How to Create a New Masking Rule

The types of Masking rules are summarized below. Please click on the link to read a detailed discussion of each rule type.

Masking Rules

Substitution Rules

Substitutes the data in the column of a table. As substitution data this type of rule can use any of the supplied datasets or User Defined DataSets appropriate to the column type. This type of rule can also substitute based on a user supplied WHERE condition.

Shuffle Rules

Shuffles the data in the column of a table (like a deck of cards) and leaves the other columns untouched. This type of rule can also shuffle based on a user supplied WHERE condition.

Command Rules

This type of rule is used to run user defined SQL or PL/SQL statements within the target database.

Synchronization Rules

Synchronization rules ensure that scrambled data correlates (or synchronizes) with other data. Synchronization rules are necessary because it is very rare for database information to be stored in a fully normalized way. Usually, there is a requirement for data masked in one area to be masked in an identical way in another area. For example, an employee name may be held in several tables. It is desirable (usually essential) that if the name is masked in one column then the other tables in which the information is held are also updated with an identical value. There are three basic types of synchronization and a specialized rule type to support each one.

Row-Internal Synchronization Rules

A Row-Internal Synchronization Rule updates a field in a row with a combination of values from the same row.

Table-Internal Synchronization Rules

A Table-Internal Synchronization Rule updates columns in groups of rows within a table to contain identical values.

Table-To-Table Synchronization Rules

A Table-To-Table Synchronization Rule uses a join condition to update columns in another table to contain identical values.

Specialized Rules

Rule Controller

A Rule Controller contains login information. Rule Controllers tell their dependent masking rules which database and schema they should connect to in order to perform their actions. All other types of masking rule must have a parent Rule Controller and every masking set must contain at least one Rule Controller.

Insertion Rules

Inserts new rows into table columns. This type of rule can use as insertion data any of the available datasets appropriate to the column type.

Foreign Key Enable Rules

Enables foreign keys in the target database. Each foreign key can be individually marked for enable. Usually used after a Foreign Key Disable Rule has run.

Foreign Key Disable Rules

Disables foreign keys in the target database. Usually followed by a Foreign Key Enable Rule after the other masking rules have run.

Trigger Enable Rules

Enables triggers in the target database. Each trigger can be individually marked for enable. Usually used after a Trigger Disable Rule has run.

Trigger Disable Rules

Disables triggers in the target database. Usually followed by a Trigger Enable Rule after the other masking rules have run.

The Masking Process

Once added to the masking set the rule is ready to modify the data in the target schema. However, no changes to the table contents will take place until the rules are executed by the Data Masker software. To run a masking set and execute the rules within it click on the Run Masking Set button on the right hand side of the main Data Masker display.

The Data Masker software can execute multiple rules simultaneously. Some rules will require other rules to complete before it is appropriate for them to begin. Read the Rule Blocks and Dependencies help page and view the Using Rule Blocks and Dependencies tutorial ([local] [internet]) to understand how to explicitly control the execution order of the masking rules.

The progress of the masking set run and information about each rules state can be viewed on the Rule Statistics and Run Statistics tabs.

Operationally, rule execution is quite straight forward. The effect is exactly what the rule and its options state. For example, a Substitution rule using the Random Last Names dataset applied to the EMPLOYEE table on the EMPLOYEE_LASTNAME column would generate and substitute random last names in place of the existing last names. The substitution would continue until all rows in the table (or a subset if a WHERE clause option was specified) were updated with the new data. Commits happen at user configurable intervals (every 5000 rows is the default).

Important Note: Once a rule has been run it is not possible to recover the previous data by running another rule. For example, once a Substitution rule has been run, the data will be thoroughly masked and there is no way of "un-substituting" it. To retrieve the original data the usual database restore procedures would have to be implemented.