Creating a Data Masking Rule

Create data masking rules in Cloud Guard to hide or redact categories of sensitive information from users who don't have a specific need to view it.

Prerequisite: Create IAM groups that clearly group users in a way that maps to the categories of sensitive information that they are authorized to view. See About Data Masking.

    1. Open the navigation menu and select Identity & Security. Under Cloud Guard, select Configuration.
    2. On the Configuration page, select Data masking.
    3. Select Create masking rule.
    4. In the Create masking rule panel, in the Masking rule box, enter a name for this masking rule.
      Avoid entering confidential information.
    5. From the Create in compartment list, select the compartment to which the rule applies.
    6. From the Group membership list, select the group to which you want this rule to apply.
    7. For Targets, select one of the following options:
      • Select All to have the rule apply to all targets defined in Cloud Guard.

        Configuring the rule to apply to all target instances makes it a global-level rule.

      • Select Instance to have the rule apply to only a specific target instance, and then select the instance from the Target instances list.

        Configuring the rule to apply only to specific target instances makes it a target-level rule.

    8. Under Redacted categories, select the categories of sensitive information to be redacted for the group that you specified in Group membership:
      Note: Some options are unavailable.
      • Actor: Name or ID of an individual.
      • Personal identifying information (PII): Any information that could identify an individual, such as a social security number or national health ID, email address, and so on.
      • Protected health information (PHI): Any information about an individual's health.
      • Financial: All information involving monetary values, such as salary or tax figures.
      • Location: Geographic information, such as city or country, including IP addresses.
      • Custom: Another type of sensitive information that you define.
    9. Leave Enable rule selected, or clear the checkbox to disable the rule.
    10. To specify tags for the rule, select Show advanced options and enter the following values:
      1. Select a Tag namespace to add a defined tag, or select None to add a free-form tag.
      2. Select or enter a Tag key and a Tag value.
      3. Add more tags or delete them as needed.
    11. Select Create.
  • For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

    Use the oci cloud-guard data-mask-rule create command and required parameters to create a data masking rule:

    oci cloud-guard data-mask-rule create --compartment-id <compartment_ocid> --data-mask-categories <data_mask_categories> --display-name <display_name_text> --iam-group-id <iam_group_id> --target-selected <valid_json> [OPTIONS]
  • Run the CreateDataMaskRule operation to create a data masking rule.
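
An added example (not part of the original documentation) showing how the placeholders in the CLI command above might be filled in for a global-level or a target-level rule; it builds the command line and prints it without running it. The category enum spellings and the `kind`/`values` shape of the `--target-selected` JSON are assumptions to check against the Command Line Reference, the helper function names are hypothetical, and the OCIDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: builds, but does not run, a data-mask-rule create command.
# Assumptions: category enum spellings and the kind/values target JSON shape.
VALID_CATEGORIES="ACTOR PII PHI FINANCIAL LOCATION CUSTOM"

# categories_json "PII,PHI" prints ["PII","PHI"]; fails on unknown names.
categories_json() {
  case $1 in ''|*[!A-Z,]*) echo "bad category list: $1" >&2; return 1 ;; esac
  out=""; old_ifs=$IFS; IFS=,
  for c in $1; do
    IFS=$old_ifs
    case " $VALID_CATEGORIES " in
      *" $c "*) out="${out:+$out,}\"$c\"" ;;
      *) echo "unknown category: $c" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  printf '[%s]' "$out"
}

# target_json all           -> global-level rule (every Cloud Guard target)
# target_json <target_ocid> -> target-level rule (one target instance)
target_json() {
  case $1 in
    all)     printf '{"kind":"ALL"}' ;;
    ocid1.*) printf '{"kind":"TARGETIDS","values":["%s"]}' "$1" ;;
    *) echo "target must be 'all' or a target OCID" >&2; return 1 ;;
  esac
}

# mask_rule_cmd <compartment_ocid> <iam_group_ocid> <name> <target> <categories>
mask_rule_cmd() {
  # A single quote in the name would break the quoting of the printed command.
  case $3 in *\'*) echo "display name must not contain a quote" >&2; return 1 ;; esac
  cats=$(categories_json "$5") || return 1
  tgt=$(target_json "$4") || return 1
  printf "oci cloud-guard data-mask-rule create --compartment-id '%s' --iam-group-id '%s' --display-name '%s' --data-mask-categories '%s' --target-selected '%s'\n" \
    "$1" "$2" "$3" "$cats" "$tgt"
}

# Constructed placeholder OCIDs; replace with real values before use.
mask_rule_cmd "ocid1.compartment.oc1..exampleuniqueID" \
  "ocid1.group.oc1..exampleuniqueID" "mask-phi-for-support" all "PII,PHI"
```

Review the printed command before running it; passing a target OCID instead of `all` yields a target-level rule.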