Best Practice: Identifiers and Users for Masking (KBA1753)
Issue
This document covers the requirements and scope of Identifiers and Users required for the masking process, explaining the challenges and recommendations.
One of the primary requirements is the connectivity between Delphix and the databases. This document details the permissions required for different masking use case . While you can use existing ID’s, Delphix recommends creation of new ID’s specific to masking.
Challenges & Recommendation
Delphix connects to databases for two reasons:
- Discovering sensitive data
- Masking sensitive data
Permissions needed to execute the operations are different for each case. Clients may use a single ID that encompasses all required access or different ID’s for each action.
Delphix recommends a single ID where possible.
Delphix masking recommends that you do not connect to the production databases to reduce load and minimize risk to the production systems.
To ensure consistency of approach and execution, Delphix recommends running a masking project from a centralized Masking Center of Excellence (CoE).
Additional stakeholders include:
- DBA Groups(s)
- System administrators
- Information Security
- Infrastructures
- Project Management Organization
The below sections describe the required access type, the embedded table has more detailed specifications for the IDs.
Use Cases
Scenario 1: Data Discovery
Sensitive data discovery is a non-destructive process and reads metadata and/or data from databases only.
The discovery process has the following 2 or 3 characteristics:
- Access and read sensitive (production) data.
- Analyze metadata from selected schema/database
- May sample unmasked data if doing data level profiling
Hence, the ID used for profiling needs to be able to connect data, read data, and also maintain a full audit trail.
A User Id of this nature may need approval for access to production/sensitive data and may not need exclusive access while the profiling job but will put load on database.
This however is low priority and executed infrequently after masking is successfully configured and executed the first time.
Scenario 2: Data Masking
Masking operations change data in the database and hence needs an exclusive access on the target database while the masking job is running.
Along with changing data, the masking process sometimes needs to make DDL changes (mostly transient) and may need higher privileges than DML. This ID also needs be fully audit-able since it accesses sensitive data.
Scenario 3: File Masking
Masking operations also change data in files and hence needs an exclusive access on the file system while the masking job is running.
Masking workflow works in 2 modes:
- On-The-Fly (Recommended for file masking)
This mode involves creating 2 directories on the SFTP/FTP location with SOURCE – R or 400 TARGET – RWX or 755 - In-Place
Target – R or 400
Recommendation
Below are a few recommendations for creating IDs. These should be incorporated in the Masking CoE rule book during project setup.
Central Creation
Wherever possible the User ID(s) should be centrally created per company policy. This makes it easier to copy users to different databases.
Replication across Platforms
A template for the ID should be created within the company for easy ID provisioning across all platforms (as data masking happens across platforms). A common naming-convention is also highly recommended
It becomes very easy for all groups (mentioned) earlier if a common ID (over a common ID name) is used for the same purpose across company.
Auditable
The masking IDs will access and change sensitive data. As per company policy it may be needed that every action of these IDs is tracked and an audit trail is maintained. Audit log for ID activity may be maintained for the longest period per company’s Information Security policy.
Non-Interactive
Within the Delphix interface, users cannot see the underlying data. They are only allowed to see the metadata and data characteristics.
It is understood that certain users will need access to data to validate, verify, and oversee the masking operations. It is highly recommended that these users have separate IDs and do not use Delphix IDs designated for masking.
Delphix IDs should remain non-interactive as Delphix only establishes programmatic access to databases and not visual based.
Role Based Access Control (RBAC)
If RBAC for dynamic access is available, the Delphix ID/IDs should be included in a role that has access to the appropriate Databases. A masking role can also be created with the permissions needed.
Firewall Protection
Since masking operation executes a large number of queries and reads huge amount of sensitive data, the firewall or DLP (data leak prevention) systems in the company should be updated for activity using the Masking IDs. The masking activity is sometimes flagged as inappropriate by older systems and the processes are blocked.
Linkage
Many customers link the masking user IDs to third-party products designated for User ID management, recommendations for such use cases is below.
Central Authentication
Many firms use central authentication like LDAP and Kerberos. Delphix supports any JDBC based authentication mechanism. The Delphix engine may need to register with the company domain, this can be accomplished via Delphix professional services.
Privileged Password Management (PPM)
Many customers use central password repositories for privileged IDs which have access to production data. Delphix does not officially endorse any third party product but many of our clients have integrated with Cyber-ark, Cloak ware, and Powerbroker type of PPM solutions. Users may have to consult the PPM team in order to facilitate integration
Privileges
The table below highlights the permissions IDs need for most common database types.
Oracle | Function | Description |
Profiling | CREATE SESSION | Connect to the database. |
SELECT | Query the table with the SELECT statement. | |
Masking |
CONNECT, RESOURCE, and DBA |
These roles are provided for compatibility with previous versions of Oracle Database. You can determine the privileges encompassed by these roles by querying the DBA_SYS_PRIVS data dictionary view. |
CREATE SESSION | Connect to the database. | |
DELETE | Remove rows from the table with the DELETE statement. | |
INSERT | Add new rows to the table with the INSERT statement. | |
SELECT | Query the table with the SELECT statement. | |
UPDATE | Change data in the table with the UPDATE statement. | |
Masking Power User |
ALTER | Change the table definition with the ALTER TABLE statement. |
CONNECT, RESOURCE, and DBA | These roles are provided for compatibility with previous versions of Oracle Database. You can determine the privileges encompassed by these roles by querying the DBA_SYS_PRIVS data dictionary view. | |
CREATE SESSION | Connect to the database. | |
CREATE TABLE | Create a table in the grantee's schema. | |
DELETE | Remove rows from the table with the DELETE statement. | |
EXECUTE | Operations on job classes, programs, chains, and credentials. | |
INDEX | Create an index on the table with the CREATE INDEX statement. | |
INSERT | Add new rows to the table with the INSERT statement. | |
SELECT | Query the table with the SELECT statement. | |
UPDATE | Change data in the table with the UPDATE statement. |
Sybase |
Function |
Description |
Profiling | Profiling | Allows the user to connect to the database. See New user creation. |
SELECT | Allows the user to look at information in a table or a view. This permission can also be granted to individual columns in a table. See GRANT statement. | |
Masking
|
CONNECT | Allows the user to connect to the database. See New user creation. |
DELETE | Allows the user to delete rows from a table or view. See GRANT statement. | |
INSERT | Allows the user to insert rows into a table or view. See GRANT statement. | |
INTEGRATED LOGIN | Allows the user to connect to the database using an integrated login. See Windows integrated logins. | |
KERBEROS LOGIN | Allows the user to connect to the database using a Kerberos login. See Kerberos authentication. | |
SELECT | Allows the user to look at information in a table or a view. This permission can also be granted to individual columns in a table. See GRANT statement. | |
UPDATE | Allows the user to update rows in a table or view. This permission can also be granted to individual columns in a table. See GRANT statement. | |
Masking Power User
|
ALTER | Allows the user to alter the structure of a table or create a trigger on a table. Because this permission grants the user the permission to modify the database schema, it should not be granted to most users. See GRANT statement. |
CONNECT | Allows the user to connect to the database. See New user creation. | |
CREATE ON | Allows a user with RESOURCE authority to create database objects in the specified dbspace. See GRANT statement and RESOURCE authority. | |
DELETE | Allows the user to delete rows from a table or view. See GRANT statement. | |
EXECUTE | Allows the user to execute a procedure or a function. See GRANT statement. | |
INSERT | Allows the user to insert rows into a table or view. See GRANT statement. | |
INTEGRATED LOGIN | Allows the user to connect to the database using an integrated login. See Windows integrated logins. | |
KERBEROS LOGIN | Allows the user to connect to the database using a Kerberos login. See Kerberos authentication. | |
REFERENCES | Allows the user to create indexes on a table and to create foreign keys that reference a table. This permission can also be granted on individual columns in a table. Because this permission grants the user permission to modify the database schema, it should not be assigned to most users. | |
SELECT | Allows the user to look at information in a table or a view. This permission can also be granted to individual columns in a table. See GRANT statement. | |
UPDATE | Allows the user to update rows in a table or view. This permission can also be granted to individual columns in a table. See GRANT statement. |
SQL Server |
Function |
Description |
Profiling |
CONNECT | CONTROL SERVER |
SELECT | SELECT | |
Masking
|
CONNECT | CONTROL SERVER |
DELETE | DELETE | |
INSERT | INSERT | |
SELECT | SELECT | |
UPDATE | UPDATE | |
Masking Power User
|
ALTER | ALTER |
CONNECT | CONTROL SERVER | |
CREATE TABLE | CONTROL SERVER | |
DELETE | DELETE | |
EXECUTE | EXECUTE | |
INSERT | INSERT | |
SELECT | SELECT | |
UPDATE | UPDATE |
Applicable Delphix Versions
This article applies to the following versions of the Delphix Engine:
Major Release |
Sub Releases |
5.3 | 5.3.0.0 |
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1 |
5.1 |
5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0 |
5.0 |
5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1 ,5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4 |
Tags recommended by the template: article:reference