To use Oracle Data Masking and Subsetting in Oracle Enterprise Manager, users need specific privileges:

User Privileges

Default Access: By default, all Enterprise Manager administrators can access the Oracle Data Management and Subsetting pages, including the Application Data Models, Sensitive Types, Data Subset Definitions, Data Masking Definitions, and Data Masking Formats, because of the TDM_ACCESS privilege, which is part of the PUBLIC role. The Super Administrator can revoke this privilege to restrict access, removing these items from the Cloud Control console.

Enterprise Manager allows Super Administrators to restrict Test Data Management (TDM) object access to authorized users only, by granting Operator or Designer privileges.

Operator Privileges

Users with Designer privileges can manage, enhance, and modify Test Data Management (TDM) objects and can grant/revoke privileges to others.

Designer Privileges Summary

To assign privileges on Application Data Models, Data Masking Definitions, and Data Subsetting Definitions, follow these procedures:

• Modify an Existing ADM
• Granting Privileges on a Subset Definition

Additional Information:

The following privileges are required for a database user to perform data masking operation in a normal database where Database Vault is not enabled:

EM Privileges

• Other Resource Privileges:
  • Job System —> Create (CREATE_JOB)
  • Named Credential —> Create new Named Credential (CREATE_CREDENTIAL)

    Other Resource Privileges

    Resource Type	Privilege	Description
    Application Data Model	Use Application Data Models in EM	Ability to use Application Data Models in EM
    Data Masking Definition	Use Data Masking Definitions in EM	Ability to Use Data Masking Definitions in EM
    Data Subset Definition	Use Data Subset Definitions in EM	Ability Use Data Subset Definitions in EM
    Job System	Create	Ability to submit jobs, create library jobs, create deployment procedure instance, and create deployment procedure configuration
    Named Credential	Create new Named Credentials	Ability to create new Named Credentials

• Target Privileges:
  • Execute Command Anywhere (PERFORM_OPERATION_ANYWHERE)
  • View any Target AND Connect to any viewable target (VIEW_ANY_TARGET AND CONNECT_ANY_VIEW_TARGET) OR grant "Connect" privileges under Target Instance Privileges to specific instances

  Target Privileges

  Privilege Name	Target Types	Description
  Execute command anywhere	Host	Execute any OS command at any Agent
  View any Target	All	Ability to view all managed targets in Enterprise Manager
  Connect to any viewable target	All	Ability to connect and manage any viewable target

DB Privileges and Roles

• CREATE SESSION
• SELECT_CATALOG_ROLE
• CREATE TABLE
• CREATE PROCEDURE
• CREATE SEQUENCE
• CREATE TYPE
• CREATE TABLESPACE
• CREATE ANY DIRECTORY
• DROP ANY DIRECTORY
• UNLIMITED TABLESPACE
• DATAPUMP_EXP_FULL_DATABASE
• DATAPUMP_IMP_FULL_DATABASE
• EXECUTE ANY PROCEDURE
• ALTER SESSION
• EXECUTE ON SYS.DBMS_CRYPTO
• EXECUTE ON SYS.DBMS_RANDOM
• EXECUTE ON SYS.UTL_RECOMP
• ANALYZE ANY
• ADMINISTER SQL TUNING SET
• EXECUTE ON SYS.DBMS_AQADM
• ALTER ANY INDEX
• ALTER SYSTEM
• SELECT ANY TABLE
• CONNECT
• DBA
• RESOURCE
• CREATE VIEW
• CREATE SYNONYM
• CREATE DATABASE LINK
• SELECT ANY DICTIONARY
• EXECUTE ANY TYPE

Ensure the database user performing the masking has object/system privileges to create, drop, alter, select, insert and compile the objects being masked (in case the objects are owned by another schema).

For Basic set privileges to perform Data masking operation in a Database Vault enabled environment, please refer the following Oracle documentation URL: Oracle Database Vault Administrator's Guide

In-Place: Masking and Subsetting:

1. Grant EXECUTE on UTL_FILE to allow the user to read and write files.
2. Authorize <user> in realm protecting object: (Needed even if object owner is performing masking/subsetting)

   Example: SQL>exec dbms_macadm.add_auth_to_realm('<Realm Name>','<user>', NULL, dbms_macutl.g_realm_auth_owner);

Export: Masking and Subsetting:

1. Grant Execute on UTL_FILE to <user> ;
2. Realm Authorization:
   1. Object owner:

      If we want to perform export masking or subsetting on TEST.EMPLOYEE and we execute the job as TEST, then we don't need to authorize TEST in any realm protecting TEST.EMPLOYEE. Without granting authorization, TEST can export its own tables.

   2. Admin User:

      i) Grant authorization to Admin user in realm protecting TEST.EMPLOYEE.

      ii) Authorize Admin user to export tables under TEST schema:

      Example: SQL>exec dbms_macadm.authorize_datapump_user('<Admin User>','TEST');

Although Oracle Data Masking and Subsetting objects such as data models, masking and subsetting definitions consume a negligible amount of storage space, depending on the amount of data being stored over a period of time, you may need to allocate additional storage space to Oracle Enterprise Manager's repository database.

This section details the storage recommendations for masking and subsetting.

• In-Database Masking:
  • 3X of additional space in the user tablespace (X being the largest table in size)
  • 2X of additional space in temporary tablespace.
• In-Export Masking:
  • 2X additional space in the user tablespace (X being the largest table in size)
  • 2X of additional space in temporary tablespace
  • Sufficient disk space to store the generated export dump file.
• In-Export Subsetting:
  • X additional space in the user tablespace (X being the largest table in size)
  • Sufficient space to store the generated dump files.
• In-Database Subsetting:
  • 2X additional space in the user tablespace (X being the largest table in size)
  • 2X additional space in temporary tablespace.