2 Prerequisites

This chapter helps you prepare with the prerequisites and other important things that you must consider before installing and using Oracle Data Masking and Subsetting.

Note:

You must be licensed for the Oracle Data Masking and Subsetting Pack in order to use any of its features. For licensing information, please refer to the Oracle Database Licensing Guide.

Oracle Data Masking and Subsetting Access Rights

To use Oracle Data Masking and Subsetting in Oracle Enterprise Manager, users need specific privileges:

User Privileges

Privilege Description
Application Data Model (DB_ADM_ADMIN) For managing and using the application data model feature
Data Masking Definition (DB_MASK_ADMIN) For managing and using the data masking feature.
Data Subset Definition (DB_SUBSET_ADMIN) For managing and using the data subsetting feature.

Default Access: By default, all Enterprise Manager administrators can access the Oracle Data Management and Subsetting pages, including the Application Data Models, Sensitive Types, Data Subset Definitions, Data Masking Definitions, and Data Masking Formats, because of the TDM_ACCESS privilege, which is part of the PUBLIC role. The Super Administrator can revoke this privilege to restrict access, removing these items from the Cloud Control console.

Note:

Please refer to the MOS note 3080339.1 to download the privilege script needed to grant or revoke the minimum required privileges for performing DMS operations.

Privilege Access Model

Enterprise Manager allows Super Administrators to restrict Test Data Management (TDM) object access to authorized users only, by granting Operator or Designer privileges.

Operator Privileges

Privilege View Edit Delete Additional Permissions
ADM Operator -
Data Subset Definition Operator Can create data subsets to export files, create on a database, and save the subset script
Data Masking Definition Operator Can generate data masking scripts, schedule jobs, and export definitions

Users with Designer privileges can manage, enhance, and modify Test Data Management (TDM) objects and can grant/revoke privileges to others.

Designer Privileges Summary

Privilege View Edit Delete Additional Permissions
ADM Designer/ Data Subset Definition Designer/ Data Masking Definition Designer Grant/revoke privileges to others

Access Control Procedures

To assign privileges on Application Data Models, Data Masking Definitions, and Data Subsetting Definitions, follow these procedures:

Additional Information:

The following privileges are required for a database user to perform data masking operation in a normal database where Database Vault is not enabled:

EM Privileges

  • Other Resource Privileges:
    • Job System —> Create (CREATE_JOB)
    • Named Credential —> Create new Named Credential (CREATE_CREDENTIAL)

      Other Resource Privileges

      Resource Type Privilege Description
      Application Data Model Use Application Data Models in EM Ability to use Application Data Models in EM
      Data Masking Definition Use Data Masking Definitions in EM Ability to Use Data Masking Definitions in EM
      Data Subset Definition Use Data Subset Definitions in EM Ability Use Data Subset Definitions in EM
      Job System Create Ability to submit jobs, create library jobs, create deployment procedure instance, and create deployment procedure configuration
      Named Credential Create new Named Credentials Ability to create new Named Credentials
  • Target Privileges:
    • Execute Command Anywhere (PERFORM_OPERATION_ANYWHERE)
    • View any Target AND Connect to any viewable target (VIEW_ANY_TARGET AND CONNECT_ANY_VIEW_TARGET) OR grant "Connect" privileges under Target Instance Privileges to specific instances

    Target Privileges

    Privilege Name Target Types Description
    Execute command anywhere Host Execute any OS command at any Agent
    View any Target All Ability to view all managed targets in Enterprise Manager
    Connect to any viewable target All Ability to connect and manage any viewable target

DB Privileges and Roles

  • CREATE SESSION
  • SELECT_CATALOG_ROLE
  • CREATE TABLE
  • CREATE PROCEDURE
  • CREATE SEQUENCE
  • CREATE TYPE
  • CREATE TABLESPACE
  • CREATE ANY DIRECTORY
  • DROP ANY DIRECTORY
  • UNLIMITED TABLESPACE
  • DATAPUMP_EXP_FULL_DATABASE
  • DATAPUMP_IMP_FULL_DATABASE
  • EXECUTE ANY PROCEDURE
  • ALTER SESSION
  • EXECUTE ON SYS.DBMS_CRYPTO
  • EXECUTE ON SYS.DBMS_RANDOM
  • EXECUTE ON SYS.UTL_RECOMP
  • ANALYZE ANY
  • ADMINISTER SQL TUNING SET
  • EXECUTE ON SYS.DBMS_AQADM
  • ALTER ANY INDEX
  • ALTER SYSTEM
  • SELECT ANY TABLE
  • CONNECT
  • DBA
  • RESOURCE
  • CREATE VIEW
  • CREATE SYNONYM
  • CREATE DATABASE LINK
  • SELECT ANY DICTIONARY
  • EXECUTE ANY TYPE

Note:

GRANT ANY OBJECT PRIVILEGE WITH GRANT OPTION privilege is also required for EBS and FA application suites.

Ensure the database user performing the masking has object/system privileges to create, drop, alter, select, insert and compile the objects being masked (in case the objects are owned by another schema).

For Basic set privileges to perform Data masking operation in a Database Vault enabled environment, please refer the following Oracle documentation URL: Oracle Database Vault Administrator's Guide

Application Data Model (ADM):
  1. ADD_AUTH_TO_REALM: Grants the user permission to deploy ADM packages.

    Example: If you want to grant this privilege to SCOTT user then login as user with dv_owner role and execute the following SQL command:

    SQL>exec dbms_macadm.add_auth_to_realm('Oracle Enterprise Manager','SCOTT', NULL, dbms_macutl.g_realm_auth_owner);

In-Place: Masking and Subsetting:

  1. Grant EXECUTE on UTL_FILE to allow the user to read and write files.
  2. Authorize <user> in realm protecting object: (Needed even if object owner is performing masking/subsetting)

    Example: SQL>exec dbms_macadm.add_auth_to_realm('<Realm Name>','<user>', NULL, dbms_macutl.g_realm_auth_owner);

Export: Masking and Subsetting:

  1. Grant Execute on UTL_FILE to <user> ;
  2. Realm Authorization:
    1. Object owner:

      If we want to perform export masking or subsetting on TEST.EMPLOYEE and we execute the job as TEST, then we don't need to authorize TEST in any realm protecting TEST.EMPLOYEE. Without granting authorization, TEST can export its own tables.

    2. Admin User:

      i) Grant authorization to Admin user in realm protecting TEST.EMPLOYEE.

      ii) Authorize Admin user to export tables under TEST schema:

      Example: SQL>exec dbms_macadm.authorize_datapump_user('<Admin User>','TEST');

Storage Requirements

Although Oracle Data Masking and Subsetting objects such as data models, masking and subsetting definitions consume a negligible amount of storage space, depending on the amount of data being stored over a period of time, you may need to allocate additional storage space to Oracle Enterprise Manager's repository database.

This section details the storage recommendations for masking and subsetting.

  • In-Database Masking:
    • 3X of additional space in the user tablespace (X being the largest table in size)
    • 2X of additional space in temporary tablespace.
  • In-Export Masking:
    • 2X additional space in the user tablespace (X being the largest table in size)
    • 2X of additional space in temporary tablespace
    • Sufficient disk space to store the generated export dump file.
  • In-Export Subsetting:
    • X additional space in the user tablespace (X being the largest table in size)
    • Sufficient space to store the generated dump files.
  • In-Database Subsetting:
    • 2X additional space in the user tablespace (X being the largest table in size)
    • 2X additional space in temporary tablespace.

Note:

The recommended storage requirement for integrated masking and subsetting is the sum total of the storage requirement for masking and subsetting as mentioned above.