Skip to main content

TB058 Masked Provisioning with Advanced Connector Could Result in Data Masking Errors




This article applies to the following versions of the Delphix Engine:

Major Release

All Sub Releases



5.0,,,,,,,,, ,,,,,

Alert Type


Severity Level: High

CVSS Score: 6.3 based on

Attack Vector (AV): Network

Attack Complexity (AC): Low

Privileges Required (PR): Low

User Interaction (UI): Required

Scope (S): Unchanged

Confidentiality (C): High

Integrity (I): Low

Availability (A): None


This issue affects customers using Selective Data Distribution (SDD) when the Masking function was configured to use an Advanced Connector.

The problem is encountered on combined engines when an Advanced Masking Connector is used. The created connector points to the original target (likely a sample VDB used to configure and test the masked provisioning process) rather than to the provisioned/refreshed VDB.


This issue has two negative side effects:

  1. If the Masking job succeeds, the VDB is incorrectly considered masked. If SDD (Selective Data Distribution) has been configured, the VDB would then be replicated to the SDD target engine.

  2. When the misconfigured Masking job runs, a different database will be masked unintentionally (assuming this database is online, the credentials are correct, etc.). As mentioned above, this is a sample VDB used to configure and test the masked provisioning process if the standard best practices have been followed.


Use custom hook scripts to correctly create the connector and invoke the masking job.


This issue is fully resolved in Delphix Engine release and later.

Additional Information