Scribd
Upload
54 views

Dynamic Data Masking Lab Guide

Uploaded by

Sabahat Hussain
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
54 views

Dynamic Data Masking Lab Guide

Uploaded by

Sabahat Hussain
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 67

Informatica Dynamic Data Masking

Lab Guide
Version:
ILM951_DDM_201310
Informatica Dynamic Data Masking
Version: ILM951_DDM_201310
October 2013
Copyright (c) 1998–2013 Informatica Corporation. All rights reserved.
This educational service, materials, documentation and related software contain proprietary
information of Informatica Corporation and are provided under a license agreement containing
restrictions on use and disclosure and are also protected by copyright law. Reverse engineering
of the software is prohibited. No part of the materials and documentation may be reproduced or
transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without
prior consent of Informatica Corporation. The related software is protected by U.S. and/or
international Patents and other Patents Pending.
Use, duplication, or disclosure of the related software by the U.S. Government is subject to the
restrictions set forth in the applicable software license agreement and as provided in DFARS
227.7202-1(a) and 227.7702-3(a) (1995), DFARS 252.227-7013(c)(1)(ii) (OCT 1988), FAR
12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14 (ALT III), as applicable.
The information in this educational service, materials and documentation is subject to change
without notice. If you find any problems in this educational service, materials or documentation,
please report them to us in writing.
Informatica, Informatica Platform, Informatica Data Services, PowerCenter, PowerCenterRT,
PowerCenter Connect, PowerCenter Data Analyzer, PowerExchange, PowerMart, Metadata
Manager, Informatica Data Quality, Informatica Data Explorer, Informatica B2B Data
Transformation, Informatica B2B Data Exchange Informatica On Demand, Informatica Identity
Resolution, Informatica Application Information Lifecycle Management, Informatica Complex
Event Processing, Ultra Messaging and Informatica Master Data Management are trademarks or
registered trademarks of Informatica Corporation in the United States and in jurisdictions
throughout the world. All other company and product names may be trade names or trademarks
of their respective owners.
Portions of this educational service, materials and/or documentation are subject to copyright held
by third parties, including without limitation: Copyright © Adobe Systems Incorporated. All rights
reserved. Copyright © Microsoft. All rights reserved. Copyright © Oracle. All rights reserved.
Copyright @ the CentOS Project.
This Software is protected by U.S. Patent Numbers 5,794,246; 6,014,670; 6,016,501; 6,029,178;
6,032,158; 6,035,307; 6,044,374; 6,092,086; 6,208,990; 6,339,775; 6,640,226; 6,789,096;
6,820,077; 6,823,373; 6,850,947; 6,895,471; 7,117,215; 7,162,643; 7,243,110, 7,254,590;
7,281,001; 7,421,458; 7,496,588; 7,523,121; 7,584,422, 7,720,842; 7,721,270; and 7,774,791,
international Patents and other Patents Pending.
DISCLAIMER: Informatica Corporation provides this educational services, materials and
documentation “as is” without warranty of any kind, either express or implied, including, but not
limited to, the implied warranties of non-infringement, merchantability, or use for a particular
purpose. Informatica Corporation does not warrant that this educational service, materials,
documentation or related software is error free. The information provided in this educational
service, materials, documentation and related software may include technical inaccuracies or
typographical errors. The information in this educational service, materials, documentation and
related software is subject to change at any time without notice.

ii
Preface

Welcome to the “Informatica Dynamic Data Masking” course.


This hands-on course familiarizes developers responsible for configuring Informatica
dynamic Data Masking with the essential terminology and concepts necessary to
understand what goes into a DDM implementation and introduces them to the
fundamental capabilities of the DDM user interface. With hands on labs, it walks them
through the Management Console which is used to configure data masking rules and
explains how to specify conditions that qualify incoming SQL queries for data masking.
Each step is supported by labs.

Prerequisites:
This course is designed for database administrators and professional developers with at
least one year of SQL and database experience. This is meant for those who will be
involved in ILM Dynamic Data Masking project. Additional prerequisites include:
Knowledge of Structures Query Language (SQL)
Microsoft Windows Graphical User Interface
General programming basics

Course Objectives
After successfully completing this course, students should be able to:
 Describe the Informatica ILM Dynamic Data Masking
 Know the DDM critical terms
 Describe the purpose and benefits of DDM
 Configure DDM listener Ports
 Configure DDM to protect a database
 Configure a database client with DDM listener port
 Describe and configure Switching Rule Components
 Describe and configure a Rule Set
 Basic Troubleshooting steps
Audience
This course is designed for professional developers with at least one year of SQL and
database experience. This is meant for those who will be involved in ILM Dynamic Data
Masking project.

3
Document Conventions
This guide uses the following formatting conventions:
If you see… It means… Example
> Indicates a submenu to navigate Click Repository > Connect.
to. In this example, you should click the
Repository menu or button and choose
Connect.
boldfaced text Indicates text you need to type or Click the Rename button and name the new
enter. source definition S_EMPLOYEE.
UPPERCASE Database tables and column names T_ITEM_SUMMARY
are shown in all UPPERCASE.
italicized text Indicates a variable you must Connect to the Repository using the assigned
replace with specific login_id.
information
Note: The following paragraph provides Note: You can select multiple objects to
additional facts. import by using the Ctrl key.
Tip: The following paragraph provides Tip: The m_ prefix for a mapping name is…
suggested uses or a Velocity best
practice.

4
Other Informatica Resources
In addition to the student and lab guides, Informatica provides these other resources:
Informatica Documentation
Informatica Customer Portal
Informatica web site
Informatica Developer Network
Informatica Knowledge Base
Informatica Multimedia Knowledge Base
Informatica How-to Library
Informatica Professional Certification
Informatica Technical Support
Obtaining Informatica Documentation
The Informatica Documentation team takes every effort to create accurate, usable documentation. If
you have questions, comments, or ideas about this documentation, contact the Informatica
Documentation team through email at [email protected]. We will use your
feedback to improve our documentation. Let us know if we can contact you regarding your
comments. The Documentation team updates documentation as needed. To get the latest
documentation for your product, navigate to Product Documentation from
http://mysupport.informatica.com.

Visiting the Informatica Customer Portal


http://mysupport.informatica.com
As an Informatica customer, you can access the Informatica Customer Portal site. The site contains
product information, user group information, newsletters, access to the Informatica customer support
case management system (ATLAS), the Informatica How-To Library, the Informatica Knowledge
Base, the Informatica Multimedia Knowledge Base, Informatica Product Documentation, and access
to the Informatica user community.

Visiting the Informatica Web Site


You can access Informatica’s corporate web site at:
http://www.informatica.com
The site contains information about Informatica, its background, upcoming events, and locating
your closest sales office. You will also find product information, as well as literature and partner
information. The services area of the site includes important information on technical support,
training and education, and implementation services.

Visiting the Informatica Technology Network


The Informatica Developer Network is a web-based forum growing online community and
interactive forum for data integration and data quality professionals around the globe. You can
access the Informatica Developer Network at the following URL: http://technet.informatica.com/
The site contains information on how to create, market, and support customer-oriented add-
on solutions based on interoperability interfaces for Informatica products.

5
Visiting the Informatica Knowledge Base
As an Informatica customer, you can access the Informatica Knowledge Base at
http://mysupport.informatica.com. Use the Knowledge Base to search for documented solutions to
known technical issues about Informatica products. You can also find answers to frequently asked
questions, technical white papers, and technical tips. If you have questions, comments, or ideas
about the Knowledge Base, contact the Informatica Knowledge Base team through email at
[email protected].

Visiting the Informatica Multimedia Knowledge Base


As an Informatica customer, you can access the Informatica Knowledge Base at
http://mysupport.informatica.com. Use the Knowledge Base to search for documented solutions to
known technical issues about Informatica products. You can also find answers to frequently asked
questions, technical white papers, and technical tips. If you have questions, comments, or ideas
about the Knowledge Base, contact the Informatica Knowledge Base team through email at
[email protected].

Visiting the Informatica How-To Library


As an Informatica customer, you can access the Informatica How-To Library at
http://mysupport.informatica.com. The How-To Library is a collection of resources to help you
learn more about Informatica products and features. It includes articles and interactive
demonstrations that provide solutions to common problems, compare features and behaviors,
and guide you through performing specific real-world tasks.

Obtaining Informatica Professional Certification


You can take, and pass, exams provided by Informatica to obtain Informatica Professional
Certification. For more information, go to:
http://www.informatica.com/products_services/education_services/certification/Pages/index.aspx

Providing Feedback
Email any comments on this guide to [email protected].

Obtaining Technical Support


There are many ways to access Informatica Technical Support. You can call or email your nearest
Technical Support Center listed in the following table, or you can use our WebSupport Service.
Use the following email addresses to contact Informatica Technical Support:
[email protected] for technical inquiries
[email protected] for general customer service requests

WebSupport requires a user name and password. You can request a user name and password at:
http://communities.informatica.com

6
Informatica Global Customer Support
You can contact a Customer Support Center by telephone or through the Online Support.
Online Support requires a user name and password. You can request a user name and password
at http://mysupport.informatica.com.

Use the following telephone numbers to contact Informatica Global Customer Support:

North America / South Europe / Middle East / Africa Asia / Australia


America
Informatica Informatica Software Ltd. Informatica Business
Corporation 6 Waltham Park Solutions Pvt. Ltd.
Headquarters Waltham Road, White Waltham 301 & 302 Prestige Poseidon
100 Cardinal Maidenhead, Berkshire 139 Residency Road
Way SL6 3TN Bangalore 560 025
Redwood City, United Kingdom India
California
94063 Toll Free Toll Free
United States 00 800 4632 4357 Australia: 00 11 800 4632
4357
Toll Free Standard Rate Singapore: 001 800 4632 4357
877 463 Belgium: +32 15 281 702
2435 France: +33 1 41 38 92 26 Standard Rate
Germany: +49 1805 702 702 India: +91 80 5112 5738
Standard Rate Netherlands: +31 306 022 797
United States: 650 United Kingdom: +44 1628 511 445

vii
Table of Contents

Module 1 Lab 1: Prepare for Dynamic Data Masking...................................................................... 1


Module 1 Lab 2: Deny database access within a time frame ........................................................ 13
Module 1 Lab 3: Protect CUSTOMER and CUSTOMER_SERVICE tables ........................................ 21
Module 1 Lab 4: Disable, Export, and Delete Rules ...................................................................... 27
Module 1 Lab 5: Replace an Incoming SQL Query ........................................................................ 31
Module 1 Lab 6: Edit an Incoming SQL Query ............................................................................... 35
Module 1 Lab 7: Intercepting an Incoming SQL Query from a JAR ............................................... 39
Informatica Dynamic Data Masking Workshop............................................................................. 47
Module 1 Lab 1: Prepare for Dynamic Data Masking
Scenario:
 You will tell the DDM what database to protect.
 You will configure a database client to access the database through DDM

Goals:
 Use DDM to create a DDM listener port
 Configure DDM to protect a database
 Configure a database client with the DDM listener port

Duration:
15 minutes

ILM Dynamic Data Masking Module 1. Lab 1 1


Instructions
Step 1. Configure DDM Listener Ports
1) In your Student environment, click Start > programs > Informatica
>Dynamic_Data_Masking_9.5.1 > Management Console.
2) In the Login dialog box, enter the following for the Password:
infa
3) Click Connect.
Figure 1: Login dialog box

4) In Site Management Console Navigator, right-click the DDM_Server and


select Add DDM Services.
Figure 2

5) In the Add DDM Services window, select DDM for Oracle and then click
OK.
Figure 3

2 Module 1. Lab 1 ILM Dynamic Data Masking


6) In the Site Management Console Navigator, expand DDM_Server and
select DDM for Oracle. By Default, the DDM Service listener ports
section lists ports 1525 and 1526 for Oracle. DDM can listen to multiple
ports at the same time.
Figure 4

Note: In the Student environment, you use ports 1525, 1526, and 1530 as
DDM listener ports.

7) In the Site Management Console Navigator, right-click DDM for Oracle


and select Edit
Figure 5: Creating DDM

8) The Edit dialog box lists ports 1525 and 1526 by default. Click Add Port.

ILM Dynamic Data Masking Module 1. Lab 1 3


9) In the new entry, enter 1530 and then click Ok.
Figure 6: Managing DDM Listener ports

Step 2. Add production database


You define the database schema you want to protect through the DDM.
1) In the Site Management Console Navigator, right-click Site and select
Add Database
Figure 7: Adding Protected Database definition

2) In the Add Database window, for the Database Name enter


Source_DDM.
Figure 8: Protected database name within DDM

4 Module 1. Lab 1 ILM Dynamic Data Masking


3) Under the Oracle Instances section, click the plus sign (+)
Figure 9: Add database Instances

4) In the new entry, enter the following:


 Instance Name: infaorcl
 Listener Address: 10.10.10.10
 Listener Port: 1521
Figure 10: Database details on your Student environment

ILM Dynamic Data Masking Module 1. Lab 1 5


5) Under the Service Name section, click the plus sign (+)
Figure 11: Add the listener service name

6) In the new entry, for the Service Name, enter infaorcl

6 Module 1. Lab 1 ILM Dynamic Data Masking


7) For the DBA credentials, use the following:
 DBA Username: system
 DBA Password: admin
Figure 12: Enter system credentials

Note: To protect the entire database, enter the system credentials. To


restrict DDM protection to a single schema, enter credentials for that
particular schema.

ILM Dynamic Data Masking Module 1. Lab 1 7


8) Click Test Connection.
9) When the test succeeds, a validation message appears. Click Ok.
Figure 13: Configure Protected Database

10) In the Create Database window, click OK.

8 Module 1. Lab 1 ILM Dynamic Data Masking


Step 3. Configure database client
Configure the database clients/ applications to use the DDM listener port.
In the Student environment, you configure SQL Developer to access the
SOURCE database schema through the DDM listener port.
1) In the Student environment, double-click the SQL Developer icon to start
it.
Figure 14: SQL Developer icon

2) In the SQL developer, there is an existing connection to the SOURCE


database schema. This connection accesses the database without the
DDM protection. You use this connection to compare query results
against the results with DDM protection.
Figure 15: Existing connection to the source database

3) In the SQL Developer, from the toolbar, click File > New
Figure 16: Creating a new database connection

ILM Dynamic Data Masking Module 1. Lab 1 9


4) In the Create New dialog box, select Database Connection and click
OK.
Figure 17: Creating a new connection in SQL Developer

5) In the New / Select Database Connection window, use the following


values to create a connection:
a) Connection Name: Source with DDM
b) User name: source
c) Password: infa
d) Port: 1530
e) SID: infaorcl

10 Module 1. Lab 1 ILM Dynamic Data Masking


6) To verify the credentials, click Test. You can see the status message
Figure 18: Configure SQL Developer with DDM listener port

7) Click Connect.

ILM Dynamic Data Masking Module 1. Lab 1 11


12 Module 1. Lab 1 ILM Dynamic Data Masking
Module 1 Lab 2: Deny database access within a time
frame
Scenario:
 Your employer InfaBank is upgrading an application today. This application uses
the CREDIT_CARDS table. The upgrade will take place between 9AM and 5PM
local time. Your manager has asked you to restrict reads and writes to the tables
during the upgrade time.
 You want to deny access to the CREDIT_CARDS table between 9 am and 5pm
of your database server.

Goals:
 Configure a connection rule to intercept database requests specific to a database
 Configure a statement processing rule set
 Configure a rule within the rule set to validate the time frame
 Configure another rule to deny access to the database table CREDIT_CARDS.

Duration:
15 minutes

ILM Dynamic Data Masking Module 1. Lab 2 13


Instructions
Step 1. Configure Connection rule
Create a connection rule to capture incoming database requests specific to
the SOURCE database schema.
1) In Site Management Console Navigator, right-click DDM for Oracle and
select Connection Rules.
Figure 1: Create Connection rule

2) The Rule Editor – DDM for Oracle window appears. In the Rule Editor
Navigator, right-click DDM for Oracle Rules and select Append Rule.
Figure 2: Add connection rule

3) In the Append Rule window, Enter the following:


a) Rule Name: Source_DB
b) Identify incoming connections using: Current target Database
c) Database: Source_DDM
d) Action applied: Use Rule Set

14 Module 1. Lab 2 ILM Dynamic Data Masking


e) Rule Set Name: Source_DB_Rules
Figure 3: Configure connection rule

Note: The Rule Set Name: Source_DB_Rules does not exist at this moment.
You create this rule set in the next step.

4) Click OK.
5) Click File > Update Rules.
6) Click File > Exit.

ILM Dynamic Data Masking Module 1. Lab 2 15


Step 2. Create Rule Set
A database request is intercepted by a Connection rule. The connection rule
uses a rule set to process the database request.
1) In the Site Management Console Navigator, right-click Site and select
Add Rule Set.
Figure 4: Create a rule set

2) The Add Rule Set window appears. Enter the Rule Set name as
Source_DB_Rules and click OK.
Figure 5: Name a rule set

16 Module 1. Lab 2 ILM Dynamic Data Masking


3) In the Site Management Console navigator, select the Source_DB_Rules
ruleset.
4) Right-click SOURCE_DB_RULES and select Security Rule Set.
Figure 6: Edit a rule set

5) In the Rule Editor Navigator, right-click SOURCE_DB_Rules and select


Append Rule.
Figure 7: Add rule to a rule set

6) In the Append Rule window, Enter the following values:


a) Rule Name: Time_Frame
b) Matcher: Time of Day
c) From Time: Enter the training machine’s time
d) To Time: Enter a value greater than the From Time.

ILM Dynamic Data Masking Module 1. Lab 2 17


e) Time Zone: select the training machine’s time zone.
f) Action: Folder
Figure 8: Configure rule

7) In the Append Rule window, click OK.


8) In the Rule Editor Navigator, right-click Time_Frame and select Append
Rule.
Figure 9: Add rules within a rule

18 Module 1. Lab 2 ILM Dynamic Data Masking


9) In the Append Rule window, you define the condition based on which you
want to block the query. Since you know the table name, you specify the
matcher as the “From Clause”. Enter the following values:
a) Rule Name: Credit cards
b) Matching Method: From Clause Object
c) Object Name: credit_cards
d) Alias: %
e) Action Type: Block Statement
f) Error message: Scheduled application upgrade from 0900 to
1700 hours today. Unable to connect to CREDIT_CARDS table
Figure 10: Configure rule

10) Click OK.

ILM Dynamic Data Masking Module 1. Lab 2 19


11) In the Rule Editor window, click File ->Update Rules.
12) In the Rule Editor window, click File ->Exit.
Figure 11: Update the rules and exit the Rule Editor

Step 3. Access the database table


In this step, you test the DDM rules by accessing the table that you have
blocked access to.
1) In your Student environment, open the SQL Developer.
2) Disconnect and re-connect to the Source with DDM connection and issue
the following query:
a) select * from credit_cards
3) An error appears as configured in the DDM.
Figure 12

20 Module 1. Lab 2 ILM Dynamic Data Masking


Module 1 Lab 3: Protect CUSTOMER and
CUSTOMER_SERVICE tables
Scenario:
 You want to mask customer sensitive information like phone numbers, SSN, and
customer IDs.
 Intercept a database request specific to CUSTOMER and
CUSTOMER_SERVICE tables and return a masked value for the PHONE, SSN
and ID columns.

Goals:
Learn how to
 Configure statement processing Rule Set
o Learn to use the text matching method
o Learn to use the mask action type
 Display subset of CSR_ID, SSN, and phone columns.

Duration:
15 minutes

ILM Dynamic Data Masking Module 1. Lab 3 21


Instructions
Step 1. Configure Rule within a Rule Set
Create a rule in the rule set to identify CUSTOMER and
CUSTOMER_SERVICE tables and return a protected output for SSN,
PHONE and ID columns.
1) In the Site Management Console navigator, right-click
SOURCE_DB_RULES rule set and select Security Rule Set.
Figure 1: Edit rule set

2) In the Rule Editor window, right-click Source_DB_Rules and select


Append Rule.
Figure 2: Add rule to the rule set

22 Module 1. Lab 3 ILM Dynamic Data Masking


3) In the Append Rule window, enter the following:
a) Rule Name: Customer_Tables
b) Description: Rule to protect PHONE, SSN, and all ID columns
for CUSTOMER and CUSTOMER_SERVICE tables
c) Matching Method: Text
d) Text: %customer%
e) Identification method: Wildcard
f) Action Type: Mask
Figure 3: Configure the rule

ILM Dynamic Data Masking Module 1. Lab 3 23


4) In the Action section, click the plus symbol (+) under the Colum Name to
specify the SSN, PHONE, and ID columns that you want to protect.

Note: By default the Table Name and Column Names are set to .* (dot
star) and the Masking Function is set to substr(\(col)1,2). This means
that all columns in the table will be masked using the substr function
there by resulting only a part of the actual data.
5) To mask the PHONE column, specify the TABLE Name as customer.*
(dot star) and the Column Name as .*PHONE (dot star PHONE)
6) To mask the SSN column, specify the Table Name as customer.* (dot
star) and the Column Name as .*SSN (dot star SSN).
7) To mask the ID column, specify the TABLE Name as customer.* (dot
star) and the Column Name as .*ID (dot star ID)
Figure 4: Specify the columns and the SQL function

Note: For the Masking action, the SQL substr function is completed
automatically. You may use any sql function as a masking function. For this
exercise, use the default substr function.

24 Module 1. Lab 3 ILM Dynamic Data Masking


8) Click OK.
9) In the Rule Editor toolbar, click File -> Update Rules.
Figure 5: Update the rule

10) Click File -> Exit.

Step 2. Access the database table


In this step, you test the DDM rules by accessing the CUSTOMER and
CUSTOMER_SERVICE tables.
1) In your Student environment, open the SQL Developer.
2) Connect to the Source with DDM connection and issue the following
query:
a) select * from customer
3) For the columns specified in the rule, a subset of the actual data is listed.
Figure 6: Test the rule

ILM Dynamic Data Masking Module 1. Lab 3 25


26 Module 1. Lab 3 ILM Dynamic Data Masking
Module 1 Lab 4: Disable, Export, and Delete Rules
Scenario:
 You disable, export, and delete rules that are no longer needed.

Goals:
Learn how to
 Disable rules within a rule set
 Export rules to XML files
 Delete rules from DDM

Duration:
5 minutes

ILM Dynamic Data Masking Module 1. Lab 4 27


Instructions
Step 1. Disable rules in a Rule Set
Disable rules that you do not need for the rest of the exercises.

1) In the Site Management Console Navigator, right-click


SOURCE_DB_RULES and select Security Rule Set.
Figure 1: Editing a rule set

2) Under the SOURCE_DB_RULES, right-click Time_Frame and select


Disable.
Figure 2: Disabling rules within a rule set

Note: You can also select the rule and click Disable from the Rule Editor’s toolbar

28 Module 1. Lab 4 ILM Dynamic Data Masking


Step 2. Export Rules
To have a backup of the rules you export switching rules and rule sets in XML
format. You can restore the rules by importing them when required.
1) The Rule Editor Navigator, right-click SOURCE_DB_RULES rule set and
select Export.
Figure 3: Export rule

ILM Dynamic Data Masking Module 1. Lab 4 29


2) In the Export dialog box, the file name is completed automatically. Click
Export.
Figure 4: Exporting the rule as an XML file

Step 3. Delete Rules


1) In the Rule Editor Navigator, right-click Time_Frame and select Delete.
2) Right-click Customer_Tables rule and select Delete. Once you delete the
rules, they disappear from the Rule Editor.
3) In the Site Management Console toolbar, click File -> Update Rules.
4) In the Site Management Console toolbar, click File -> Exit.

30 Module 1. Lab 4 ILM Dynamic Data Masking


Module 1 Lab 5: Replace an Incoming SQL Query
Scenario:
 Intercept an incoming database request and replace it with a custom database
request.

Goals:
Learn how to
 Intercept an incoming database request
 Replace an incoming database request

Duration:
10 minutes

Prerequisites
 Deleted Time_Frame, Credit_Cards, and Customer_Tables rules.

ILM Dynamic Data Masking Module 1. Lab 5 31


Instructions
Step 1. Rewrite an incoming SQL Query
For this exercise, you identify the database query that requests data from the
CUSTOMRE table and display all columns of the CUSTOMER table.
Note: You can intercept a database request based on the database table
name, syntax of the database request, or the exact query.

1) In the Rule Editor toolbar, click Action > Append Rule.


2) In the Insert Rule window, enter the following values:
a) Rule Name: Customer_List
b) Description: Intercept Queries
c) Matching method: Text
d) Text: %customre%
e) Identification Method: Wildcard
f) Action Type: Rewrite
g) Alternate Statement: select * from customer
Note: In the Alternate Statement section, you do not need to add a
semicolon (;) symbol to terminate the query.
Figure 1: Configure the rule

32 Module 1. Lab 5 ILM Dynamic Data Masking


3) In the Append Rule window, click OK.
4) In the Rule Editor Toolbar, select File > Update rules.
Figure 2: Update the rule

5) In the Rule Editor Toolbar, select File > Exit.

Step 2. Access the database table


In this step, you test the DDM rule by accessing the CUSTOMRE table
1) In your Student environment, open the SQL Developer.
2) Connect to the Source with DDM connection and issue the following
query:
select * from customre
3) According to the rule, the query is replaced and a different result
appears.
Figure 3: Test the rule

ILM Dynamic Data Masking Module 1. Lab 5 33


34 Module 1. Lab 5 ILM Dynamic Data Masking
Module 1 Lab 6: Edit an Incoming SQL Query
Scenario:
 Your employer has renamed a customer classification from Level_1 to Premium.
The values are updated the respective database tables, the application however
still requests for Level_1 customers. Your manager has asked to see if you can
intercept queries which request for Level_1 customers. Search for Level 1 and
replace Level 1 with Premium.
 Search and replace parts of an intercepted database request.

Goals:
Learn how to
 Create a rule to search and replace parts of an intercepted database request.

Duration:
10 minutes

Prerequisite
 Disable or delete all prior rules in the rule set.

ILM Dynamic Data Masking Module 1. Lab 6 35


Instructions
Step 1. Rewrite an incoming SQL Query
In this step, you create a rule to search and replace parts of an intercepted
database request.
1) In the Site Management Console Navigator, right-click
SOURCE_DB_RULES and select Security Rule Set.
Figure 1: Edit the rule set

2) In the Rule Editor Navigator, right-click SOURCE_DB_RULES and select


Append Rule.
Figure 2: Appending rule to a rule set

36 Module 1. Lab 6 ILM Dynamic Data Masking


3) In the Append Rule window, enter the following:
a) Rule Name: Scramble
b) Matching method: Text
c) Text: select * from customer where c_type=’Level_1’
d) Identification method: String
e) Action Type: Search & Replace
f) Search text: Level_1
g) Replacement string: Premium
Figure 3: Configure the rule

4) In the Append Rule window, click OK.


5) In the Rule Editor Navigator, click File > Update Rule.
6) In the Rule Editor Navigator, click File > Exit.

ILM Dynamic Data Masking Module 1. Lab 6 37


Step 2. Access the database table
In this step, you test the DDM rules by requesting all records form the
CUSTOMER table where C_TYPE is Level_1.
1) In your Student environment, open the SQL Developer.
2) Connect to the Source with DDM connection and enter the following
query:
a) select * from customer where C_GENDER=’Level_1’
3) According to the rule, the query is replaced and a different result
appears.
Figure 4: Test the rule

38 Module 1. Lab 6 ILM Dynamic Data Masking


Module 1 Lab 7: Intercepting an Incoming SQL Query from
a JAR
Scenario:
 The sample JAR file on your Student environment allows only the scott database
user to perform DB actions and lists the tables for all other database users.

Goals:
Learn how to
 Import Rules.
 Use a JAR file with masking logic in DDM.

Duration:
10 minutes

ILM Dynamic Data Masking Module 1. Lab 7 39


Instructions
Step 1. Edit the Switching Rule
1) In the Site Management Console Navigator, right-click DDM for Oracle
and select Connection Rules.
Figure 1

2) In the Rule Editor, right-click Source_DB and select Edit.


Figure 2

40 Module 1. Lab 7 ILM Dynamic Data Masking


3) Change the Identify Incoming Connections to All Incoming
Connections.
Figure 3

4) Click OK.
5) In the Rule Editor, click File -> Update Rules.
6) In the rule Editor, click File -> Exit.

Step 2. Import a Switching Rule


Import a rule into a rule set. You can import a rule into the DDM rather than
creating it again.
1) In the Site Management Console Navigator, right-click
SOURCE_DB_RULES and select Security Rule Set.

ILM Dynamic Data Masking Module 1. Lab 7 41


Figure 4: Edit the rule set

2) The Rule Editor window appears. In the Rule Editor Navigator, right-click
Source_DB_Rules and select Import.
Figure 5: Import the rule

42 Module 1. Lab 7 ILM Dynamic Data Masking


3) In the Import window, navigate to c:\ilmcmd_folder\ddm and select
java_custom_rule.xml.
Figure 6: Select the Java.xml file

4) A new rule named java appears in the list. The Java rule allows the user
scott to access the database and displays a list of tables for the rest of
the users. The logic is defined inside a JAR file which the java rule uses
Figure 7: Imported rule appears in the rule set

Note: Every time you import a rule, the older rules are deleted. The rule from
the previous exercise is deleted once you import the java rule.

ILM Dynamic Data Masking Module 1. Lab 7 43


5) In the Rule Editor Navigator, select File > Update rule
6) In the Rule Editor Navigator, select File >Exit.
Step 3. Access the database table
In this step, you test the DDM Java rule by accessing the scott and source
databases.
1) In your Student environment, open the SQL Developer.
2) Connect to the Source with DDM connection and enter the following
query:
select * from customer
3) According to the rule, the query is replaced and a different result
appears.
Figure 8: Test the rule

4) In the SQL Developer, right-click scott connection and select Connect.


Figure 9

44 Module 1. Lab 7 ILM Dynamic Data Masking


5) Enter the following query:
select * from emp
Figure 10

ILM Dynamic Data Masking Module 1. Lab 7 45


46 Module 1. Lab 7 ILM Dynamic Data Masking
Informatica Dynamic Data Masking Workshop
Timing: 60 minutes (1 Hr.)

Scenario:

You want to dynamically mask the credit card number within the
CREDIT_CARDS table of the SOURCE schema.

Rather than using an existing listener port, you configure a new listener port and
define the protected database within Dynamic Data Masking.

The following workshop is based on all that you have learned in this course. If
you have any difficulty in completing the steps in this workshop, refer back to
your labs as a reference.

Configure a
listener port Add a new listener port
Define Protected
Database Define a protected database
Create Switching Configure a switching rule to capture incoming
Rule database requests

Create RuleSet Configure a masking rule to replace original column


value
Configure
Database Client Configure SQL Developer and test the results

ILM Dynamic Data Masking Workshop 47


1. Create a new listener port. Use port number 1600 to create a new listener
port.

1) In Site Management Console Navigator, right-click DDM for Oracle and


select Edit.

Figure 1

2) In the Edit window, click Add Port. Enter 1600 and click OK.

Figure 2

48 Workshop ILM Dynamic Data Masking


2. Configure a protected database within the DDM interface.
1) In the Site Management Console Navigator, right-click Site and select Add
Database.

Figure 3

2) In the Create Database window, click the plus sign (+) and enter the
following:
a) Database Name: Source_Schema
b) Instance Name: infaorcl
c) Listener Address: 10.10.10.10
d) Listener Port: 1521
e) Service Name: infaorcl
f) DBA Username: SYSTEM
g) DBA Password: admin

Figure 4

ILM Dynamic Data Masking Workshop 49


3) Click Test Connection.
4) In the Validate node message, click OK.

3. Create a switching rule to capture all incoming requests specific to the


CREDIT_CARDS table.

1) In the Site Management Console Navigator, right-click DDM for Oracle


and select Connection Rules.

Figure 5

2) In the Rule Editor Navigator, right-click DDM for Oracle and select
Append rule.

Figure 6

50 Workshop ILM Dynamic Data Masking


3) In the Append Rule window, enter the following values:
a) Rule Name: C_Rule_to_RS
b) Identify Incoming connections using: Current target Database
c) Database: Source_Schema
d) Action: Use Rule Set
e) Rule Set Name: CreditCards

Figure 7

4) In the Append Rule window, click OK.


5) In the Rule Editor Toolbar, click Update Rules.
6) In the Rule Editor Toolbar, click Exit.

ILM Dynamic Data Masking Workshop 51


4. Create a Statement Processing Rule Set to mask the credit cards column.

1) In the Site Management Console Navigator, right-click DDM_Server and


select Add Rule Set.

Figure 8

2) In the Add Rule Set box, enter the Rule Set name as CreditCards.

Figure 9

52 Workshop ILM Dynamic Data Masking


3) The Rule Set appears in the Site Management Console Navigator, right-
click CreditCards rule set and select Security Rule Set.

Figure 10

4) In the Rule Editor Navigator, right-click CreditCards and select Append


Rule.

Figure 11

ILM Dynamic Data Masking Workshop 53


5) In the Append Rule window, enter the following:
a) Rule Name: Mask_CC
b) Matching Method: From Clause Object
c) Object Name: credit_cards
d) Alias: %

Figure 12

6) In the Append Rule window, click the plus sign (+) and enter the following:
a) Action: Mask
b) Table Name: .* (Dot Star)
c) Column Name: .*CARD.*
d) Masking Function:
TRUNC(DBMS_RANDOM.VALUE(5555555555555555,
9999999999999999))

Note: The TRUNC SQL function determines the random value range
that will be used to mask the credit card numbers.

Figure 13

7) In the Append Rule window, click OK.

54 Workshop ILM Dynamic Data Masking


8) In the Rule Editor Toolbar, click Update.
9) In the Rule Editor Toolbar, click Exit.

5. Configure a new database connection in SQL Developer using the DDM


listener port.

1) In your VMware environment desktop, open the SQL Developer.


2) In the Connections tab, click plus sign (+)

Figure 14

3) In the New / Select Database Connection window, enter the following:


a) Connection Name: DDM_connection
b) User Name: source
c) Password: infa
d) Hostname: 10.10.10.10
e) Port: 1600
f) SID: infaorcl

ILM Dynamic Data Masking Workshop 55


4) Click Test. A success message appears on the left hand side of the window.
5) Click Connect.

Figure 15

6) In the SQL Developer, expand the Source connection.

Figure 16

7) Expand the Tables (Filtered) and select the CREDIT_CARDS table and
then select the Data tab. The original values of the
CREDIT_CARD_NUMBER column appear. You compare the original
values with the masked values in the next step.

56 Workshop ILM Dynamic Data Masking


Figure 17

8) Open another instance of SQL Developer and navigate to the


DDM_Connection and expand to the CREDIT_CARDS table to view the
masked values of the CREDIT_CARD_NUMBER column.

Figure 18

6. This completes the workshop.

ILM Dynamic Data Masking Workshop 57

You might also like