oracle database 11g oracle label security and the data masking pack

Upload: yelena-bytenskaya

Post on 02-Jun-2018


  • 8/10/2019 Oracle Database 11g Oracle Label Security and the Data Masking Pack

    1/59


Access to every table in the database is controlled by DAC. In this example, Joe issues a SELECT statement against the emp table. Because Joe has received the SELECT privilege on the emp table, he sees a result returned.

Because Fred's access privilege is revoked, when he issues a SELECT statement against the emp table, he sees the error message "Table or view does not exist."

The granularity of DAC is at the object level by privilege. There are four basic privileges (SELECT, INSERT, UPDATE, and DELETE) plus several more that depend on the object type. In most databases, DAC is sufficient to handle the access control needs.

Graphic

The command to grant SELECT privileges on the emp table to Joe is the following:

GRANT SELECT ON emp TO JOE;

The command to revoke the access privilege from Fred on the emp table is the following:

REVOKE SELECT ON emp FROM FRED;

If viewing certain columns is limited to certain individuals or job functions, you can use DAC to enforce that restriction: place those columns in a separate table and join on a key value, or hide the columns from all but authorized users by defining a view of all but the sensitive columns.

Even in situations where DAC does not meet the needs for access control, there are seldom more than a few tables that require row-level access control. If the data in a row determines who is allowed to access the row, DAC is inadequate. For these situations, row-level access control is required.

OLS does not bypass DAC but supplements it. For all users making a SQL request, DAC is applied first. DAC denies access to all users without the correct privileges.

After DAC is applied, Oracle Database checks whether an OLS policy is applied.

Additional predicates can easily be added to the policies to further refine access because OLS is built on the same infrastructure as the VPD.

The objects in the database can have rows that are labeled. Access to rows is restricted on the basis of OLS authorizations.

Graphic

In this example, the first two rows in the table are assigned the OLS labels Sensitive and Highly sensitive. The third row is assigned the OLS label Confidential. Based on DAC, the user is granted the SELECT object privilege. Based on the OLS access mediation, the user can access only the row with the Confidential OLS label.

There are, however, a few conditions under which OLS is not enforced. It is not enforced during a DIRECT path export and cannot be applied to objects in the SYS schema.

Also note that the SYS user and users with the special EXEMPT ACCESS POLICY database privilege are exempt from both OLS and VPD enforcement. The EXEMPT ACCESS POLICY privilege is a powerful database privilege and should be managed carefully.

If your site requires that the SYS user and users with DBA-type privileges are not allowed to view application data, Oracle Database Vault (DV) has the facilities to meet this requirement. DV and OLS are designed to work together.

To use the sensitivity labels, you perform the following actions:

specify data sensitivity

Labels are used to specify the sensitivity of data. These are known as data labels. Each row has a data label. In the example, the row has a label of Secret::.

specify label authorizations, and

Labels are used to specify a user's security clearance or label authorization. Each user is assigned a set of labels that indicate the range of data labels that the user is allowed to read and write. In this example, the user has a label of TopSecret::.

implement access mediation

The user label and the data labels are compared in a process known as access mediation that uses a set of algorithms supplied by OLS. Users are allowed to view the row when their label dominates the data label of that row. Otherwise, they are not able to see the row.

In this example, the user's label of TopSecret:: dominates the data label of Secret:: and access is allowed. Whether a particular label dominates another is determined by the security administrator when the labels are created.

2. Installing and using OLS

To install OLS, perform the following steps:

use the Oracle Universal Installer, also known as OUI, Custom Install option

Use the Custom Install option of OUI to add the Label Security option to a base installation.

use Database Configuration Assistant, commonly known as DBCA, to configure OLS, and

Oracle highly recommends that you use DBCA to configure the Label Security option. This configuration creates the LBACSYS user and the LBAC_DBA role, and more than 200 objects. The database must be restarted after the configuration is complete.

use Enterprise Manager to manage the Label Security policies

Use Enterprise Manager to manage the Label Security policies. Enterprise Manager has pages that enable you to create policies and manage labels and policies. These pages are available in the Security section under the Server tab on the database home page of Database Control in Oracle 11g. The same pages can be seen in Grid Control 10g Release 4 by navigating to a target database and clicking the Administration tab.

OLS is a packaged system that provides an easy-to-implement row-level security solution, where access control is based on data sensitivity. Security requirements are complicated by data restrictions generated by regulatory compliance.

For example, medical data can be viewed only by attending medical professionals and by the person whose data it is.

Installation of OLS with OID allows label authorizations to be part of your standard provisioning process.

Note

OLS integration with Oracle Identity Management was first available in Oracle Database 11g Release 1.

For sites that use OID, databases retrieve the OLS policy information from the directory. Administrators use the olsadmintool policy administration tool to operate directly on the directory to insert, alter, or remove metadata as needed.

Because enterprise users can log in to multiple databases by using the credentials stored in OID, it is logical to store their OLS policy authorizations and privileges there as well. An administrator can then modify these authorizations and privileges simply by updating metadata in the directory. Other aspects of managing enterprise users are performed through the Oracle Identity Management Provisioning console.

For distributed databases, centralized policy management removes the need for replicating policies because the appropriate policy information is available in the directory. Policy changes in the directory are synchronized with policy information in the databases by means of the Directory Integration Platform and are effective without requiring further effort.

The following OLS information is stored in the directory:

policy information, namely, policy name, column name, policy enforcement options, and audit options

user profiles identifying their labels and privileges

policy label components, namely levels, compartments, and groups, and

policy data labels

The database-specific metadata is not stored in the directory. Examples include

lists of schemas or tables, with associated policy information, and

program units, with associated policy privileges

Question

Identify the features of OLS.

Options:

1. It provides an easy-to-implement row-level security solution

2. It relies on the database as the central repository for policy authorization

3. It is built on the fine-grained access control technology of VPD

4. It stores tables and their associated policy information in the directory

Answer

Option 1: This option is correct. OLS is a packaged system that provides an easy-to-implement row-level security solution, where access control is based on data sensitivity.

Option 2: This option is incorrect. Previous releases of OLS have relied on Oracle Database as the central repository for policy and user label authorizations. Now OLS is integrated with Oracle Identity Management.

Option 3: This option is correct. OLS relies on the fine-grained access control technology of VPD, and an advantage of using OLS is that it is a complete system and a ready-to-use VPD.

Option 4: This option is incorrect. Lists of schemas or tables with their associated policy information, as well as program units and their associated policy privileges, are not stored in the directory.

Correct answer(s):

1. It provides an easy-to-implement row-level security solution

3. It is built on the fine-grained access control technology of VPD

VPD provides an API for implementing row-level security by using application context. The policy procedures, the application context, and the rules for controlling access to the data must be created by developers.

To implement this, OLS provides a complete system comprising various components such as

access rules

OLS comes with predefined access rules. These rules meet the requirements of many applications without modification. These rules can be customized to meet special circumstances.

common criteria

OLS has been evaluated under the International Common Criteria (ISO 15408) at Evaluation Assurance Level (EAL) 4. The Common Criteria standard has superseded the DOD Orange Book standard and other European and Russian standards.

complete data dictionary, and

The complete data dictionary is provided in the database to manage the aspects of OLS.

a complete user interface

Enterprise Manager provides a graphical interface that allows point-and-click control. The SA_* packages provide a complete command-line interface.

OLS is built on the same technology as that used for the VPD. However, there are certain differences in some features.

Access control

OLS does not depend on pre-existing data attributes as the basis for access control, but depends on assigned data labels and user clearances.

Every application of VPD is custom built. VPD provides row-level access control by using application context and a WHERE clause that is added to every SQL statement.

Client requirements implementation

OLS provides the packages required to implement the customer requirements, and so no coding is required.

VPD implements customer requirements with user-programmed policies.

Table changes

OLS adds a column to every table protected. This column can be a hidden column.

In VPD, no columns are added.

New data classification

OLS classifies new data automatically.

VPD does not classify new data automatically.

Policy application

When new data is added to the protected table, OLS assigns data labels based on the user clearance automatically.

If new values are placed in the columns used by VPD, the WHERE clause in the policy may need to be changed. The updated policy can then be automatically applied.

Column-level control

OLS is designed to work with column-level VPD and DV. A column-level policy can be applied to further restrict column access, and user clearances can be used as factors in DV to limit access to schemas and commands.

VPD uses only column-level VPD.

When analyzing the need for OLS, you need to first identify the application tables that need OLS. Usually, only very few tables hold data that requires the protection provided by OLS.

Do not apply OLS where it is not needed. Use the appropriate security technology for your problem. OLS has a performance cost. Identify the most resource-intensive application queries and tune them for use in the OLS environment.

The following technologies typically meet most access control requirements:

DAC

DAC is always applied before the OLS policies. DAC specifies access control privileges at the object level.

stored procedures and functions, and

Stored procedures and functions can be used to encapsulate objects, allowing the owner to expose only certain methods of accessing the object. This technique can provide very tight control over data integrity.

DV

Oracle Database Vault, commonly known as DV, can be used to extend DAC in ways that OLS cannot.

Question

Which statements best describe evaluating the need for OLS?

Options:

1. Few tables hold data that require the protection provided by OLS

2. DAC is sufficient for all tables

3. Stored procedures and functions can be used to encapsulate objects

4. There is no performance cost associated with OLS

Answer

Option 1: This option is correct. You should identify the tables that need OLS, because usually very few tables do. You should not apply OLS where it is not needed.

Option 2: This option is incorrect. DAC is sufficient for most but not all tables. It is always applied before the OLS policies and specifies access control privileges at the object level.

Option 3: This option is correct. Stored procedures and functions can be used to encapsulate objects, allowing the owner to expose only certain methods of accessing the object.

Option 4: This option is incorrect. OLS has a performance cost. You should identify the most resource-intensive application queries and tune them for use in the OLS environment.

Correct answer(s):

1. Few tables hold data that require the protection provided by OLS

3. Stored procedures and functions can be used to encapsulate objects

Summary

In this topic, you've learned how Oracle Label Security works.

Creating Policies

Learning Objective

After completing this topic, you should be able to

recognize how to create a policy

1. Implementing the OLS policy

To implement an Oracle Label Security, also known as OLS, policy, develop a strategy.

Before developing the strategy, talk to the right people. Identify those individuals in your organization who really understand the business-security problem. Make sure that you understand the problem before adding additional security to your application.

After developing the strategy, analyze the data to be protected. Ask questions such as

Where does the sensitive data reside in the application (which tables)?

Who needs access to this data?

Who owns the data?

Who should be able to read the data?

Who should be able to make updates?

The analysis includes a grouping of the user community by access needs, such as

Does that grouping follow organizational lines?

Does it depend on the job function?

Note

This process is repeated for each set of data that is to be protected.

The security officer must be given specific permissions to create and administer policies and labels. These actions are performed by using the Oracle Policy Manager interface or PL/SQL packaged procedures.

Finally, you perform these steps to complete the implementation of the OLS policy:

assign user authorizations and

A user authorization is the range of labels that a user can access. They are created and assigned to the user on the basis of access requirements. Special privileges are included in this set of authorizations.

After the policy has been applied, no user can access the data without a set of authorizations. This step is independent of applying the policy; user authorizations can be assigned before or after the policy is applied.

review and document your policy decisions

The policy decisions are reviewed and documented. This documentation provides a reference point for future changes and audits. Implementing label security can be complex. Many seemingly small decisions are made for ease of use or performance. When these policies are called into question, the documentation saves many hours of reanalyzing the application.

2. Creating policies

The first step in setting up Oracle Label Security, also known as OLS, is to create policies. The named policy is a container for all the information that is associated with a policy: labels, tables, views, privileges, and procedures.

Use the CREATE_POLICY procedure to create a new OLS policy, define a policy-specific column name, and specify a set of default policy options. The column is added to every table associated with the policy. The policy can be created using Enterprise Manager or PL/SQL using this syntax.

Syntax

PROCEDURE CREATE_POLICY (
  policy_name IN VARCHAR2,
  column_name IN VARCHAR2 DEFAULT

Code

BEGIN
  SA_SYSDBA.CREATE_POLICY(
    POLICY_NAME => 'FACILITY',
    COLUMN_NAME => 'FACLAB',
    DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;

A basic policy with full enforcement would have three enforcement options enforced:

READ_CONTROL

WRITE_CONTROL, and

LABEL_DEFAULT

The interaction of these various enforcement options should be well understood for effectively designing an OLS system.

Access-control enforcement controls read and write access to the data.

The policies can be set for each type of data manipulation language, abbreviated as DML, with two options:

READ_CONTROL and

READ_CONTROL enforces the policy for all queries, controlling which data rows are accessible for SELECT, UPDATE, and DELETE. If READ_CONTROL is OFF on a policy, for any table protected by the policy, all rows are accessible to all users.

WRITE_CONTROL

WRITE_CONTROL determines the ability to insert, update, and delete data in a row. If this option is active, it enforces INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL.

You can apply INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL separately.

Label-management enforcement ensures that data labels written for inserted or updated rows do not violate policies set for such labels, with these three options:

LABEL_DEFAULT

LABEL_DEFAULT uses the session's default row label value unless the user explicitly specifies a label on INSERT.

LABEL_UPDATE, and

LABEL_UPDATE applies policy enforcement to the UPDATE operations that set or change the value of a label attached to a row. The WRITEUP, WRITEDOWN, and WRITEACROSS privileges are enforced only if the LABEL_UPDATE option is active.

3. CHECK_CONTROL

4. NO_CONTROL

Answer

Option 1: This option is incorrect. READ_CONTROL enforces the policy for all queries, controlling which data rows are accessible to SELECT, UPDATE, and DELETE.

Option 2: This option is incorrect. LABEL_UPDATE applies policy enforcement to the UPDATE operations that set or change the value of a label attached to a row.

Option 3: This option is correct. CHECK_LABEL is considered a label-management enforcement option. It applies the READ_CONTROL policy enforcement to ensure the new row label is read-accessible to the user that is changing it when using INSERT and UPDATE statements.

Option 4: This option is incorrect. NO_CONTROL applies no enforcement options.

Correct answer(s):

3. CHECK_CONTROL

3. Defining labels

Each data label can have three parts: a level, one or more compartments, and one or more groups. Every label must have a level, but the compartment and group portions of the label are optional.

Each level, compartment, and group that will be used in a label must be created before it can be used in a label.

Defining the needed levels, groups, and compartments follows the analysis of the data-security needs. Each part of the label is defined.

Every label must have a level defined, and by implication, every row protected by Oracle Label Security, also known as OLS, must be assigned to a level.

Graphic

A level is a ranking that denotes the sensitivity of the information it labels. The more sensitive the information, the higher its level. Every label must include one level. Although both long and short names for the level (and for each of the other label components) can be defined, only the short name is displayed upon retrieval.

Only the short names are used during label manipulation.

Levels can be assigned in the Levels page, which is currently opened. The page contains a table with the columns Select, Long Name, Short Name, and Numeric Tag, and the Select All and Select None links.

Levels have many characteristics:

A level is an arbitrary name, such as SENSITIVE or CLASSIFIED. Higher and lower levels are determined by the tag (the numeric form of the level). The numeric form can range from 0 through 9999. A user with a higher level can access lower levels. Levels have a ranking determined by the numeric tag.

The arbitrary names are listed in the Long Name column and the numeric tag in the Numeric Tag column.

Assume that only levels are used. A user with a label of SENSITIVE can access data with a SENSITIVE level or below. Other levels listed are PUBLIC, CONFIDENTIAL, and HIGHLY SENSITIVE.

Each policy has its own set of levels, which are part of the label that is assigned to users and data.

In this example, the SENSITIVE data level has a short name of S and a numeric tag ending in 00.

The PUBLIC level has the short name of P and a numeric tag of 100, the CONFIDENTIAL level has the short name of C and a numeric tag of

Syntax

PROCEDURE CREATE_LEVEL (
  policy_name IN VARCHAR2,
  level_num IN I

Code

BEGIN
  SA_COMPONENTS.CREATE_GROUP('FACILITY',1000,'WR','WESTERN_REGION');
  SA_COMPONENTS.CREATE_GROUP('FACILITY',1200,'WR_FIN','WR_FINANCE','WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY',1210,'WR_AP','WR_ACCT_PAYABLE','WR_FIN');
END;

Syntax

PROCEDURE CREATE_GROUP (
  policy_name IN VARCHAR2,
  group_num IN I

Optional compartments are OP, CH, and FIN. FIN could appear in the Compartment field of the level:compartment:group label.

To define compartments, the DBA or security administrator uses the CREATE_COMPARTMENT procedure of the SA_COMPONENTS package or Enterprise Manager.

This is the syntax and an example of the procedure being used to define a compartment.

Code

BEGIN
  SA_COMPONENTS.CREATE_COMPARTMENT(
    POLICY_NAME => 'FACILITY',
    COMP_NUMBER => '9',
    SHORT_NAME => 'FIN',
    LONG_NAME => 'Financial');
END;

Syntax

PROCEDURE CREATE_COMPARTMENT (

HIGHLY_SENSITIVE:FINANCIAL:

SENSITIVE::WESTERN_REGION

When a valid data label is created, two actions occur:

Code

LEVEL:COMPARTMENT:GROUP

Option 1: This option is incorrect. When a valid data label is created, it is automatically designated as a valid data label. This functionality limits the labels that can be assigned to data.

Option 2: This option is incorrect. It is the numeric label tag, and not the text string that represents the label, that is stored in the policy label column of the protected table.

Option 3: This option is correct. A numeric label tag is associated with the text string that represents the label. This tag must be unique across all policies in the database.

Option 4: This option is correct. The maximum length of the short form of the label is 4000 characters. The short form is used in the LABEL_VALUE parameter of the CREATE_LABEL procedure.

Correct answer(s):

3. The numeric label tag must be unique across all database policies

4. The maximum length of the short form of the label is 4000 characters

Summary

In this topic, you've learned how to create a policy.

Creating Data Labels

Learning Objective

After completing this topic, you should be able to

recognize how data labels are created

1. Creating and managing data labels

Before creating a label, a policy is created. In this example, the policy FACILITY is created. When the FACILITY policy is created, a role named FACILITY_DBA is also created with the EXECUTE privilege on several packages owned by LBACSYS.

The DBA or a user who is assigned the <policy>_DBA role can create labels by using the CREATE_LABEL procedure in the SA_LABEL_ADMIN package or by using Enterprise Manager, abbreviated as EM. The <policy>_DBA role is created when the policy is created.

This is the syntax and example code for creating labels using the CREATE_LABEL procedure in the SA_LABEL_ADMIN package.

Code

BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',1000,'P');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',2101,'S::US');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3101,'HS::US');
END;

Syntax

PROCEDURE CREATE_LABEL (
  policy_name IN VARCHAR2,
  label_tag IN I

Oracle Label Security, also known as OLS, provides administrative interfaces to define and manage the labels used in a database. You can define labels in an Oracle database by using OLS packages or EM.

Initially, administrators must define the levels, compartments, and groups that compose the labels, and then they can define the set of valid data labels for the contents of the database.

The administrator can apply a policy to individual tables in the database, or to entire application schemas. Finally, the administrator assigns to each database user the label components (and privileges, if needed) that are appropriate for the person's job function.

The administrator sets the privileges that allow data labels to be changed by certain users, if appropriate. Some sites may not allow anyone to change a label. Some customers may have specific individuals who are responsible for reviewing and assigning the appropriate labels.

Users are allowed to change their session label as well as their row label, within the range of their minimum and maximum labels, by using the SET_LABEL and SET_ROW_LABEL procedures of the SA_SESSION package.

The components of the labels have been created. The data labels have been created and marked as valid. For access mediation to work properly, the individual rows must have a label assigned.

To do this, the steps to perform are

define labels

The labels that are assigned to data rows must first be created. There are usually many more permutations of the different components of the labels than are actually used. Most sites require that the labels that are actually used be created by an administrator to control the proliferation of labels.

have labels for all rows, and

When creating policies, the label column for existing rows is initially NULL. The NULL value does not match any label, so the data is not accessible, except by users with the FULL access privilege.

set labels by updating rows

For existing rows, a user who has the FULL access privilege (typically, the security administrator) updates the rows, setting the label column to the proper label value for that row. For new rows, users or the application supply the label, either directly by a pick list, by session label default values, or by a policy function.

When you apply a policy to a table or schema, the policy is automatically enabled. To disable a policy is to turn off its protections, although it is still applied. To enable a policy is to turn on and enforce its protections for a particular table or schema.

To remove a policy is to take it entirely away from the table or schema.

a set of authorized groups (and, implicitly, authorization for any subgroups)

Each user has a session label and a row label. The session label is the particular combination of levels, compartments, and groups on which a user works at any given time. Users can change the session label to any combination of components for which they are authorized.

When a user writes data without specifying its label, a row label is assigned automatically, using the user's session label. However, users can set the label for the written row, within certain restrictions on the components of the label, with the SA_SESSION.SET_ROW_LABEL procedure.

Code

BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    POLICY_NAME => 'FACILITY',
    USER_NAME => 'MYCO_MGR',
    MAX_READ_LABEL => 'S::US,EU,ASIA');
END;

The administrator specifies the user's initial session label and an initial default row label when setting up user authorizations.

These authorizations are kept in the OLS data dictionary tables for each user. To define user authorizations, the DBA or security administrator uses the SA_USER_ADMIN package, as in this example, or the EM interface.

Code

BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY','MYCO_EMP','P');
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY','MYCO_MGR','S::US,EU,ASIA');
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY','MYCO_PLANNING','HS::GLOBAL');
END;

This is the syntax for the SA_USER_ADMIN package.

Syntax

PROCEDURE SET_USER_LABELS (
  policy_name IN VARCHAR2,

    userGname +< #A!A!7,

    ma*GreadGlabel +< #A!A!7,

    ma*GwriteGlabel +< #A!A!7 DEA(&T _amespecifies the polic/.

    7ser_amespecifies the username.

    sers insert if the/ do not specif/ the data label as a field in the INSERTstatement.

    *f ro"_la;elis not specified, it is set to de_la;el, with onl/ the compartments and

    groups authori5ed for write access.
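A complete SET_USER_LABELS call followed by the checks that show what OLS recorded and how the user's session then behaves, added here as an example rather than taken from the course. Policy FACILITY, user MYCO_MGR, the levels P and S and the groups US, EU and ASIA are the page's; the particular values chosen for the write-range parameters are assumptions.

```sql
-- Added example (not from the course): a full SET_USER_LABELS call and the
-- checks that show what OLS recorded and how the session then behaves.
-- Policy FACILITY, user MYCO_MGR, levels P/S and groups US/EU/ASIA are the
-- page's; the values placed in the write-range parameters are assumed.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS (
    policy_name     => 'FACILITY',
    user_name       => 'MYCO_MGR',
    max_read_label  => 'S::US,EU,ASIA',  -- highest label the user can read
    max_write_label => 'S::US,EU',       -- highest label the user can write
    min_write_label => 'P',              -- lowest level the user may write at
    def_label       => 'P::US',          -- session label at logon
    row_label       => 'P::US');         -- label for rows inserted without one
END;
/

-- Administrator check: everything the dictionary holds for this user.
SELECT *
FROM   dba_sa_user_labels
WHERE  policy_name = 'FACILITY' AND user_name = 'MYCO_MGR';

-- In MYCO_MGR's own session after logon: the session label starts at
-- def_label and the row label at row_label.
SELECT SA_SESSION.LABEL('FACILITY')     AS session_label,
       SA_SESSION.ROW_LABEL('FACILITY') AS row_label
FROM   dual;

BEGIN
  -- Move the session label up to the maximum read label: allowed, because
  -- every component is within the user's authorizations.
  SA_SESSION.SET_LABEL('FACILITY', 'S::US,EU,ASIA');

  -- Rows inserted from now on without an explicit label get this row label.
  -- It must lie within the write range, so 'S::ASIA' would be rejected here:
  -- ASIA is a group the user may read but not write.
  SA_SESSION.SET_ROW_LABEL('FACILITY', 'S::US');
END;
/
```

The read range and the write range are set independently on purpose: a user who may see ASIA data but must never create or relabel it gets ASIA in max_read_label only, and SET_ROW_LABEL enforces that gap.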

Question

What should you consider when assigning user authorization labels?

Options:

1. A user can access data only within the range of their own label authorizations
2. Each user has a session label or a row label
3. A session label is assigned automatically when a user writes data without specifying its label
4. The administrator specifies the user's initial session label

Answer

Option 1: This option is correct. A user has maximum and minimum labels, a set of authorized compartments, and a set of authorized groups. They can only access data they have been authorized to access.

Option 2: This option is incorrect. Each user has both a session label and a row label. The session label is the particular combination of levels, compartments, and groups on which a user works at any given time.

Option 3: This option is incorrect. When a user writes data without specifying its label, a row label is automatically assigned, using the user's session label.

Option 4: This option is correct. The administrator specifies the user's initial session label and an initial default row label when setting up user authorizations.

Correct answer(s):

1. A user can access data only within the range of their own label authorizations
4. The administrator specifies the user's initial session label

2. OLS special user privileges

The first set of Label Security privileges are set with the SA_USER_ADMIN.SET_USER_PRIVS procedure. These privileges are

READ
The READ privilege allows read access to all data protected by the policy.

FULL, and
The FULL privilege allows full read and write access to all data protected by the policy.

COMPACCESS
The COMPACCESS privilege allows a session access to data authorized by the row's compartments, independent of the row's groups.

The PROFILE_ACCESS privilege is also granted with SA_USER_ADMIN.SET_USER_PRIVS. It allows a user to change the OLS authorizations and privileges of the database session to those of a specified user, by calling the SA_SESSION.SET_ACCESS_PROFILE procedure.

In this example, the READ privilege enables the user to bypass the OLS policy entirely for read access to data. Users with the READ privilege can read all data protected by the policy, regardless of their authorizations or session label. The user does not even need to have label authorizations. However, access mediation is still enforced on the UPDATE, INSERT, and DELETE operations: users with the READ privilege can write only to data rows for which they have write access, based on their label authorizations.

The application uses of the READ privilege are data export, report generation, and executive management privilege.

In this example, the FULL privilege has the same effect and benefits as the READ privilege, with one difference: a user with the FULL privilege can also write to all the data. The ability to write effectively bypasses all OLS controls.

Oracle discretionary access controls still protect the underlying table. For example, if a user does not have the UPDATE privilege on the underlying table and attempts to update the table directly with an UPDATE SQL statement, the statement fails.

This is a very powerful privilege and should be reserved only for users that require it. A classifier (someone who reviews data to determine its security classification) would need this privilege to be allowed to see the data and change the classification freely.

In this example, the COMPACCESS privilege allows a session to access rows on the basis of the row's compartments, independent of the row's groups. If a row has no compartments, access is determined by the group authorizations. However, when compartments exist, and access to them is authorized, the group authorization is bypassed. Level authorizations are still enforced. If the row has a data label of Confidential:Operations:Western_Region and the user label is Confidential:Operations:Central_Region, the user can access the row on the basis of the compartment. The group is ignored.

This privilege is required only in special situations, for example, where a compartment is created for a project that crosses groups but does not include all members of each group.
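Granting the three privileges with SET_USER_PRIVS, checking them, and walking through the COMPACCESS case from the text, as an added example that is not part of the course. Policy FACILITY is the page's; the user names REPORT_USER, CLASSIFIER and PROJ_LEAD, the short component names (level C, compartment OP, groups WR and CR), the table HR.ORDERS and its label column OLS_LABEL are assumptions made for the example.

```sql
-- Added example (not from the course): granting READ, FULL and COMPACCESS
-- and checking them. Policy FACILITY is the page's; user names, the short
-- component names and HR.ORDERS with label column OLS_LABEL are assumed.
BEGIN
  -- Read everything, for exports and reports; writes are still mediated.
  SA_USER_ADMIN.SET_USER_PRIVS('FACILITY', 'REPORT_USER', 'READ');
  -- Read and write everything: reserve for the classifier role.
  SA_USER_ADMIN.SET_USER_PRIVS('FACILITY', 'CLASSIFIER', 'FULL');
  -- Cross-group project: compartments decide, groups are ignored,
  -- levels still apply.
  SA_USER_ADMIN.SET_USER_PRIVS('FACILITY', 'PROJ_LEAD', 'COMPACCESS');
  -- SET_USER_PRIVS sets the whole list each time; a later call with NULL
  -- as the privilege string removes every privilege for that user.
END;
/

-- Check 1: what the dictionary records (a comma-separated list per user).
SELECT user_name, user_privileges
FROM   dba_sa_user_privs
WHERE  policy_name = 'FACILITY';

-- Check 2: from inside the user's own session.
SELECT SA_SESSION.PRIVS('FACILITY') AS my_privs FROM dual;

-- COMPACCESS walk-through with the components of the text:
--   level C = Confidential, compartment OP = Operations,
--   groups WR = Western_Region, CR = Central_Region.
-- PROJ_LEAD, authorized for C:OP:CR, reads a row labelled C:OP:WR: the row
-- carries a compartment the user holds, so the groups are not consulted.
-- Without COMPACCESS the same query returns no row, because CR is not WR.
SELECT order_id, LABEL_TO_CHAR(ols_label) AS data_label
FROM   hr.orders
WHERE  order_id = 4711;   -- assumed row labelled C:OP:WR

-- Two limits of the privilege, for the same session:
--   a row labelled C::WR (no compartment) stays group-mediated and is not
--   returned; a row labelled S:OP:WR is not returned either, because the
--   level check is never bypassed by COMPACCESS.
```

When reviewing who holds these privileges, read DBA_SA_USER_PRIVS rather than asking users: the READ and FULL holders are exactly the accounts for which the policy's row filtering does nothing.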

The SA_SESSION.SET_ACCESS_PROFILE procedure sets the OLS authorizations and privileges of the database session to those of the specified user.

The session assumes only the OLS authorizations and privileges of the specified user; the database username does not change. The OLS username, however, is changed: SA_SESSION.SA_USER_NAME returns the specified user from then on.

Code

SQL> connect appuser/mypassword
SQL> begin
  2    sa_session.set_access_profile('finance', 'manager');
  3  end;
  4  /

User accounts defined in Oracle Internet Directory, also known as OID, cannot be given individual OLS authorizations. However, authorizations can be given to the shared schema to which the directory users are mapped.

The OLS SET_ACCESS_PROFILE procedure can be used programmatically to set the label authorization profile to use after a user has been authenticated and mapped to a shared schema. OLS does not enforce a mapping between users who are given label authorizations in OLS and actual database users.

This administrative procedure is useful for various tasks:

Syntax

PROCEDURE SET_ACCESS_PROFILE (
  policy_name IN VARCHAR2,
  user_name   IN VARCHAR2);

With SET_ACCESS_PROFILE, the administrator can see the result of the authorization and privilege settings for a particular user.

Applications that have proxy accounts connect as (and assume the identity of) application users for purposes of accessing labeled data. With the PROFILE_ACCESS privilege, the proxy account can act on behalf of application users.
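The shared-schema case end to end: the grant that SET_ACCESS_PROFILE requires, the switch itself, and the checks that show what changed. This is an added example, not the course's own code. Policy FINANCE, the shared schema APPUSER and the profile user MANAGER follow the page's snippet; the label string is assumed.

```sql
-- Added example (not from the course). Policy FINANCE, shared schema APPUSER
-- and profile user MANAGER follow the page's snippet; the label is assumed.

-- 1. As the FINANCE policy administrator: let the shared schema switch
--    profiles, and give the profile user its label authorizations. MANAGER
--    need not be a database account: OLS keeps no mapping between the
--    names it authorizes and real users.
BEGIN
  SA_USER_ADMIN.SET_USER_PRIVS ('FINANCE', 'APPUSER', 'PROFILE_ACCESS');
  SA_USER_ADMIN.SET_USER_LABELS('FINANCE', 'MANAGER', 'S::FIN');
END;
/

-- 2. In the application session, after the directory user has been
--    authenticated and mapped to APPUSER. Before the switch the session
--    carries APPUSER's own authorizations (none here) and PROFILE_ACCESS.
SELECT USER                               AS db_user,
       SA_SESSION.SA_USER_NAME('FINANCE') AS ols_user,
       SA_SESSION.LABEL('FINANCE')        AS session_label,
       SA_SESSION.PRIVS('FINANCE')        AS privs
FROM   dual;

BEGIN
  SA_SESSION.SET_ACCESS_PROFILE('FINANCE', 'MANAGER');
END;
/

-- 3. After the switch: db_user is still APPUSER, ols_user is now MANAGER,
--    the session label is MANAGER's default label and privs are MANAGER's
--    (PROFILE_ACCESS is no longer listed, since MANAGER does not hold it).
--    Plan on one switch per authenticated user rather than switching back
--    and forth within a session.
SELECT USER                               AS db_user,
       SA_SESSION.SA_USER_NAME('FINANCE') AS ols_user,
       SA_SESSION.LABEL('FINANCE')        AS session_label,
       SA_SESSION.PRIVS('FINANCE')        AS privs
FROM   dual;
```

The application layer is the only thing tying the authenticated directory user to the profile name passed in step 2, so that call belongs in server-side code that runs after authentication, never in anything the client can influence.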

A trusted stored program unit is a stored procedure, function, or package that has been granted one or more OLS privileges. Trusted stored program units are typically used to enable users to downgrade information in a controlled manner, or to update data at several labels.

This is the optimal way to enable users to access data beyond their authorization. To grant privileges to a stored program unit, you must have the special policy_DBA role (where policy is the name of a policy) and the EXECUTE permission on the program unit.

Use either Enterprise Manager or the SA_USER_ADMIN package to grant privileges to a program unit. The SA_USER_ADMIN.SET_PROG_PRIVS procedure sets policy-specific privileges for program units.

In this example, the sum_purchases procedure has been granted the READ privilege. When the sum_purchases procedure is called, it executes with the READ privilege as well as the current user's OLS privileges. This allows the total purchases to be calculated.
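A complete version of the sum_purchases case, added here as an example (the course's own SET_PROG_PRIVS snippet is truncated). Policy FACILITY and the name sum_purchases are the page's; the schema MYCO, the table MYCO.PURCHASES with its columns, and the grantee MYCO_EMP are assumed.

```sql
-- Added example (not from the course): a trusted program unit that totals
-- purchases across every label while its caller still sees only their own
-- rows. Policy FACILITY and sum_purchases are the page's; schema MYCO, table
-- MYCO.PURCHASES and its columns, and the grantee MYCO_EMP are assumed.
CREATE OR REPLACE FUNCTION myco.sum_purchases (p_customer_id IN NUMBER)
  RETURN NUMBER
  AUTHID DEFINER   -- the trusted privileges belong to the unit, not the caller
IS
  v_total NUMBER;
BEGIN
  -- Only an aggregate leaves the function, so callers learn the total but
  -- not which rows (or which labels) contributed to it. Returning the rows
  -- themselves would turn READ on this unit into READ for every caller.
  SELECT NVL(SUM(amount), 0)
  INTO   v_total
  FROM   myco.purchases
  WHERE  customer_id = p_customer_id;
  RETURN v_total;
END sum_purchases;
/

-- Requires the FACILITY_DBA role and EXECUTE on the unit.
BEGIN
  SA_USER_ADMIN.SET_PROG_PRIVS(
    policy_name       => 'FACILITY',
    schema_name       => 'MYCO',
    program_unit_name => 'SUM_PURCHASES',
    privileges        => 'READ');
END;
/

-- Check: program units holding privileges under the policy.
SELECT *
FROM   dba_sa_prog_privs
WHERE  policy_name = 'FACILITY';

-- A caller with no READ privilege of their own: the function's SELECT runs
-- with READ and covers all labels, while a direct query by the same caller
-- on MYCO.PURCHASES is still filtered by their session label.
GRANT EXECUTE ON myco.sum_purchases TO myco_emp;
SELECT myco.sum_purchases(1001) AS total FROM dual;
```

Treat the unit's source as part of the policy: anyone who can CREATE OR REPLACE it inherits the READ grant, so the schema that owns it needs the same change control as the policy itself.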

Code

SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS(

Define in the import database all the label components and individual labels used in the tables being imported. Tag values assigned to the policy labels in each database must be the same.

To successfully import data under OLS, the user running the import operation must be authorized for all the labels required to insert the data and labels contained in the export file.

The following requirements must be met:

Requirement 1
The user must have the policy_DBA role for all policies with data being imported. After each schema or table is imported, any policies from the export database are reapplied to the imported objects.

Requirement 2
The user must have the ability to write all rows that have been exported.

When implementing OLS, follow these performance tips:

Limit policies to required tables
In most cases, only a small subset of the tables in a database requires row-level security. Carefully identify these tables and limit the policies to them.

Plan a label tag strategy
For optimal performance, you can plan a strategy for assigning values to label tags. In general, it is best to assign higher numeric values to labels with higher sensitivity levels. Usually, many more users can see data at comparatively low levels; fewer users at higher levels can see many levels of data. With READ_CONTROL set, OLS generates a predicate that uses a BETWEEN clause to restrict the rows to be processed by the query. If the higher-sensitivity labels do not have a higher label tag than the lower-sensitivity labels, the query potentially examines a larger set of rows. This affects performance by requiring more reads.

Analyze the LBACSYS schema
Run the DBMS_STATS.GATHER_SCHEMA_STATS procedure on the LBACSYS schema, so that the cost-based optimizer can improve execution plans on queries. Having the statistics for the OLS data dictionary tables improves OLS performance.

Index the policy label column
Create a bitmap index on the policy label column, on the basis of the number of distinct values.

Partition on the basis of the label
If you are using a numeric ordering strategy with the numeric label tags that you have applied to the labels, you can use this as a basis for data partitioning. Depending on the application, partitioning data on the basis of label values may or may not be useful.

Also, allow time to tune your application after applying OLS.
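Label tags chosen so that tag order follows sensitivity, together with the index and statistics steps, as an added example that is not part of the course. Policy FACILITY and the level short names P, S and HS are the page's; the long names, the tag numbers, the label column name OLS_LABEL and the table HR.ORDERS are assumptions.

```sql
-- Added example (not from the course): tags that rise with sensitivity, the
-- bitmap index and the dictionary statistics. Policy FACILITY and levels
-- P, S, HS are the page's; long names, tag numbers, HR.ORDERS and its label
-- column OLS_LABEL are assumed.
BEGIN
  -- Levels: level_num decides dominance (higher = more sensitive).
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 1000, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 2000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 3000, 'HS', 'HIGHLY_SENSITIVE');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 10, 'US', 'United States');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 20, 'EU', 'Europe');

  -- Data labels: the tag is the value stored in the label column and the
  -- value the READ_CONTROL predicate compares with BETWEEN, so its order,
  -- not the level number, is what the optimizer works with. Leave gaps so
  -- labels can be added later without disturbing the ordering.
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 2010, 'S::US');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 2020, 'S::EU');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 3000, 'HS::US,EU');
END;
/

-- Check: tags should increase with the level. A label whose tag falls below
-- a lower level's tag still works, but widens the BETWEEN range scanned.
SELECT label_tag, label
FROM   dba_sa_labels
WHERE  policy_name = 'FACILITY'
ORDER  BY label_tag;

-- Bitmap index: the label column has few distinct values per row.
CREATE BITMAP INDEX hr.orders_ols_label_bix ON hr.orders (ols_label);

-- Statistics on the OLS dictionary so the optimizer can cost the predicate.
BEGIN
  DBMS_STATS.GATHER_SCHEMA_STATS(ownname => 'LBACSYS');
END;
/
```

One caveat on the index choice: bitmap index entries cover ranges of rows, so concurrent DML on a labelled table with heavy write traffic serializes on them; on such tables a B-tree index on the label column, or the label column added to an existing B-tree index, is the safer option.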

Question

Which actions may help to improve system performance when using OLS?

Options:

1. Planning a label tag strategy
2. Considering the use of a bitmap index on the label column
3. Applying policies to all tables
4. Removing label columns from existing indexes

Answer

Option 1: This option is correct. For optimal performance, you can plan a strategy for assigning values to label tags. In general, it is best to assign higher numeric values to labels with higher sensitivity levels.

Option 2: This option is correct. Creating a bitmap index on the policy label column, on the basis of the number of distinct values, may help to improve performance.

Option 3: This option is incorrect. In most cases, only a small subset of the tables in a database require row-level security. The policies you add directly affect performance, so they should be used wisely.

Option 4: This option is incorrect. You should consider adding the label column to existing indexes to improve performance.

Correct answer(s):

1. Planning a label tag strategy
2. Considering the use of a bitmap index on the label column

Summary

In this topic, you've learned how data labels are created.

Implementing Oracle Label Security

Learning Objectives

After completing this topic, you should be able to

create labels and policies in Oracle Database 11g
apply policies in Oracle Database 11g
test access control

Exercise overview

The data in the HR.LOCATIONS

Steps list

Instructions

3. Type PRIVLAB in the Label Column text box
4. Select the Hide Label Column checkbox
5. Select the Apply Policy Enforcements radio button
6. Select the For all queries (READ_CONTROL) checkbox
7. Select the For update and insert operations so that modified or new rows are read accessible (CHECK_CONTROL) checkbox
8. Click OK

Task 2: Creating levels and labels

You now want to create the levels and labels for the PRIVACY policy. You have already accessed the Label Components tab and added the first level. Add a second level with a long name of SE

PRIVACY policy. Add the HR user to the list of users who are authorized for the PRIVACY policy. Search for the HR user, who appears on the second page of the results. Allow the user to assume the profile of another user and bypass all Label Security checks. Accept all default selections on the remaining screens and confirm the configuration.

Steps list

Instructions

1. Ensure Authorization is selected from the Actions drop-down menu and click Go
2. Click Add Users
3. Click Add
4. Click the Next

1. Click Create
4. Click the Flashlight icon
5. Type HR in the Schema text box and click Go
6. Select the Select radio button for the JOB_HISTORY row and click Select
7. Click OK

Task 3: Testing a policy

Press Enter
4. Press Enter
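The same exercise done with the OLS packages instead of the Enterprise Manager pages, followed by the access-control test the exercise asks for. This is an added example, not the course's own script. Policy PRIVACY, label column PRIVLAB, the HR user and the HR.JOB_HISTORY table are the page's; the level names PUB and SEN, the second user TESTER and the row used in the final INSERT are assumptions (the page cuts off before naming its second level).

```sql
-- Added example (not from the course): the exercise's policy built with the
-- OLS packages, then tested. PRIVACY, PRIVLAB, HR and HR.JOB_HISTORY are the
-- page's; level names PUB/SEN, user TESTER and the inserted row are assumed.
BEGIN
  -- HIDE: SELECT * leaves PRIVLAB out. READ_CONTROL: reads are filtered.
  -- CHECK_CONTROL: an insert or update must leave a row the session can read.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'PRIVACY',
    column_name     => 'PRIVLAB',
    default_options => 'READ_CONTROL,CHECK_CONTROL,HIDE');
END;
/
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('PRIVACY', 10, 'PUB', 'PUBLIC');     -- assumed
  SA_COMPONENTS.CREATE_LEVEL('PRIVACY', 20, 'SEN', 'SENSITIVE');  -- assumed
  SA_LABEL_ADMIN.CREATE_LABEL('PRIVACY', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('PRIVACY', 2000, 'SEN');

  -- HR, as the exercise describes: may assume another profile and bypass
  -- all Label Security checks (PROFILE_ACCESS and FULL).
  SA_USER_ADMIN.SET_USER_LABELS('PRIVACY', 'HR', 'SEN', 'SEN', 'PUB', 'PUB', 'PUB');
  SA_USER_ADMIN.SET_USER_PRIVS ('PRIVACY', 'HR', 'PROFILE_ACCESS,FULL');
  -- TESTER (assumed): authorized for PUB only, no privileges. It also needs
  -- ordinary SELECT and INSERT on HR.JOB_HISTORY; OLS adds to DAC, it does
  -- not replace it.
  SA_USER_ADMIN.SET_USER_LABELS('PRIVACY', 'TESTER', 'PUB');

  -- Apply with the policy's default options.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('PRIVACY', 'HR', 'JOB_HISTORY');
END;
/

-- As HR (FULL lets it label any row, including the unlabelled ones that
-- nobody else can see after the apply): classify the data.
UPDATE hr.job_history
SET    privlab = CHAR_TO_LABEL('PRIVACY', 'SEN')
WHERE  department_id = 90;                -- executive history: sensitive
UPDATE hr.job_history
SET    privlab = CHAR_TO_LABEL('PRIVACY', 'PUB')
WHERE  privlab IS NULL;
COMMIT;

-- As TESTER: only PUB rows come back, and the hidden column is absent from
-- SELECT * but can still be named explicitly.
SELECT * FROM hr.job_history;
SELECT employee_id, start_date, LABEL_TO_CHAR(privlab) AS data_label
FROM   hr.job_history;

-- CHECK_CONTROL at work: TESTER could not read this row back, so OLS rejects
-- the insert instead of letting a PUB-only session create SEN data.
INSERT INTO hr.job_history
  (employee_id, start_date, end_date, job_id, department_id, privlab)
VALUES
  (200, DATE '2007-01-01', DATE '2007-12-31', 'AD_ASST', 90,
   CHAR_TO_LABEL('PRIVACY', 'SEN'));
```

The two SELECTs are the test worth keeping in a regression suite: run them as the least-privileged account and compare row counts against the classification, because a policy that is applied but disabled, or a user accidentally given READ, changes the count without any error.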

Using the Data Masking Pack

Learning Objectives

After completing this topic, you should be able to

recognize how data masking works
create and use data masking

1. Implementing data masking

A number of regulations mandate that a company's confidential, sensitive, and personally identifiable data must be protected and that access to this data must be restricted.

There is often a need to provide production data, or realistic-looking data, to in-house developers and testing organizations during application development.

Data masking is a way to meet these two conflicting needs. Data masking is the act of anonymizing customer, financial, or company confidential data to create new, legible data that retains the original data's properties, such as width, type, and format.

In this example, three columns of the HR.EMPLOYEES table have been masked so that the data can be provided for testing or development without compromising the security of the information.

Graphic

The columns of the EMPLOYEES table are EMPLOYEE_ID, LAST_NAME, DEPARTMENT_ID, and PHONE_NUMBER. The EMPLOYEE_IDs are specified as 100, 105, and 110. The LAST_NAMEs are King, Austin, and Chen. The DEPARTMENT_IDs are 90, 60, and 100. And the PHONE_NUMBERs are 515.1

During this implementation, different types of administrators perform various functions.

Security administrator
The security administrator reviews the application database and identifies the sensitive data.

Application database administrator
The application database administrator defines the mask formats for sensitive data and creates a masking definition to associate table columns with the defined mask formats.

Database administrator
The database administrator clones the production database to a staging database, creates a masking definition if this task is not performed by the application database administrator, and executes the masking job.

The security administrator then performs two tasks:

verify that the masked data meets the information security requirements, and
refine the masking definition as necessary

If the masking definition is changed, the database administrator restores the altered tables and reapplies the masking definition until the optimal masking definitions are identified.

The application database administrator, business analyst, and users test the application. And the database administrator exports the masking definition for future use and clones the staging database to a test database.

2. Masking data

The security administrator would typically direct the process of identifying sensitive data for masking by identifying what types of information must be masked to comply with various regulations.

The application database administrator can use this technique to identify specific columns in database tables that should be masked. The application database administrator determines the specific columns and flags them with a column comment. This technique enables the database administrator to easily identify the columns that are to be masked when creating masking definitions with the Data Masking Pack.

Code

COMMENT ON COLUMN hr.employees.employee_id IS 'MASK candidate: HR Benefits Policy';
COMMENT ON COLUMN hr.employees.first_name  IS 'MASK candidate: HR Privacy Policy';
COMMENT ON COLUMN hr.employees.last_name   IS 'MASK candidate: HR Privacy Policy';
COMMENT ON COLUMN hr.employees.salary      IS 'MASK candidate: HR Compensation Policy';
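Turning those comments into a masking inventory, as an added example that is not from the course: the query lists every column flagged with the page's 'MASK candidate:' prefix, its data type, and, where the column is referenced by foreign keys, each child column that must receive the same mapping so that referential integrity survives masking. The schema HR and the comment prefix are the page's; the view names are the standard dictionary views.

```sql
-- Added example (not from the course): inventory of flagged columns and the
-- foreign-key columns that depend on each of them. Schema HR and the
-- 'MASK candidate:' prefix are the page's.
WITH flagged AS (
  SELECT owner, table_name, column_name,
         TRIM(SUBSTR(comments, LENGTH('MASK candidate:') + 1)) AS policy
  FROM   dba_col_comments
  WHERE  owner = 'HR'
  AND    comments LIKE 'MASK candidate:%'
),
fk_pairs AS (
  -- (parent column) -> (child column) for every foreign key, matched by
  -- position so composite keys pair up correctly
  SELECT pc.owner       AS p_owner,
         pc.table_name  AS p_table,
         pc.column_name AS p_column,
         cc.table_name  AS c_table,
         cc.column_name AS c_column
  FROM   dba_constraints  fk
  JOIN   dba_cons_columns cc ON cc.owner = fk.owner
                            AND cc.constraint_name = fk.constraint_name
  JOIN   dba_cons_columns pc ON pc.owner = fk.r_owner
                            AND pc.constraint_name = fk.r_constraint_name
                            AND pc.position = cc.position
  WHERE  fk.constraint_type = 'R'
)
SELECT f.table_name, f.column_name, tc.data_type, tc.data_length, f.policy,
       p.c_table || '.' || p.c_column AS dependent_fk_column
FROM   flagged f
JOIN   dba_tab_columns tc ON tc.owner = f.owner
                        AND tc.table_name = f.table_name
                        AND tc.column_name = f.column_name
LEFT JOIN fk_pairs p ON p.p_owner  = f.owner
                    AND p.p_table  = f.table_name
                    AND p.p_column = f.column_name
ORDER  BY f.table_name, f.column_name, dependent_fk_column;
```

On the HR sample schema the EMPLOYEE_ID row expands to three dependents (DEPARTMENTS.MANAGER_ID, EMPLOYEES.MANAGER_ID and JOB_HISTORY.EMPLOYEE_ID) while FIRST_NAME, LAST_NAME and SALARY have none. Relationships that exist only in application code do not appear here; those are the ones to add by hand through the Dependent Columns feature described later.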

The Data Masking Pack format library contains predefined masking formats that are used to create a masking definition. A masking definition associates a masking format with a column in a database table.

There are built-in data masking primitives in the format library, and you can define additional format masks.

The format library can be saved to an XML file so that it can be reused or shared with another installation of Enterprise Manager Grid Control that uses a different repository.

The Data Masking Pack includes built-in masking primitives for various types of data. The built-in data masking primitives are described in this table.

In addition to the built-in masking primitives, you can use built-in masking routines, such as shuffling. This routine is useful when the range of values in a column is not known and you determine that the shuffling of values in the same table provides a sufficient degree of privacy and protection. Note that shuffling keeps every original value in the table; it hides which row a value belonged to, not the value itself, so it is unsuitable for columns whose values are sensitive on their own.

Graphic

The Types of Built-in Masking Primitives and Routines table has two columns, Type and Definition:

Type            Definition
Array List      List of values that will be selected randomly
Fixed Number    Number that will be used
Fixed String    Literal string that will be used
Random Dates    Range of dates that will be used randomly
Random Digits   Random digits in the specified range
Random Numbers  Range of numbers that will be used randomly
Random Strings  Literals in the specified range
Shuffle         Shuffling of original data
Substring       Literal with the specified start position and length
Table Column    The specified column that is used randomly

Question

Which data masking primitive or routine is best suited to mask data with a literal string?

Options:

1. Array List
2. Fixed String
3. Random Digits
4. Substring

Answer

Option 1: This option is incorrect. The Array List primitive is used to mask data using a list of values that will be selected randomly.

Option 2: This option is correct. The Fixed String primitive is used to mask data using a literal string. For example, you can use this to specify where a hyphen should appear in a telephone number.

Option 3: This option is incorrect. The Random Digits primitive is used to mask data with random digits in a specified range.

Option 4: This option is incorrect. The Substring routine is used to mask data using a literal with the specified start position and length.

Correct answer(s):

2. Fixed String

The Data Masking Pack also contains built-in masking primitives that can be used directly to mask column data. You can also use the built-in masking routines to directly mask the column data.

The built-in masking primitives and routines can also be combined to build a more sophisticated masking format. If the built-in masking primitives and routines do not satisfy your data masking requirements, you can create a PL/SQL function to use for masking.

This is an example of data masking of the EMPLOYEES table.

EMPLOYEE_ID
Masking of the EMPLOYEE_ID column is accomplished by using one of the built-in masking primitives: Random Numbers.

LAST_NAME
The mask for the LAST_NAME column is constructed by referencing another column in the database: Anglo-American last name.

The original values in the LAST_NAME column of the EMPLOYEES table are King, Austin, and Chen. And the masked values are Jefferies, Smith, and Allen.

PHONE_NUMBER
The PHONE_NUMBER column data mask is built from the masking primitives: Bay Area phone number.

The original values in the PHONE_NUMBER column of the EMPLOYEES table are 515.1

555 was specified as the value for the Fixed String mask primitive. The description given is String Value: 555-

Random Digits was specified with a length of 4. The description given is Digits Length Range: 4 - 4

Note

Sample values for this format are provided so that you can verify your specifications.

A PL/SQL function of your own design can be used to mask data. This function is used to generate a mask for the e-mail address. This code is executed on the target database.

Code

CREATE OR REPLACE FUNCTION hr.email_mask
  (orig_value VARCHAR2) RETURN VARCHAR2
IS
  emailadd VARCHAR2(100);
BEGIN
  -- Find the row whose e-mail is being masked and build the replacement
  -- from its first name, employee ID, and last name.
  SELECT first_name || '.' || employee_id || '.' || last_name || '@not_realco.com'
  INTO   emailadd
  FROM   hr.employees
  WHERE  email = orig_value;
  RETURN emailadd;
END;
/

Note what this function reads: the first and last name of the unmasked row. The replacement address therefore still contains the real names, which undoes any mask applied to LAST_NAME. A masking function should build its output from values that are themselves masked or synthetic, and the results should be reviewed for exactly this kind of leak.

After creating the PL/SQL function that you intend to use for masking, you can specify it in a data mask format.

In this example, you specify User Defined Function as the format entry type and specify the previously created function.

Graphic

You specify the function name as hr.email_mask in the User Defined Function field.

The user-defined function is applied and the sample masked data is listed in the Masking Definition: Define Format page.

Graphic

In this example, the database is p

The domain name used in this example is in an illegal format. The _ character is not allowed in domain names.

A predefined PL/SQL function can be specified as a postprocessing function. This function executes against the data after it is masked.

This function is created in the Enterprise Manager repository.

Graphic

You specify this function in the Post Processing Function field in the Masking Definition: Define Format page.

You can create a PL/SQL function such as a checksum function. This function is executed after the data is masked. Its masked-value parameter receives the masked data (the new value).

In this example, the checksum function is applied to the masked data. The results are listed in the sample masked data.

Graphic

The results listed under the Sample Masked Data section are the following:

Susan.

Two sample masked values are listed for the EMPLOYEES.EMPLOYEE_ID column under the Sample Masked Data section.
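One concrete post-processing checksum, added here as an example and not taken from the course: a function that appends a Luhn (mod 10) check digit to a masked numeric value, so that application code which validates the check digit still accepts the masked IDs. The function name, its parameter name and the one-parameter signature (which follows the page's email_mask example) are assumptions; confirm the parameter list that your Enterprise Manager release documents for post-processing functions before registering it.

```sql
-- Added example (not from the course): post-processing function that appends
-- a Luhn check digit to the masked value. Name, parameter and signature are
-- assumed; the signature follows the page's email_mask example.
CREATE OR REPLACE FUNCTION hr.add_luhn_check (masked_value IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_digits VARCHAR2(4000) := REGEXP_REPLACE(masked_value, '[^0-9]', '');
  v_sum    PLS_INTEGER := 0;
  v_d      PLS_INTEGER;
  v_double BOOLEAN := TRUE;   -- the rightmost payload digit is doubled first
BEGIN
  IF v_digits IS NULL THEN
    RETURN masked_value;      -- nothing numeric to protect: pass through
  END IF;
  -- Walk the payload from the right, doubling every second digit and
  -- folding two-digit products back into a single digit (16 -> 7).
  FOR i IN REVERSE 1 .. LENGTH(v_digits) LOOP
    v_d := TO_NUMBER(SUBSTR(v_digits, i, 1));
    IF v_double THEN
      v_d := v_d * 2;
      IF v_d > 9 THEN
        v_d := v_d - 9;
      END IF;
    END IF;
    v_sum    := v_sum + v_d;
    v_double := NOT v_double;
  END LOOP;
  -- Check digit: whatever brings the sum to a multiple of ten.
  RETURN v_digits || TO_CHAR(MOD(10 - MOD(v_sum, 10), 10));
END add_luhn_check;
/

-- Check: 7992739871 is the standard Luhn test payload; its check digit is 3.
SELECT hr.add_luhn_check('7992739871') AS with_check_digit FROM dual;
-- with_check_digit = 79927398713
```

Because the function adds a digit, size the random range of the primary mask one digit shorter than the column allows; for a NUMBER(6) column such as HR.EMPLOYEES.EMPLOYEE_ID, a six-digit random value plus a check digit no longer fits.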

The following are the initial steps to create the masking definition:

Graphic

The Database Instance: orcl page is opened.

1. On the Administration tabbed page, select Definitions in the Data Masking region
   The Data Masking region also contains one other link, Format Library.

2. On the Masking Definitions page, click Mask
   The Masking Definitions page contains a Search drop-down list, a text field, and the Go and Import buttons. It also contains a table with the columns Select, Masking Definition, Database, Description, Columns, and Most Recent Job Ended.

3. Specify a name for the mask and the database name, and
   These details are entered in the Name and Database fields. In this example, the name entered for the mask is MASKING_DEF_1 and the database name is orcl.

enter a start value of 100000 and an end value of 999999 and click OK
These values are entered in the Start Value and End Value fields respectively in the Random Numbers section of the Masking Definition: Add Format Entry page.

The Data Masking Pack automatically identifies all columns related to the selected column, based on referential integrity constraints defined in the data dictionary.

The masking rule defined for the primary key column is also automatically applied to the associated columns, as listed in this example.

Graphic

These details are listed in two tables. The first table contains the columns Select, Owner, Table, Column, Data Type, Format, Foreign Key Columns, and Dependent Columns. The Dependent Columns column is further subdivided into two columns, Count and Add. In this example, the owner is HR, the table is EMPLOYEES, the column is EMPLOYEE_ID, the data type is NUMBER, and a count of foreign key columns is shown.

The second table, Foreign Key Columns, contains the columns Owner, Table, Column, Parent Owner, Parent Table, and Parent Column. In this example, this table contains three rows. The owner in all three rows is HR; the tables are DEPARTMENTS, EMPLOYEES, and JOB_HISTORY; the columns are MANAGER_ID, MANAGER_ID, and EMPLOYEE_ID; and the parent owner, parent table, and parent column in all three rows are HR, EMPLOYEES, and EMPLOYEE_ID respectively.

If the relationships between tables are defined in the application rather than as database constraints, you can use the Dependent Columns feature to add the associated columns.

Graphic

The Masking Definition: Add Columns page is opened. On this page you can search for and add dependent columns that do not have foreign key constraints defined. To do this, you specify the schema, table, and column name and click Search.

You can also create a masking definition for a column by using a previously defined data masking format.

To do this, perform the following steps:

Graphic

The Masking Definition: Define Format page is opened.

After selecting the table and column for masking, click Import From Library to import the masking definitions from the library, and

In this example, the database is orcl

Answer

Option 1: This option is correct. You can create a masking definition for a column by using a previously defined data masking format. To do this, you use the Import From Library feature.

Option 2: This option is incorrect. The Data Masking Pack automatically identifies all columns related to the selected column based on referential integrity constraints defined in the data dictionary.

Option 3: This option is correct. A PL/SQL function of your own design can be used to mask data. You should review the masking functions and their results to ensure that the function actually provides the level of protection required.

Option 4: This option is incorrect. You can create a data mask format by using multiple built-in data mask primitives. For example, you could use Array List, Fixed String, and Random Digits to mask telephone numbers.

Correct answer(s):

1. You can create a masking definition using a previously defined format
3. You can use a PL/SQL function you design to mask data

    >. 'sing t#e *ask ?i$ard

    The 9as% 6i2ard generates a mas%ing script and produces an impact report that you can

    review before submitting the data mas%ing job. The 9as% 6i2ard chec%s whether there is

    sufficient space for the mas%ing operation. +f error"level messages result during this step,

    mas%ing cannot continue. ou must correct any errors before proceeding.

    The 9as% 6i2ard also ensures that uni3ueness can be maintained and that data mas%

    formats match column data types. +t warns about chec% constraints and chec%s for the

    presence of default partitions.

    "rap#ic

    The 4rocessing: Generating )ata (asking Script page is opened. *t lists the

    database details. The database is p

  • 8/10/2019 Oracle Database 11g Oracle Label Security and the Data Masking Pack

    50/59

    The original table, the new table plus mapping tables, and inde*es on both original and

    new tables e*ist at the same time during the mas%ing process.

    "rap#ic

    These details are displa/ed in the (ask: *mpact eport, which is currentl/

    opened. *n addition to the database details, this page also lists the script

    generation summar/ and information.

    nder the Script Generation Summar/ section, information about the (ost

    Serious (essage Severit/ and date and time when the generation started and

    completed is listed. *n this e+ample, the (ost Serious (essage Severit/ is listed

    as *"%#(!T*#".

    nder the Script Generation *nformation section, a table provides information

    about the ob1ects and resources e+amined during script generation and lists

    details of an/ warnings or errors detected. The table contains the columns -#b1ect "ame, #b1ect T/pe, (essage Severit/, (essage T/pe, and (essage.

The script generation step of the wizard produces a script that you can review and save.

Graphic

The script is listed under the Script section. You can opt to view the full script or the script summary by selecting the radio buttons - Script Summary and Full Script. The Script Summary option is selected in this example. The script summary is a list of the database commands that will be used to mask the selected columns. The full script is a PL/SQL script that includes functions, procedures, and other commands needed during the masking operation. The full script will be created when you submit the job and will be executed by the job to perform the masking operation.

The data masking job performs bulk operations to rapidly replace the table containing sensitive data with an identical table containing masked data, while retaining the original database constraints, referential integrity, and associated access structures such as indexes and partitions, and access permissions such as grants.

The script takes advantage of the built-in optimizations in the database. It disables database logging and runs in parallel to quickly create a masked replacement for the original table. The original table containing sensitive data is dropped from the database completely and is no longer accessible. Two consequences follow: because logging is disabled, there is no redo from which the new table could be recovered, so take a backup once the job completes; and because the original is purged, there is no way back, so run the job only against a copy of the production data, never against production itself.

These are the steps in the masking process:


1. build a mapping table for each column to be masked; the mapping table contains (original_value, mask_value)

2. drop constraints and revoke grants

3. rename the table

4. create a new table using mapping tables joined to the original table

5. create indexes on the new table

6. collect statistics

7. replace constraints and grants

8. drop indexes on the original table and drop the original table with the purge option, and

9. drop mapping tables
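The nine steps above, written out by hand in Oracle SQL as an added example; this is not the script the Mask Wizard generates. It runs against a constructed HR_TEST.EMPLOYEES table: the HR_TEST schema, the EMP_PK and EMP_NAME_IX names, the HR_READER grantee and the PHONE_NUMBER column are all assumptions, and the script is meant for SQL*Plus on a non-production copy with no other session using the table.

```sql
-- Added example (hand-written, not the wizard's generated script).
-- Assumptions: schema HR_TEST, grantee HR_READER, column PHONE_NUMBER,
-- constraint/index names EMP_PK and EMP_NAME_IX; non-production copy only.

-- 0. Constructed sample data. Rows 100 and 102 share a phone number on purpose:
--    a masked copy must keep equal inputs equal, or joins on the column break.
CREATE TABLE hr_test.employees (
  employee_id  NUMBER        CONSTRAINT emp_pk PRIMARY KEY,
  last_name    VARCHAR2(25)  NOT NULL,
  phone_number VARCHAR2(20)
);
CREATE INDEX hr_test.emp_name_ix ON hr_test.employees (last_name);
INSERT INTO hr_test.employees VALUES (100, 'King',    '515.123.4567');
INSERT INTO hr_test.employees VALUES (101, 'Kochhar', '515.123.4568');
INSERT INTO hr_test.employees VALUES (102, 'De Haan', '515.123.4567');
COMMIT;
GRANT SELECT ON hr_test.employees TO hr_reader;

-- 1. Mapping table (original_value, mask_value): one row per DISTINCT original value.
--    ROW_NUMBER over a random ordering gives every distinct input a unique mask
--    (so a unique constraint can be kept) without any correlation to the input.
CREATE TABLE hr_test.dm_map_phone NOLOGGING AS
SELECT original_value,
       '555.' || LPAD(TRUNC((rn - 1) / 10000), 3, '0') || '.'
              || LPAD(MOD(rn - 1, 10000), 4, '0') AS mask_value
FROM  (SELECT original_value,
              ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
       FROM  (SELECT DISTINCT phone_number AS original_value
              FROM   hr_test.employees
              WHERE  phone_number IS NOT NULL));

-- 2. Drop constraints and revoke grants (note them down: they come back in step 7).
REVOKE SELECT ON hr_test.employees FROM hr_reader;
ALTER TABLE hr_test.employees DROP CONSTRAINT emp_pk;

-- 3. Rename the original out of the way; it and its index keep existing for now.
ALTER TABLE hr_test.employees RENAME TO employees_dm_orig;

-- 4. Build the replacement by joining the original to the mapping table.
--    NOLOGGING and PARALLEL are the optimizations the text refers to; the load
--    writes no redo, so the new table is unprotected until the next backup.
CREATE TABLE hr_test.employees NOLOGGING PARALLEL 4 AS
SELECT o.employee_id, o.last_name, m.mask_value AS phone_number
FROM   hr_test.employees_dm_orig o
       LEFT JOIN hr_test.dm_map_phone m ON m.original_value = o.phone_number;

-- 5. Indexes on the new table. A temporary name is needed because the original
--    table still owns EMP_NAME_IX at this point (both sets of indexes coexist).
CREATE INDEX hr_test.emp_name_ix_new ON hr_test.employees (last_name);

-- 6. Collect statistics.
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(ownname => 'HR_TEST', tabname => 'EMPLOYEES');
END;
/

-- 7. Replace constraints and grants, and put the table back to normal settings.
ALTER TABLE hr_test.employees ADD CONSTRAINT emp_pk PRIMARY KEY (employee_id);
ALTER TABLE hr_test.employees LOGGING;
ALTER TABLE hr_test.employees NOPARALLEL;
GRANT SELECT ON hr_test.employees TO hr_reader;

-- 8. Drop the original's indexes, then the original itself with PURGE so the
--    sensitive rows cannot be brought back from the recycle bin with FLASHBACK TABLE.
DROP INDEX hr_test.emp_name_ix;
DROP TABLE hr_test.employees_dm_orig PURGE;
ALTER INDEX hr_test.emp_name_ix_new RENAME TO emp_name_ix;

-- 9. Drop the mapping tables, also with PURGE: a mapping table is a re-identification key.
DROP TABLE hr_test.dm_map_phone PURGE;

-- Check: 100 and 102 share one 555.* number, 101 has another, no 515.* value remains.
SELECT employee_id, last_name, phone_number
FROM   hr_test.employees
ORDER  BY employee_id;
```

The mapping table is keyed on distinct original values rather than on rows for the same reason the wizard builds one: a value that appears in several rows, or in several tables, must receive the same mask everywhere, otherwise referential integrity and test queries that join on the masked column stop working. The mapping table is the only thing that links a masked value back to the real one, which is why step 9 purges it rather than leaving it for the recycle bin.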

Question

What are the characteristics of the data masking process?

Options:

1. It runs in parallel with database logging enabled

2. It performs bulk operations to create a table containing masked data

3. The new table and the original table exist in the database when complete

4. The mapping table contains the original value and masked value

Answer

Option 1: This option is incorrect. The data masking definition's script takes advantage of the built-in optimizations in the database. It disables database logging and runs in parallel to quickly create a masked replacement for the original table.

Option 2: This option is correct. The data masking job performs bulk operations to rapidly replace the table containing sensitive data with an identical table containing masked data, while retaining the original database constraints, referential integrity, and associated access structures such as indexes and partitions, and access permissions such as grants.

Option 3: This option is incorrect. During the masking process, the original table containing sensitive data is dropped from the database completely and is no longer accessible.

Option 4: This option is correct. The first step in the masking process is to build a mapping table for each column to be masked. The mapping table contains the original value and the masked value.

Correct answer(s):

2. It performs bulk operations to create a table containing masked data

4. The mapping table contains the original value and masked value

After you have completed the masking definition, you can save the definition in a portable XML format called an Application Masking Template. This enables you to restore the masking definition if needed and to share the masking definition with another Enterprise Manager Grid Control installation.

An Application Masking Template is created by using the Export Mask Definition feature.

Graphic

To use this feature, you click the Export button in the Masking Definitions page, which is currently opened.

You can import a previously exported masking definition that is stored in an XML file into the Enterprise Manager Grid Control repository. This lets you reuse the imported definition as it is, or as the starting point for new masking definitions.

Graphic

You do this using the Import Masking Definition: Select File page, which is opened. You use this page to import a masking definition that was previously exported from the Data Masking page. Select the exported file and continue to import the masking definition into a repository. You can select the file by clicking the Browse button beside the File field. The page also contains the Cancel and Continue buttons.

Create custom reports by using Enterprise Manager Grid Control Reports. The 10.2.0.4 version of Data Masking allows you to create custom reports to monitor and audit data masking operations.

Auditors need to review the following types of information with respect to data masking:

number of masking sessions

columns that were masked

masking formats used, and

dependent columns that were masked (that were not identified by existing constraints)

Although there are no predefined data masking reports in Enterprise Manager Grid Control, you can create data masking reports by using the Reports Definition capability.

To create data masking reports, perform these initial steps:

Graphic

The Home tabbed page of Enterprise Manager Grid Control is opened. The other tabs in the Grid Control are Targets, Deployments, Alerts, Compliance, Jobs, and Reports.

1. click the Reports tab in Enterprise Manager Grid Control

2. click Create in the Report Definitions page

This page contains the Search section that comprises the fields - Title, Owner, Target Type, and Target Name, and the buttons - Delete, Create Like, Edit, and Create. It also displays a table with the various reports. The table contains the columns - Select, Title, Description, Date Generated, and Owner.

3. specify a report title, such as Data Masking Report, in the Create Report Definition page

The page has four tabs - General, Elements, Schedule, and Access. The Title field is available in the General tabbed page. Other fields are the drop-down lists - Category and Subcategory, and the Description box. It also contains the buttons - Add Category and Add Subcategory.

4. select Security from the Category drop-down list, or create another category such as Custom, and

Other options in the Category drop-down list are Deployment and Configuration, EM, Enterprise Manager Setup, Monitoring, and Storage. To create a new category, you click the Add Category button.

5. select Security Policy Overview from the Subcategory drop-down list, or create a new subcategory such as Data Masking

Other options in the Subcategory drop-down list include Alerts and Policy Violations, Oracle Application Server Software, Oracle Database Configuration, Oracle Database Software, Oracle Database Space Issues, Oracle Database Space Usage, Oracle Home Patch Advisories, Policy Groups, and Root Cause Analysis.

These are the remaining steps to create data masking reports:

Graphic

The Create Report Definition page is opened.

1. click the Elements tab


2. on the Elements tabbed page, click Add

The page contains a table with columns - Type, Header, Targets, Set Parameter, and Remove. It also contains the Layout button, which is currently disabled.

3. select an element type = Table from SQL

Various element types are displayed in the table. The element type is selected by selecting the radio button against the element type.

4. click Continue

5. click Set Parameters

This is done by selecting the icon in the Set Parameters column.

6. enter a header and SQL statement, and then click Continue in the Set Parameters page, and

The header is entered in the Header field as Data Masking Report, and the SQL statement is entered in the Statement field. The SQL statement defines the result set that is displayed as a table in the report.

7. click OK

Other buttons present are Preview and Cancel.

This is an example of the elements of a Data Masking Auditors report.


Use the learning aid Sample Data Masking Auditors Report to view other examples of the elements of a sample Data Masking Auditors report.

Summary

In this topic, you've learned how to use data masking.

Sample Data Masking Auditors Report

Purpose: Use this learning aid to view the elements of a sample Data Masking Auditors report.

This is an example of the elements of a Data Masking Auditors report. The first element lists every masked column with its format type and format parameters; the second lists the dependent columns that were masked although no constraint identified them. Two repairs to note: the select list before the "Sequence" column is cut off on the page and is reconstructed here from the ORDER BY clause, and the label for rule type 'UT' is cut off after "Post" and is completed with the format's name, Post Processing Function. ??EMIP_BIND_TARGET_GUID?? is the Grid Control report bind variable that is replaced at run time with the GUID of the target the report is run against.

    -- Element 1: masked columns, their formats and format parameters
    select s.ss_name "Masking Definition", c.table_schema "Schema", c.table_name "Table",
           c.column_name "Column", e.entry_order "Sequence",
           decode(e.rule_type, 'RN', 'Random Number', 'CC', 'Table Column', 'DT', 'Random Date',
                  'AL', 'Array List', 'FN', 'Fixed Number', 'FS', 'Fixed String',
                  'RD', 'Random Digits', 'RS', 'Random String', 'SH', 'Shuffling',
                  'UF', 'User Defined Function', 'UT', 'Post Processing Function') "Format Type",
           decode(e.rule_type,
                  'RN', 'Start Length: ' || rule_low || ' End Length: ' || rule_high,
                  'CC', 'Schema owner: ' || e.table_schema || ' Source table and column: '
                        || e.table_name || '.' || e.column_name,
                  'AL', a.arraylist_item,
                  'FS', fixed_string,
                  'RD', 'Start Digits: ' || rule_low || ' End Digits: ' || rule_high,
                  null) "Format Entry Parameters"
    from   sysman.mgmt_dm_ruleentry e, sysman.mgmt_dm_scopespecs s,
           sysman.mgmt_dm_ss_columns c, sysman.mgmt_dm_alitems a,
           sysman.mgmt_dm_job_executions j
    where  e.rule_guid = c.rule_guid
    and    e.rule_guid = a.rule_guid (+)
    and    e.entry_order = a.entry_order (+)
    and    s.ss_guid = j.ss_guid
    and    s.ss_guid = c.ss_guid
    and    s.source_id = ??EMIP_BIND_TARGET_GUID??
    order  by s.ss_name, c.table_schema, c.table_name, c.column_name, e.entry_order

    -- Element 2: dependent columns that were masked without a constraint identifying them
    select c.parent_schema "Primary Schema", c.parent_table "Primary Table",
           c.parent_column "Primary Column", c.table_schema "Dependent Schema",
           c.table_name "Dependent Table", c.column_name "Dependent Column"
    from   sysman.mgmt_dm_incons_columns c, sysman.mgmt_dm_scopespecs d
    where  d.ss_guid = c.ss_guid
    and    d.source_id = ??EMIP_BIND_TARGET_GUID??

Implementing Data Masking

Learning Objective

After completing this topic, you should be able to

use the Data Masking Pack

Exercise overview

You want to apply data masking to the HR_TEST schema. You have identified the columns with sensitive data, and want to create a phone number mask for generating a data-masking job.

Task 1: Creating a masking format

You have started the creation of a masking format named . Select Fixed String from the Add drop-down list and click Go

4. Type


Task 2: Creating a masking definition

You now want to create a masking definition for a specific column in the EMPLOYEES table. Create a masking definition for the EMPLOYEE_ID column of the HR_TEST.EMPLOYEES table. Specify a name of HR_MASK and a description of "HR Masking Policy." To return the list of columns, search for the EMPLOYEES table using the HR_TEST schema. Define and add the format for the EMPLOYEE_ID column, specifying a random number entry from 10000 to 99999. Then confirm and save the masking definition. Accept all other default selections.

Steps list

Instructions

1. Click Mask

2. Type HR_MASK in the . Type HR Masking Policy in the Description text box and click Add

4. Type hr_test in the Schema text box, type employees in the Table . Type oracle in the Username text box

4. Type oracle in the Password text box and click Next

5. Click Submit

6. Click View Job Details
