This step allows you to define and structure the relationships between your target database, application, and schema. This setup is essential for accurately modeling and managing the data within your application environment.

To create an Application Data Model:

1. Navigate to the Enterprise Manager Named Credentials page and create a named credential that can be used to perform DMS operations on the target database.

   For detailed information regarding the creation of a named credential, see Cloud Control Security Guide - Named Credentials

2. From the Application Data Models page, review the overview diagram for a quick glance at the steps involved in creating an ADM with sensitive data.
3. Click Create. A pop-up window requesting general properties information appears.
4. Specify a name for the ADM to be created.
5. Select the Target Type, Target Database and Database Named Credential from the drop down list.
6. Select an Application Suite:

   • If you select Custom Application Suite:

     • By default, metadata collection is enabled for creating the ADM.

   • If you select Oracle Application Suite:

     • Oracle E-Business Suite – Provide the database credentials for APPS user (or equivalent), and click Submit to create the ADM.

     • Oracle Fusion Applications – Provide database credentials for FUSION user (or equivalent), and click Submit to create the ADM.

   Please note the following points about metadata collections:

   • The metadata collection for the selected application suite populates the ADM with the applications and tables in the suite.

   • The ADM can collect metadata for one or more schemas. An ADM application typically represents a schema. Each schema you select becomes an ADM application, and the ADM becomes populated with the tables in the schema, particularly in the case of custom applications. However, please note that multiple applications can also map to a single schema, as in the case of Fusion Applications. The actual mapping depends on the application metadata discovered by the metadata collection job.

7. Select the schemas you want to include as applications in the ADM being created. The drop-down only displays a limited number of possible schemas in the chosen database. Start searching in order to find and select the schema(s) of interest

   Note:

   For accurate results, ensure that you execute dbms_stats.gather_table_stats to gather the stats of all the tables.
8. Select the following "Relationship Discovery Type":

   • Database Level (Dictionary-Based) Relationships — Use this feature to discover relationships between database table columns predefined in the data dictionary as referential integrity constraints (primary key and foreign key). For example, the ORDERS table's CUSTOMER_ID column has a foreign key constraint referring to the CUSTOMER_ID primary key in the CUSTOMERS table.

   • Application Level (Non-Dictionary) Relationships — Use this feature to discover parent-child relationships between database table columns that are not predefined in the data dictionary as referential integrity constraints (primary key and foreign key). For example, the EMPLOYEE_CONTACTS table's EMPLOYEE_ID column is related to the EMPLOYEES table's EMPLOYEE_ID column, but no foreign key constraint is defined in the database.

     Click Continue.

9. Specify the parameters for scheduling the metadata collection job. You can choose to either run the ADM creation job immediately or schedule it to start at a later time.
10. Proceed if you checked Application Level discovery in Step 8, otherwise skip to step 11.
    1. Click Next.
    2. Select a Sampling option:
       • Sampling Column Names: This option identifies application-defined parent-child relationships using column names. Column name patterns can be specified using regular expressions. For example: EMPID.* and DEPT_EMPID.*.
       • Sampling Column Data: This option identifies application-defined parent-child relationships using data or value patterns. Data patterns can be specified using regular expressions. For example a 10 digit US telephone number such as 123-456-7890 can be specified as [1-9]{3}[-][1-9]{3}[-][1-9]{4}.

         Oracle Data Masking and Subsetting will match the values in the column to identify the potential primary key and foreign key using the name and (or) data pattern specified by the user and return the results.

         The potential foreign keys are verified for containment within the potential primary key column, that is, the values of potential foreign key must already be present in the potential primary key. A containment test is done to meet 90% accuracy, that is, if the foreign key column is 90% contained in the primary key, a match is flagged. This test is done to include any orphan rows that might be present in applications such as Oracle's E-Business Suite and Oracle Fusion Applications.

11. Click Create to submit the Create Application Data Model job. The ADM you created appears in the Application Data Models page. The application data model is locked and cannot be edited when the metadata is being collected. Use the Most Recent Job Status table column to monitor the status of the metadata collection job.

You can modify an existing ADM to view or add sensitive columns, applications, objects, privileges and referential relationships:

Adding or Removing an Application From the ADM

1. Select an Application Data Model, click on the Actions button, click on Modify and click Applications.
2. The Application subpage appears displaying the applications discovered during the metadata collection process.
3. To create a new Application, click Add. The Add Application pop-up window appears.
4. Specify a name for the application, a nick name/short name, description for the application, and Database Named Credentials.
5. Type the name of the schema you want to add and click the search icon. Alternatively, click the search icon without any text to retrieve all schemas.
6. Select a schema from the list (you may need to type to filter and view all options).
7. Click Add to include the newly created application to the data model.

   The application now appears along with the defined schema.

8. To remove an application, select the application from the Applications page and click Delete.

   Similarly, you can modify the objects and table types under the Actions menu.

Viewing the Referential Relationships

To view referential relationships:

1. Select an Application Data Model, click on the Actions button, click on Modify and click Referential Relationships.
2. A dialog opens with the list of parent and dependent key relationships. The following types of referential relationships are supported:
   • Dictionary-defined

     This is the referential relationship that the metadata collection extracted, resulting from primary key and foreign key relationship. You can remove relationship from the ADM if desired.

   • Non-Dictionary Based

     This is the referential relationship that is not defined in the Oracle data dictionary, and is achieved by matching the column names and column values of potential foreign keys with column names and column values of potential primary keys along with their data types.

   • User-defined

     This is the referential relationship that is not defined in the Oracle data dictionary, and user can create manually based on their requirement.

Adding and Removing Referential Relationships

To manually add or remove a referential relationship:

1. Select an Application Data Model, click on the Actions button, click on Modify and click Referential Relationships.
2. Click on the Add button under the Parent Referential Relations section.

   The Add Referential Relationship pop-up window appears.

3. Select the requisite Database Named Credential, Parent Key and Dependent Key information.
4. The new dependent column now appears in the referential relationships list.

Automatically Discover Sensitive Data

To discover sensitive columns:

1. Select an Application Data Model, click on the Actions button, click on Modify and click Discover Sensitive Columns.
2. Click Schedule and fill in the details for Database Named Credentials, Applications, Sensitive Types and click Submit.
3. Once the job is submitted, refresh until the status changes to Succeeded.
4. Highlight the succeeded job by clicking on the row. Notice the sensitive columns appeared under Discovered columns.
5. The Sensitive Status for the columns by default is Undefined. To set the sensitive status of any column, select the row for the column in Discovered Columns table and click Mark Sensitive (or Mark Not Sensitive if it is a false positive).
6. Click Close to return to the Application Data Models page.

Manually Add Sensitive Columns

To add/remove sensitive columns:

1. Select an Application Data Model, click on the Actions button, click on Modify and click Manage Sensitive Columns.
2. A dialog appears with the list of all sensitive columns currently part of the selected ADM. Now, click Add.

   The Add Sensitive Column pop-up appears.

3. Provide the required information and an optional Sensitive Type, then click Add.

   The sensitive column now appears in the table of Sensitive Columns.

Viewing the Discovery Results

To view the discovered sensitive columns:

1. Select an Application Data Model, click on the Actions button, click on Modify and click Discover Sensitive Columns.
2. Select one of the discovery jobs to view the sensitive columns discovered by the selected job.

Associating a Database to an ADM:

1. Select an Application Data Model, click on the Actions button, click on Modify and click Associated Databases.

   This dialog lists all of the databases associated with this ADM and the schemas assigned to each application per database. You can add more databases that give you a choice of data sources during masking and subsetting operations.

2. Click Add, then select a target type and target database from the popup.

   The selected database now appears in the Database section of the Associated Databases dialog.

3. Click on Associate.
4. To change a schema, select the associated database on the left, select the application on the right for which the schema is to be changed, then click Update.
5. Select the missing schema from the list in the pop-up, then click Update.

Assigning Privileges to an Existing ADM

You can grant privileges on an Application Data Model that you create so that others can have access. To do so, you must be an Enterprise Manager Administrator with at least Designer privileges on the ADM.

To assign privileges to an existing ADM:

1. From the Application Data Models page, select the ADM to which you want to grant privileges and click on Action.
2. From the Actions menu, select Modify then Privileges then Grant, and select one of the following for Grant Privilege:

   • Operator – to grant Operator privileges on the ADM to selected roles or administrators, which means the grantees can view and copy but not edit and delete the definition.

   • Designer – to grant Designer privileges on the ADM to selected roles or administrators, which means the grantees can view, edit, and delete the definition.

3. Filter by name, if desired. Make your selections and click Grant.

   The selected names now have privileges on the ADM.

4. Use the Revoke action if you want to deny any privileges that were previously granted.

After you have created an ADM, the ADM Status column can indicate Valid, Invalid, Needs Verification, or Needs Upgrade.

• Invalid status – Verify the target database to update the referential relationships in the application data model with those found in the data dictionary, and to also determine if each item in the application data model has a corresponding object in the database.

• Needs Verification status – You have imported an Oracle supplied template and you must verify the ADM before you can use it. This is to ensure that necessary referential relationships from data dictionary are pulled into the ADM.

To verify a target database:

1. Select the ADM to be verified.

2. From the Actions menu, select ADM Verification then Verify.

3. Select the Associated Database to be verified as well as its credentials

4. Once again select the ADM, select ADM Verification, and then select Results.

5. Monitor the status of the verify job submitted earlier by periodically clicking on the Refresh button.

6. Click Verify to schedule a verification job.

7. After the job completes successfully, click the Target Database and note any issues listed.

8. Fix the object problems, rerun the Verification Job, then check that the Target Database Status is now Valid.

You can share an ADM with other Enterprise Manager environments that use a different repository by exporting it and then importing it into the new repository.

An exported ADM is by definition in the XML file format required for import. You can edit an exported ADM XML file prior to import. When exporting an ADM for subsequent import, it is best to have one that uses most or all of the features—applications, tables, table types, referential relationships, sensitive columns. This way, if you are going to edit the exported file prior to import, it is clear which XML tags are required and where they belong in the file.

• Importing an ADM

• Exporting an ADM

Importing an ADM

1. From the Application Data Models page, click on the Import option shown on top of the table.
2. In the pop-up that appears, specify a name for the ADM, the Target Database you want to assign to the ADM, and the XML file which contains the ADM to be imported
3. Click Import.

   The ADM now appears on the Application Data Models page.

Exporting an ADM as an XML File

1. From the Application Data Models page, select the ADM you want to export.
2. From the Actions menu, select Export then select Export to File.
3. In the popup, navigate the location at which the exported XML file should be saved and click Save.

Export sensitive metadata from an ADM to Transparent Sensitive Data Protection (TSDP) enabled database

1. From the Application Data Models page, select the ADM to export.
2. From the Actions menu, select Export, then select Export to TSDP Catalog.
3. The Application Data Models page displays a table of associated databases. Select a database and click the Export button.
4. In the Export pop-up that appears, provide credentials for the selected database and click Export.

   A message appears on the Application Data Models page confirming that the sensitive data was copied to the database.

For detailed information on TSDP, see Oracle Database Security Guide.

To create a new sensitive type:

1. Under Data Discovery, select Sensitive Types.

   The Sensitive Types page appears.

2. Click Create.

   The Create Sensitive Type pop-up appears.

3. Specify a required name and regular expressions for the Column Name, Column Comment, and/or Column Data search patterns.

   • The 'Or' Search Type means that any of the patterns can match for a candidate sensitive column.

   • The 'And' Search Type means that all of the patterns must match for a candidate sensitive column.

   If you do not provide expressions for any of these parameters, the sensitive data discovery job will not search for the entity.

4. Click Create.

   The sensitive column appears in the table in the Sensitive Types page.

You can also create a new sensitive type based on an existing type:

1. Under Data Discovery, select Sensitive Types.

   The Sensitive Types page appears.

2. Select either a sensitive type you have already defined, or select one from the out-of-box types that the product provides.

3. Click Create Like.

   The Create Sensitive Type pop-up appears.

4. Specify a required name and alter the existing expressions for the Column Name, Column Comment, and Column Data search patterns to suit your needs.

5. Click Create.

   The sensitive column appears in the table in the Sensitive Types page.