option is correct. A user has maximum and minimum labels, a set of authorized compartments, and a set of authorized groups. They can only access data they have been authorized to access.
Option 2: This option is incorrect. Each user has both a session label and a row label. The session label is the particular combination of levels, compartments, and groups on which a user works at any given time.
Option 3: This option is incorrect. When a user writes data without specifying its label, a row label is automatically assigned, using the user's session label.
Option 4: This option is correct. The administrator specifies the user's initial session label and an initial default row label when setting up user authorizations.
Correct answers:
1. A user can access data only within the range of their own label authorizations
4. The administrator specifies the user's initial session label
2. OLS special user privileges
The first set of Label Security privileges are set with the SA_USER_ADMIN.SET_USER_PRIVS procedure.
These privileges are
READ
The READ privilege allows read access to all data protected by the policy.
FULL, and
The FULL privilege allows full read and write access to all data protected by the policy.
COMPACCESS
The COMPACCESS privilege allows a session access to data authorized by the row's compartments, independent of the row's groups.
The PROFILE_ACCESS privilege is set with the SA_POLICY_ADMIN.SET_ACCESS_PROFILE procedure.
PROFILE_ACCESS allows a user to change the OLS authorizations and privileges of the database session to those of the specified user.
In this example, the READ privilege enables the user to bypass the OLS policy entirely for read access to data. Users with the READ privilege can read all data protected by the policy, regardless of their authorizations or session label.
The user does not even need to have label authorizations. However, access mediation is still enforced on the UPDATE, INSERT, and DELETE operations. Users with the READ privilege can write only to data rows for which they have write access, based on any label authorizations.
The application uses of the READ privilege are data export, report generation, and executive management privilege.
In this example, the FULL privilege has the same effect and benefits as the READ privilege, with one difference: a user with the FULL privilege can also write to all the data. The ability to write effectively bypasses all OLS controls.
Oracle discretionary access controls still protect the underlying table. For example, if a user does not have the UPDATE privilege on the underlying table and attempts to update a table directly with an UPDATE SQL statement, the statement would fail.
This is a very powerful privilege and should be reserved only for users that require it. A classifier (someone who reviews data to determine its security classification) would need this privilege to be allowed to see the data and change the classification freely.
In this example, the COMPACCESS privilege allows a session to access rows on the basis of the row's compartments, independent of the row groups. If a row has no compartments, access is determined by the group authorizations.
However, when compartments exist, and access to them is authorized, the group authorization is bypassed. Level authorizations are still enforced. If the row has a data label of Confidential:Operations:Western_Region and the user label is Confidential:Operations:Central_Region, the user can access the row on the basis of the compartment. The group is ignored.
This privilege is required only in special situations. For example, where a compartment is created for a project that crosses groups but does not include all members of each group.
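To make the mediation rules above concrete, here is an added Python model of OLS read-access decisions. It is illustrative code written for this page, not Oracle's implementation and not the course's own code. Labels use the page's LEVEL:COMPARTMENTS:GROUPS notation; the level ordering, the sample rows and the three session profiles are constructed here, and OLS group hierarchies and label tags are ignored. It shows the Western_Region/Central_Region case with and without COMPACCESS, the rule that a compartment-less row still needs a group match, the level check that COMPACCESS never bypasses, and the READ privilege bypass.

```python
from dataclasses import dataclass

# Constructed level ordering for this example (higher = more sensitive).
LEVELS = {"PUBLIC": 10, "CONFIDENTIAL": 20, "SECRET": 30}


def _split(component: str) -> frozenset:
    """Turn 'A,B' into frozenset({'A', 'B'}); empty text gives an empty set."""
    return frozenset(x.strip().upper() for x in component.split(",") if x.strip())


@dataclass(frozen=True)
class Label:
    """A data label or session label: LEVEL:COMP1,COMP2:GROUP1,GROUP2."""
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()

    @staticmethod
    def parse(text: str) -> "Label":
        # Missing trailing components are allowed, e.g. "CONFIDENTIAL::WESTERN_REGION".
        parts = (text.split(":") + ["", ""])[:3]
        return Label(parts[0].strip().upper(), _split(parts[1]), _split(parts[2]))


@dataclass(frozen=True)
class UserAuth:
    """Read authorizations of a session plus OLS special privileges."""
    max_level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()
    privileges: frozenset = frozenset()  # subset of {"READ", "FULL", "COMPACCESS"}


def can_read(user: UserAuth, row: Label) -> bool:
    """Decide whether the session may read a row carrying label `row`."""
    # READ and FULL bypass the policy entirely for read access.
    if user.privileges & {"READ", "FULL"}:
        return True
    # Level authorization is always enforced, even with COMPACCESS.
    if LEVELS[row.level] > LEVELS[user.max_level]:
        return False
    # Every compartment on the row must be authorized for the user.
    if not row.compartments <= user.compartments:
        return False
    # A row without groups needs no group check.
    if not row.groups:
        return True
    # COMPACCESS: when the row has compartments (already checked above),
    # the group authorization is skipped. A row with no compartments still
    # falls through to the ordinary group check.
    if "COMPACCESS" in user.privileges and row.compartments:
        return True
    # Ordinary mediation: the user must hold at least one of the row's groups.
    return bool(row.groups & user.groups)


def readable_ids(user: UserAuth, rows: dict) -> list:
    """Return the ids of rows (id -> label text) the session may read."""
    return sorted(rid for rid, text in rows.items() if can_read(user, Label.parse(text)))


# Constructed sample table for the demonstration (not the course's data).
SAMPLE_ROWS = {
    1: "Confidential:Operations:Western_Region",
    2: "Confidential:Operations:Central_Region",
    3: "Confidential::Western_Region",   # row with a group but no compartment
    4: "Secret:Operations:Western_Region",
    5: "Public::",
}

CENTRAL_USER = UserAuth("CONFIDENTIAL", frozenset({"OPERATIONS"}),
                        frozenset({"CENTRAL_REGION"}))
CENTRAL_WITH_COMPACCESS = UserAuth("CONFIDENTIAL", frozenset({"OPERATIONS"}),
                                   frozenset({"CENTRAL_REGION"}),
                                   frozenset({"COMPACCESS"}))
REPORT_USER = UserAuth("PUBLIC", privileges=frozenset({"READ"}))

if __name__ == "__main__":
    print("plain session      :", readable_ids(CENTRAL_USER, SAMPLE_ROWS))
    print("with COMPACCESS    :", readable_ids(CENTRAL_WITH_COMPACCESS, SAMPLE_ROWS))
    print("with READ privilege:", readable_ids(REPORT_USER, SAMPLE_ROWS))
```

Row 1 is the page's example: the Central_Region session is refused on groups until COMPACCESS is granted, whereas row 3 (no compartment) stays refused because COMPACCESS only skips the group check when a compartment authorized the access, and row 4 stays refused on level regardless.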
The SA_SESSION.SET_ACCESS_PROFILE procedure sets the OLS authorizations and privileges of the database session to those of the specified user.
That user assumes only the authorizations and privileges of the specified user. By contrast, the OLS username is changed.
Code
SQL> connect appuser/mypassword
SQL> begin
  2    sa_session.set_access_profile('finance', 'manager');
  3  end;
  4  /
User accounts defined in Oracle Internet Directory, also known as OID, cannot be given individual OLS authorizations. However, authorizations can be given to the shared schema to which the directory users are mapped.
The OLS SET_ACCESS_PROFILE function can be used programmatically to set the label authorization profile to use after a user has been authenticated and mapped to a shared schema. OLS does not enforce a mapping between users who are given label authorizations in OLS and actual database users.
This administrative procedure is useful for various tasks:
Syntax
PROCEDURE SET_ACCESS_PROFILE (
  policy_name IN VARCHAR2,
  user_name   IN VARCHAR2);
With SET_ACCESS_PROFILE, the administrator can see the result of the authorization and privilege settings for a particular user.
Applications that have proxy accounts connect as (and assume the identity of) application users for purposes of accessing labeled data. With the SET_ACCESS_PROFILE privilege, the proxy account can act on behalf of application users.
A trusted stored program unit is a stored procedure, function, or package that has been granted one or more OLS privileges. Trusted stored program units are typically used to enable users to downgrade information in a controlled manner, or update data at several labels.
This is the optimal way in which users can be enabled to access data beyond their authorization. To grant privileges to a stored program unit, you must have the special policy_DBA role (where policy is the name of a policy) and the EXECUTE permission on the program unit.
Use either Enterprise Manager or the SA_USER_ADMIN package to grant privileges to a program unit. The SA_USER_ADMIN.SET_PROG_PRIVS procedure sets policy-specific privileges for program units.
In this example, the sum_purchases procedure has been granted the READ privilege. When the sum_purchases procedure is called, it executes with the READ privilege as well as the current user's OLS privileges. This allows the total purchases to be calculated.
Code
SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS(
Define in the import database all the label components and individual labels used in the tables being imported. Tag values assigned to the policy labels in each database must be the same.
To successfully import data under OLS, the user running the import operation must be authorized for all the labels required to insert the data and labels contained in the export file.
The following requirements must be met:
requirement 1 and
The user must have the policy_DBA role for all policies with data being imported. After each schema or table is imported, any policies from the export database are reapplied to the imported objects.
requirement 2
The user must have the ability to write all rows that have been exported.
When implementing OLS, follow these performance tips:
limit policies to required tables
In most cases, only a small subset of the tables in a database requires row-level security. Carefully identify these tables and limit the policies to these.
plan a label tag strategy
For optimal performance, you can plan a strategy for assigning values to label tags. In general, it is best to assign higher numeric values to labels with higher sensitivity levels.
Usually, many more users can see data at comparatively low levels. Fewer users at higher levels can see many levels of data. With READ_CONTROL set, OLS generates a predicate that uses a BETWEEN clause to restrict the rows to be processed by the query. If the higher-sensitivity labels do not have a higher label tag than the lower-sensitivity labels, the query potentially examines a larger set of rows. This affects performance by requiring more reads.
analyze the LBACSYS schema
Run the DBMS_STATS.GATHER_SCHEMA_STATS procedure on the LBACSYS schema, so that the cost-based optimizer can improve execution plans on queries. Having the statistics for the OLS data dictionary tables improves OLS performance.
index the policy label column, and
Create a bitmap index on the policy label column on the basis of the number of distinct values.
partition on the basis of the label
If you are using a numeric ordering strategy with the numeric label tags that you have applied to the labels, you can use this as a basis for data partitioning. Depending on the application, partitioning data on the basis of label values may or may not be useful.
Also, allow time to tune your application after applying OLS.
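The label tag tip above, as an added Python model (written for this page; not the course's code and not Oracle's predicate generator). With READ_CONTROL the generated BETWEEN range has to span every tag the session may read, so when higher levels do not carry higher tags the range also admits rows at levels the session cannot read, and each of those rows still has to be fetched and rejected by the full label check. The level ranks, the two tag assignments and the six-row table are constructed here, and the bound derivation is a deliberate simplification of what OLS actually emits.

```python
# Sensitivity rank of each level (constructed; higher = more sensitive).
LEVEL_RANK = {"PUBLIC": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Two ways of assigning numeric label tags to the same three labels.
ORDERED_TAGS = {"PUBLIC": 1000, "CONFIDENTIAL": 2000, "SECRET": 3000}    # tag follows sensitivity
UNORDERED_TAGS = {"PUBLIC": 3000, "CONFIDENTIAL": 1000, "SECRET": 2000}  # arbitrary tags

# Constructed protected table: (row_id, level); the label-tag column is derived from the level.
ROWS = [(1, "PUBLIC"), (2, "PUBLIC"), (3, "CONFIDENTIAL"),
        (4, "SECRET"), (5, "SECRET"), (6, "CONFIDENTIAL")]


def readable_levels(user_max_level):
    """Levels a session with this maximum level may read."""
    return [lvl for lvl in LEVEL_RANK if LEVEL_RANK[lvl] <= LEVEL_RANK[user_max_level]]


def read_control_range(tags, user_max_level):
    """Bounds of the BETWEEN predicate: it must span every tag the session may read."""
    readable_tags = [tags[lvl] for lvl in readable_levels(user_max_level)]
    return min(readable_tags), max(readable_tags)


def rows_examined(tags, user_max_level, rows=ROWS):
    """Rows surviving the BETWEEN pre-filter; each still needs the full label check."""
    lo, hi = read_control_range(tags, user_max_level)
    return [rid for rid, lvl in rows if lo <= tags[lvl] <= hi]


def rows_readable(user_max_level, rows=ROWS):
    """Rows the session is actually allowed to read (the final answer)."""
    return [rid for rid, lvl in rows if LEVEL_RANK[lvl] <= LEVEL_RANK[user_max_level]]


def wasted_reads(tags, user_max_level, rows=ROWS):
    """Rows examined by the pre-filter that the label check then rejects."""
    return len(rows_examined(tags, user_max_level, rows)) - len(rows_readable(user_max_level, rows))


if __name__ == "__main__":
    for name, tags in (("ordered", ORDERED_TAGS), ("unordered", UNORDERED_TAGS)):
        lo, hi = read_control_range(tags, "CONFIDENTIAL")
        print(f"{name:9s}: label_tag BETWEEN {lo} AND {hi} -> examines "
              f"{rows_examined(tags, 'CONFIDENTIAL')}, wasted reads {wasted_reads(tags, 'CONFIDENTIAL')}")
```

For a CONFIDENTIAL session the ordered scheme yields BETWEEN 1000 AND 2000 and touches exactly the four readable rows; the unordered scheme must use BETWEEN 1000 AND 3000, so both SECRET rows are read and then discarded.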
Question
Which actions may help to improve system performance when using OLS?
Options:
1. Planning a label tag strategy
2. Considering the use of a bitmap index on the label column
3. Applying policies to all tables
4. Removing label columns from existing indexes
Answer
Option 1: This option is correct. For optimal performance, you can plan a strategy for assigning values to label tags. In general, it is best to assign higher numeric values to labels with higher sensitivity levels.
Option 2: This option is correct. Creating a bitmap index on the policy label column on the basis of the number of distinct values may help to improve performance.
Option 3: This option is incorrect. In most cases, only a small subset of the tables in a database require row-level security. The policies you add will directly affect performance, so they should be used wisely.
Option 4: This option is incorrect. You should consider adding a label column to existing indexes to improve performance.
Correct answers:
1. Planning a label tag strategy
2. Considering the use of a bitmap index on the label column
Summary
In this topic, you've learned how data labels are created.
Implementing Oracle Label Security
Learning Objectives
After completing this topic, you should be able to
create labels and policies in Oracle Database 11g
apply policies in Oracle Database 11g
test access control
Exercise overview
The data in the HR.LOCATIO
Steps list
Instructions
3. Type PRIVLAB in the Label Column text box
4. Select the Hide Label Column checkbox
5. Select the Apply Policy Enforcements radio button
6. Select the For all queries (READ_CONTROL) checkbox
7. Select the For update and insert operations so that modified or new rows are read accessible (CHECK_CONTROL) checkbox
8. Click OK
Task 2: Creating levels and labels
You now want to create the levels and labels for the PRIVACY policy. You have already accessed the Label Components tab and added the first level. Add a second level with a long name of "SE
PRIVACY policy. Add the HR user to the list of users who are authorized for the PRIVACY policy. Search for the HR user, who appears in the second page of the results. Allow the user to assume the profile of another user and bypass all Label Security checks. Accept all default selections on the remaining screens and confirm the configuration.
Steps list
Instructions
1. Ensure Authorization is selected from the Actions drop-down menu and click Go
2. Click Add Users
3. Click Add
4. Click the Next
1. Click Create
4. Click the Flashlight icon
5. Type HR in the Schema text box and click Go
6. Select the Select radio button for the JOB_HISTORY row and click Select
7. Click OK
Task 3: Testing a policy
. Press Enter
4. Press Enter
Using the Data Masking Pack
Learning Objectives
After completing this topic, you should be able to
recognize how data masking works
create and use data masking
1. Implementing data masking
A number of regulations mandate that a company's confidential, sensitive, and personally identifiable data must be protected and access to this data must be restricted.
There is often a need to provide production data, or realistic-looking data, to in-house developers and testing organizations during application development.
Data masking is a way to meet these two conflicting needs. Data masking is the act of anonymizing customer, financial, or company confidential data to create new, legible data, which retains the original data's properties, such as width, type, and format.
In this example, three columns of the HR.EMPLOYEES table have been masked so that the data can be provided for testing or development without compromising the security of the information.
Graphic
The columns of the HR.EMPLOYEES table are EMPLOYEE_ID, LAST_NAME, DEPARTMENT_ID, and PHONE_NUMBER. The EMPLOYEE_IDs are specified
as 100, 105, and 110. The LAST_NAMEs are King, Austin, and Chen. The DEPARTMENT_IDs are 90, 60, and 100. And the PHONE_NUMBERs are 515.1
During this implementation, different types of administrators perform various functions.
Security administrator
The security administrator reviews the application database and identifies the sensitive data.
Application database administrator
The application database administrator defines the mask formats for sensitive data and creates a masking definition to associate table columns to the defined mask formats.
Database administrator
The database administrator clones the production database to a staging database, creates a masking definition if this task is not performed by the application database administrator, and executes the masking job.
The security administrator performs two tasks:
verify that the masked data meets the information security requirements and
refine the masking definition as necessary
If the masking definition is changed, the database administrator restores the altered tables and reapplies the masking definition until the optimal masking definitions are identified.
The application database administrator, business analyst, and users test the application. And the database administrator exports the masking definition for future use and clones the staging database to a test database.
2. Masking data
The security administrator would typically direct the process of identifying sensitive data for masking by identifying what types of information must be masked to comply with various regulations.
The application database administrator can use this technique to identify specific columns in database tables that should be masked. The application database administrator determines specific columns and flags the columns with a column comment. This technique will enable the database administrator to easily identify columns that are to be masked when creating masking definitions with the Data Masking Pack.
Code
COMMENT ON COLUMN hr.employees.employee_id IS 'MASK candidate: HR Benefits Policy';
COMMENT ON COLUMN hr.employees.first_name  IS 'MASK candidate: HR Privacy Policy';
COMMENT ON COLUMN hr.employees.last_name   IS 'MASK candidate: HR Privacy Policy';
COMMENT ON COLUMN hr.employees.salary      IS 'MASK candidate: HR Compensation Policy';
The Data Masking Pack format library contains predefined masking formats that are used to create a masking definition. A masking definition associates a masking format with a column in a database table.
There are built-in data masking primitives in the format library and you can define additional format masks.
The format library can be saved to an XML file so that it can be reused or shared with another installation of Enterprise Manager Grid Control that uses a different repository.
The Data Masking Pack includes built-in masking primitives for various types of data. The built-in data masking primitives are described in this table.
In addition to the built-in masking primitives, you can use built-in masking routines, such as shuffling. This routine is useful when the range of values in a column is not known and you determine that the shuffling of values in the same table provides a sufficient degree of privacy and protection.
Graphic
The Types of Built-in Masking Primitives and Routines table contains two columns, Type and Definition. The types listed and their definitions are:
Array List - List of values that will be selected randomly
Fixed Number - Number that will be used
Fixed String - Literal string that will be used
Random Dates - Range of dates that will be used randomly
Random Digits - Random digits in the specified range
Random Numbers - Range of numbers that will be used randomly
Random Strings - Literals in the specified range
Shuffle - Shuffling of original data
Substring - Literal with the specified start position and length
Table Column - The specified column that is used randomly
Question
Which data masking primitive or routine is best suited to mask data with a literal string?
Options:
1. Array List
2. Fixed String
3. Random Digits
4. Substring
Answer
Option 1: This option is incorrect. The Array List primitive is used to mask data using a list of values that will be selected randomly.
Option 2: This option is correct. The Fixed String primitive is used to mask data using a literal string. For example, you can use this to specify where a hyphen should appear in a telephone number.
Option 3: This option is incorrect. The Random Digits primitive is used to mask data with random digits in a specified range.
Option 4: This option is incorrect. The Substring routine is used to mask data using a literal with the specified start position and length.
Correct answers:
2. Fixed String
The Data Masking Pack also contains built-in masking primitives that can be used directly to mask column data. You can also use the built-in masking routines to directly mask the column data.
The built-in masking primitives and routines can also be used to build a more sophisticated masking format. If the built-in masking primitives and routines do not satisfy your data masking requirements, you can create a PL/SQL function to use for masking.
This is an example of data masking of the EMPLOYEES table.
EMPLOYEE_ID
Masking of the EMPLOYEE_ID column is accomplished by using one of the built-in masking primitives: Random
The mask for the LAST_NAME column is constructed by referencing another column in the database: Anglo-American last name.
The original values in the LAST_NAME column of the EMPLOYEES table are King, Austin, and Chen. And the masked values are Jefferies, Smith, and Allen.
PHONE_NUMBER
The PHONE_NUMBER column data mask is built from the masking primitives: Bay Area phone number.
The original values in the PHONE_NUMBER column of the EMPLOYEES table are 515.1
555 was specified as the value for the Fixed String mask primitive.
The description given is String Value: 555-
Random Digits was specified with a length of 4.
The description given is Digits Length Range: 4 - 4
Note
Sample values for this format are provided so that you can verify your specifications.
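The primitives from the Types of Built-in Masking Primitives and Routines table, and the phone-number format built from two of them (Fixed String "555-" followed by four Random Digits), as an added Python model. This is illustrative code written for this page, not the Data Masking Pack's implementation and not the course's code. The seed parameter (the Pack exposes none), the mask_rows helper, the three sample employee rows and the three-name stand-in for the page's "Anglo-American last name" column are all constructed here; Random Dates and Random Strings are omitted because they follow the same pattern.

```python
import random


# Each primitive is a factory returning a piece(rng, original) callable;
# a format is an ordered list of pieces whose outputs are concatenated.

def array_list(values):
    """Array List: one of the listed values, chosen at random."""
    return lambda rng, original: rng.choice(values)


def fixed_number(number):
    """Fixed Number: always the given number."""
    return lambda rng, original: str(number)


def fixed_string(literal):
    """Fixed String: always the given literal (e.g. a hyphen or an area code)."""
    return lambda rng, original: literal


def random_digits(min_len, max_len):
    """Random Digits: a digit string whose length lies in [min_len, max_len]."""
    def piece(rng, original):
        length = rng.randint(min_len, max_len)
        return "".join(str(rng.randint(0, 9)) for _ in range(length))
    return piece


def random_numbers(start, end):
    """Random Numbers: an integer in [start, end]."""
    return lambda rng, original: str(rng.randint(start, end))


def substring(start, length):
    """Substring: `length` characters of the original from 1-based `start` (as in SQL SUBSTR)."""
    return lambda rng, original: original[start - 1:start - 1 + length]


def table_column(column_values):
    """Table Column: a random value taken from another column (e.g. a list of surnames)."""
    return lambda rng, original: rng.choice(column_values)


def apply_format(pieces, original, seed=None):
    """Mask one value by concatenating the output of each piece in order."""
    rng = random.Random(seed)
    return "".join(piece(rng, original) for piece in pieces)


def shuffle_column(values, seed=None):
    """Shuffle routine: permute the column's own values among its rows."""
    shuffled = list(values)
    random.Random(seed).shuffle(shuffled)
    return shuffled


def mask_rows(rows, formats, seed=0):
    """Apply a per-column format to every row; the seed makes a run reproducible."""
    rng = random.Random(seed)
    masked_rows = []
    for row in rows:
        masked = dict(row)
        for col, pieces in formats.items():
            masked[col] = "".join(piece(rng, row[col]) for piece in pieces)
        masked_rows.append(masked)
    return masked_rows


# The page's phone format: Fixed String "555-" followed by Random Digits of length 4.
BAY_AREA_PHONE = [fixed_string("555-"), random_digits(4, 4)]

# Constructed stand-in for the "Anglo-American last name" column referenced on the page.
LAST_NAME_POOL = ["Jefferies", "Smith", "Allen"]
LAST_NAME_FORMAT = [table_column(LAST_NAME_POOL)]

# Constructed sample rows (names as on the page; phone numbers follow the HR sample schema).
SAMPLE_EMPLOYEES = [
    {"EMPLOYEE_ID": 100, "LAST_NAME": "King", "PHONE_NUMBER": "515.123.4567"},
    {"EMPLOYEE_ID": 105, "LAST_NAME": "Austin", "PHONE_NUMBER": "590.423.4569"},
    {"EMPLOYEE_ID": 110, "LAST_NAME": "Chen", "PHONE_NUMBER": "515.124.4269"},
]

if __name__ == "__main__":
    for row in mask_rows(SAMPLE_EMPLOYEES,
                         {"LAST_NAME": LAST_NAME_FORMAT, "PHONE_NUMBER": BAY_AREA_PHONE}, seed=1):
        print(row)
```

Note that nothing in these primitives ties a masked value to its original, so the same employee masked twice gets two different phone numbers; consistency across rows and tables is the job of the mapping table described in the masking process later in this topic.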
A PL/SQL function of your own design can be used to mask data. This function is used to generate a mask for the e-mail address. This code is executed on the target database.
Code
CREATE OR REPLACE FUNCTION hr.email_mask
  (orig_value VARCHAR2) RETURN VARCHAR2
IS
  emailadd VARCHAR2(100);
BEGIN
  SELECT first_name || '.' || employee_id || '.' ||
         last_name || '@not_realco.com' INTO emailadd
    FROM hr.employees
   WHERE email = orig_value;
  RETURN emailadd;
END;
/
After creating the PL/SQL function that you intend to use for masking, you can specify it in a data mask format.
In this example, you specify User Defined Function as the format entry type and specify the previously created function.
Graphic
You specify the function name as hr.email_mask in the User Defined Function field.
The user-defined function created is applied and the sample masked data is listed in the Masking Definition: Define Format page.
Graphic
In this example, the database is p
The domain name used in this example is in an illegal format. The @ character is not allowed in domain names.
A predefined PL/SQL function can be specified as a postprocessing function. This function will execute against the data after it is masked.
This function is created in the Enterprise Manager repository.
Graphic
You specify this function in the Post Processing Function field in the Masking Definition: Define Format page.
You can create a PL/SQL function such as the checksum function. This function is executed after the data is masked.
The p;7 parameter is the masked data (new value).
In this example, the checksum function is applied to the masked data. The results are listed in the sample masked data.
Graphic
The results listed under the Sample Masked Data section are the following:
Susan.
in the EMPLOYEES.EMPLOYEE_ID column which is listed under the Sample Masked Data section:
FBAB;;
=B2=;2
The following are the initial steps to create the masking definition:
Graphic
The Database Instance: orcl page is opened.
1. on the Administration tabbed page, select Definitions in the Data Masking region
The Data Masking region also contains one other link - Format Library.
2. on the Masking Definitions page, click Mask
The Masking Definitions page contains a Search drop-down list, a text field, and the Go and Import buttons. It also contains a table with the columns - Select, Masking Definition, Database, Description, Columns, and Most Recent Job Ended.
3. specify a name for the mask and the database name, and
These details are entered in the fields - Name and Database. In this example, the name entered for the mask is MASKING_DEF_1 and the database name is orcl
enter a start value of 100000 and an end value of 999999 and click OK
These values are entered in the Start Value and End Value fields respectively in the Random Numbers section of the Masking Definition: Add Format Entry page.
The Data Masking Pack automatically identifies all columns related to the selected column based on referential integrity constraints defined in the data dictionary.
The masking rule defined for the primary key column is also automatically applied to the associated columns as listed in this example.
Graphic
These details are listed in two tables. The first table contains the columns - Select, Owner, Table, Column, Data Type, Format, Foreign Key Columns, and Dependent Columns. The Dependent Columns column is further subdivided into two columns - Count and Add. In this example, the owner is HR, the table is EMPLOYEES, the column is EMPLOYEE_ID, the data type is NUMBER(6), and the Foreign Key Columns entry is 5.
The second table - Foreign Key Columns - contains the columns - Owner, Table, Column, Parent Owner, Parent Table, and Parent Column. In this example, this table contains three rows. The owner specified in all three rows is HR; the table names specified in each row are DEPARTMENTS, EMPLOYEES, and JOB_HISTORY; the columns specified in each row are MANAGER_ID, MANAGER_ID, and EMPLOYEE_ID; and the parent owner, parent table, and parent column specified in all three rows are HR, EMPLOYEES, and EMPLOYEE_ID respectively.
If the relationships between tables are defined in the application, you can use the Dependent Column feature to add associated columns.
Graphic
The Masking Definition: Add Columns page is opened. You can search for and add dependent columns that do not have foreign key constraints defined on this page. To do this, you specify the schema, table, and column name and click Search.
You can also create a masking definition for a column by using a previously defined data masking format.
To do this, perform the following steps:
Graphic
The Masking Definition: Define Format page is opened.
after selecting the table and column for masking, click Import From Library to import the masking definitions from the library and
In this example, the database is orcl
Option 1: This option is correct. You can create a masking definition for a column by using a previously defined data masking format. To do this, you use the Import From Library feature.
Option 2: This option is incorrect. The Data Masking Pack automatically identifies all columns related to the selected column based on referential integrity constraints defined in the data dictionary.
Option 3: This option is correct. A PL/SQL function of your own design can be used to mask data. You should review the masking functions and their results to ensure that the function actually provides the level of protection required.
Option 4: This option is incorrect. You can create a data mask format by using multiple built-in data mask primitives. For example, you could use Array List, Fixed String, and Random Digits to mask telephone numbers.
Correct answers:
1. You can create a masking definition using a previously defined format
3. You can use a PL/SQL function you design to mask data
3. Using the Mask Wizard
The Mask Wizard generates a masking script and produces an impact report that you can review before submitting the data masking job. The Mask Wizard checks whether there is sufficient space for the masking operation. If error-level messages result during this step, masking cannot continue. You must correct any errors before proceeding.
The Mask Wizard also ensures that uniqueness can be maintained and that data mask formats match column data types. It warns about check constraints and checks for the presence of default partitions.
Graphic
The Processing: Generating Data Masking Script page is opened. It lists the database details. The database is p
The original table, the new table plus mapping tables, and indexes on both original and new tables exist at the same time during the masking process.
Graphic
These details are displayed in the Mask: Impact Report, which is currently opened. In addition to the database details, this page also lists the script generation summary and information.
Under the Script Generation Summary section, information about the Most Serious Message Severity and the date and time when the generation started and completed is listed. In this example, the Most Serious Message Severity is listed as INFORMATION.
Under the Script Generation Information section, a table provides information about the objects and resources examined during script generation and lists details of any warnings or errors detected. The table contains the columns - Object Name, Object Type, Message Severity, Message Type, and Message.
The script generation step of the wizard produces a script that you can review and save.
Graphic
The script is listed under the Script section. You can opt to view the full script or the script summary by selecting the radio buttons - Script Summary and Full Script. The Script Summary option is selected in this example. The script summary is a list of the database commands that will be used to mask the selected columns. The full script is a PL/SQL script that includes functions, procedures, and other commands needed during the masking operation. The full script will be created when you submit the job and will be executed by the job to perform the masking operation.
The data masking job performs bulk operations to rapidly replace the table containing sensitive data with an identical table containing masked data while retaining the original database constraints, referential integrity and associated access structures, such as indexes, partitions, and access permissions, such as grants.
The script takes advantage of the built-in optimizations in the database. It disables database logging and runs in parallel to quickly create a masked replacement for the original table. The original table containing sensitive data is dropped from the database completely and is no longer accessible.
These are the steps in the masking process:
1. build a mapping table for each column to be masked; the mapping table contains (original_value, mask_value)
2. drop constraints and revoke grants
3. rename the table
4. create a new table using mapping tables joined to the original table
5. create indexes on the new table
6. collect statistics
7. replace constraints and grants
8. drop indexes on the original table and drop the original table with the purge option, and
9. drop mapping tables
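The nine-step process above, and the earlier point that a primary key's masking rule is propagated to its foreign-key columns, as an added Python model run on in-memory tables. This is illustrative code written for this page, not the Data Masking Pack's generated script and not the course's code. The three HR-style tables, the seed, and the 100000 to 999999 range for EMPLOYEE_ID (the page's Random Numbers values) are constructed here; the dependent columns are the three listed in the page's Foreign Key Columns table. Steps 2 to 8 (constraints, grants, indexes, statistics, the rename and the purge) have no equivalent on Python lists, so the model collapses them into rebuilding every affected table from one shared mapping table and then discarding that table.

```python
import random

# Constructed HR-style tables (not the course's data): each table is a list of rows.
DB = {
    "EMPLOYEES": [
        {"EMPLOYEE_ID": 100, "LAST_NAME": "King", "MANAGER_ID": None},
        {"EMPLOYEE_ID": 105, "LAST_NAME": "Austin", "MANAGER_ID": 100},
        {"EMPLOYEE_ID": 110, "LAST_NAME": "Chen", "MANAGER_ID": 100},
    ],
    "DEPARTMENTS": [
        {"DEPARTMENT_ID": 90, "MANAGER_ID": 100},
        {"DEPARTMENT_ID": 60, "MANAGER_ID": 105},
    ],
    "JOB_HISTORY": [
        {"EMPLOYEE_ID": 110, "JOB_ID": "IT_PROG"},
    ],
}

# Columns that reference EMPLOYEES.EMPLOYEE_ID, as in the page's Foreign Key Columns table.
DEPENDENTS = [("EMPLOYEES", "MANAGER_ID"), ("DEPARTMENTS", "MANAGER_ID"), ("JOB_HISTORY", "EMPLOYEE_ID")]


def build_mapping_table(values, start, end, seed):
    """Step 1: (original_value, mask_value) for every distinct original value.
    Masked values are drawn without replacement so a unique key stays unique."""
    originals = sorted({v for v in values if v is not None})
    masks = random.Random(seed).sample(range(start, end + 1), len(originals))
    return dict(zip(originals, masks))


def mask_key_column(db, table, column, dependents, start=100000, end=999999, seed=0):
    """Steps 2-9 of the job, modelled on copies: rebuild the masked table and every dependent
    column from the same mapping table, then discard the mapping table and the originals.
    Returns a new database; `db` is left untouched (the real job drops the original table)."""
    mapping = build_mapping_table([r[column] for r in db[table]], start, end, seed)
    targets = [(table, column)] + list(dependents)
    new_db = {}
    for name, rows in db.items():
        cols = [c for t, c in targets if t == name]
        rebuilt = []
        for row in rows:
            new_row = dict(row)
            for c in cols:
                if new_row[c] is None:
                    continue
                # A value with no mapping entry is an orphan reference; the job must stop
                # rather than leave the real value behind in the masked table.
                if new_row[c] not in mapping:
                    raise ValueError(f"{name}.{c}={new_row[c]} has no parent key")
                new_row[c] = mapping[new_row[c]]
            rebuilt.append(new_row)
        new_db[name] = rebuilt
    del mapping  # step 9: the mapping table is dropped, so originals cannot be recovered
    return new_db


def referential_integrity_ok(db, dependents, parent=("EMPLOYEES", "EMPLOYEE_ID")):
    """Every non-null dependent value must still match a parent key after masking."""
    keys = {r[parent[1]] for r in db[parent[0]]}
    return all(r[c] is None or r[c] in keys for t, c in dependents for r in db[t])


def originals_remaining(old_db, new_db, table, column):
    """Original key values still present anywhere in the masked database."""
    old = {r[column] for r in old_db[table]}
    present = {value for rows in new_db.values() for r in rows for value in r.values()}
    return old & present


if __name__ == "__main__":
    masked = mask_key_column(DB, "EMPLOYEES", "EMPLOYEE_ID", DEPENDENTS, seed=1)
    for name, rows in masked.items():
        print(name, rows)
    print("referential integrity:", referential_integrity_ok(masked, DEPENDENTS))
    print("originals left behind:", originals_remaining(DB, masked, "EMPLOYEES", "EMPLOYEE_ID"))
```

The check worth keeping from this model is the pair of functions at the end: after a masking run, every foreign-key value should still resolve to a parent row, and no original key value should survive anywhere, which is exactly what the mapping-table join guarantees and what a per-row primitive such as Random Numbers on its own would not.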
Question
What are the characteristics of the data masking process?
Options:
1. It runs in parallel with database logging enabled
2. It performs bulk operations to create a table containing masked data
3. The new table and the original table exist in the database when complete
4. The mapping table contains the original value and masked value
Answer
Option 1: This option is incorrect. The data masking definitions script takes advantage of the built-in optimizations in the database. It disables database logging and runs in parallel to quickly create a masked replacement for the original table.
Option 2: This option is correct. The data masking job performs bulk operations to rapidly replace the table containing sensitive data with an identical table containing masked data, while retaining the original database constraints, referential integrity and associated access structures, such as indexes, partitions, and access permissions, such as grants.
Option 3: This option is incorrect. During the mapping process, the original table containing sensitive data is dropped from the database completely and is no longer accessible.
Option 4: This option is correct. The first step in the masking process is to build a mapping table for each column to be masked. The mapping table contains the original value and the masked value.
Correct answers:
2. It performs bulk operations to create a table containing masked data
4. The mapping table contains the original value and masked value
After you have completed the masking definition, you can save the definition in a portable XML format called Application Masking Template. This enables you to restore the masking definition if needed and to share the masking definition with another Enterprise Manager Grid Control installation.
Application Masking Template is created by using the Export Mask Definition feature.
Graphic
To use this feature, you click the Export button in the Masking Definitions page, which is currently opened.
You can import a previously exported masking definition that is stored in an XML file into the Enterprise Manager Grid Control repository. This enables you to use the masking definition for new masking definitions.
Graphic
You do this using the Import Masking Definition: Select File page, which is opened. You use this page to import a masking definition that was previously exported from the Data Masking page. Select the exported file and continue to import the masking definition into a repository. You can select the file by clicking the Browse button beside the File field. The page also contains the Cancel and Continue buttons.
Create custom reports by using Enterprise Manager Grid Control Reports. The 10.2.0.4 version of Data Masking allows you to create custom reports to monitor and audit data masking operations.
Auditors need to review the following types of information with respect to data masking:
number of masking sessions
columns that were masked
masking formats used, and
dependent columns that were masked (that were not identified by existing constraints)
Although there are no predefined data masking reports in Enterprise Manager Grid Control, you can create data masking reports by using the Reports Definition capability.
To create data masking reports, perform these initial steps:
Graphic
The Home tabbed page of Enterprise Manager Grid Control is opened. The other tabs in the Grid Control are Targets, Deployments, Alerts, Compliance, Jobs, and Reports.
1. click the Reports tab in Enterprise Manager Grid Control
2. click Create in the Report Definitions page
This page contains the Search section that comprises the fields - Title, Owner, Target Type, and Target Name, and the buttons - Delete, Create Like, Edit, and Create. It also displays a table with the various reports. The table contains the columns - Select, Title, Description, Date Generated, and Owner.
3. specify a report title, such as Data Masking Report, in the Create Report Definition page
The page has four tabs - General, Elements, Schedule, and Access. The Title field is available in the General tabbed page. Other fields are the drop-down lists - Category and Subcategory, and the Description box. It also contains the buttons - Add Category and Add Subcategory.
4. select Security from the Category drop-down list, or create another category such as Custom, and
Other options in the Category drop-down list are Deployment and Configuration, EM, Enterprise Manager Setup, Monitoring, and Storage. To create a new category, you click the Add Category button.
5. select Security Policy Overview from the Subcategory drop-down list or create a new subcategory such as Data Masking
Other options in the Subcategory drop-down list include Alerts and Policy Violations, Oracle Application Server Software, Oracle Database Configuration, Oracle Database Software, Oracle Database Space Issues, Oracle Database Space Usage, Oracle Home Patch Advisories, Policy Groups, and Root Cause Analysis.
These are the remaining steps to create data masking reports:
Graphic
The Create Report Definition page is opened.
1. click the Elements tab
2. on the Elements tabbed page, click Add
The page contains a table with columns - Type, Header, Targets, Set Parameter, and Remove. It also
contains the Layout button, which is currently disabled.
3. select an element type = Table from SQL
Various element types are displayed in the table. The element type is selected by selecting the radio
button against the element type.
4. click Continue
5. click Set Parameters
This is done by selecting the icon in the Set Parameters column.
6. enter a header and SQL statement, and then click Continue in the Set Parameters page, and
The header is entered in the Header field as Data Masking Report. The SQL statement is entered in
the Statement field. The SQL statement defines a customized table that returns the result set to be
displayed.
7. click OK
Other buttons present are Preview and Cancel.
This is an example of the elements of a Data Masking Auditors report.
Use the learning aid Sample Data Masking Auditors Report to view other
examples of the elements of a sample Data Masking Auditors report.
Summary
In this topic, you've learned how to use data masking.
Sample Data Masking Auditors Report
Purpose: Use this learning aid to view the elements of a sample Data Masking Auditors report.
This is an example of the elements of a Data Masking Auditors report.

-- Recovered from a garbled extract of the learning aid. The leading columns of the
-- first select list are truncated in the source (shown as ...), one rule-type code is
-- unreadable (shown as 'S?'), and identifiers are reproduced as recovered, so
-- mgmt_dm_alitems and mgmt_dm_icons_columns may be incomplete.
select ... e.entry_order "Sequence",
       decode(e.rule_type, 'RN', 'Random Number', 'CC', 'Table Column',
              'DT', 'Random Date', 'AL', 'Array List', 'FN', 'Fixed Number',
              'FS', 'Fixed String', 'RD', 'Random Digits', 'RS', 'Random String',
              'S?', 'Shuffling', 'UF', 'User Defined Function',
              'UT', 'Post') "Format",   -- the 'UT' label is cut short in the source
       decode(e.rule_type,
              'RN', 'Start Length: ' || rule_low || ' End Length: ' || rule_high,
              'CC', 'Schema owner: ' || e.table_schema || ' Source table and column: '
                    || e.table_name || '.' || e.column_name,
              'AL', a.arraylist_item,
              'FS', fixed_string,
              'RD', 'Start Digits: ' || rule_low || ' End Digits: ' || rule_high,
              null) "Format Entry Parameters"
from sysman.mgmt_dm_ruleentry e, sysman.mgmt_dm_scopespecs s,
     sysman.mgmt_dm_ss_columns c, sysman.mgmt_dm_alitems a,
     sysman.mgmt_dm_job_executions j
where e.rule_guid = c.rule_guid
  and e.rule_guid = a.rule_guid (+)
  and e.entry_order = a.entry_order (+)
  and s.ss_guid = j.ss_guid
  and s.ss_guid = c.ss_guid
  and s.source_id = EMIP_BIND_TARGET_GUID
order by s.ss_name, c.table_schema, c.table_name, c.column_name, e.entry_order

select c.parent_schema "Primary Schema", c.parent_table "Primary Table",
       parent_column "Primary Column", c.table_schema "Dependent Schema",
       c.table_name "Dependent Table", c.column_name "Dependent Column"
from sysman.mgmt_dm_icons_columns c, sysman.mgmt_dm_scopespecs d
where d.ss_guid = c.ss_guid
  and d.source_id = EMIP_BIND_TARGET_GUID
Implementing Data Masking
Learning Objective
After completing this topic, you should be able to
use the Data Masking Pack
Exercise overview
You want to apply data masking to the HR_TEST schema. You have identified the
columns with sensitive data, and want to create a phone number mask for
generating a data-masking job
Task 1: Creating a masking format
You have started the creation of a masking format named . Select Fixed String from the Add drop-down list and click Go
4. Type
Task 2: Creating a masking definition
You now want to create a masking definition for a specific column in the EMPLOYEES
table. Create a masking definition for the EMPLOYEE_ID column of the
HR_TEST.EMPLOYEES table. Specify a name of HR_MASK and a description of "HR
Masking Policy." To return the list of columns, search for the EMPLOYEES table using the
HR_TEST schema. Define and add the format for the EMPLOYEE_ID column, specifying
a random number entry from 10000 to 99999. Then confirm and save the masking
definition. Accept all other default selections.
Steps list
Instructions
1. Click Mask
2. Type HR_MASK in the . Type HR Masking Policy in the Description text box and click Add
4. Type hr_test in the Schema text box, type employees in the Table . Type oracle in the Username text box
4. Type oracle in the Password text box and click Next
5. Click Submit
6. Click View Job Details