Masked virtual databases (VDBs) function just like normal VDBs. The only distinction is that the data they contain has been masked by a masking job. Masked VDBs can be selectively distributed to a separate Delphix Engine (in non-prod) without sending the original data that was obfuscated during masking. This topic describes how to work with masked VDBs.
If you are configuring Delphix Masking for the first time, you must complete all of the activities below in order.
- Install the Combined OVA.
- Prepare Your Data.
- Configure, Create, and Test a Simple Masking Job.
Ways to Run a Masking Job on a VDB
You will always need to configure and test a new masking job in the Delphix Masking Engine as described in the prerequisites above. Once the masking job has been completely defined, you can run it in the following ways:
- Using the Masking API to Run a Masking Job Command
Identifying and Navigating to Masked VDBs in the Delphix Engine
Masked VDBs appear in the Datasets pane, just like regular VDBs. They are most obviously identified by the different icon used to represent them. In addition, a masked VDB's Configuration tab will contain information about the masking job that you applied to it . Generally, anything you can do with an unmasked VDB is also possible with a masked VDB.
|Masked VDB Icon on Datasets Pane||Masked VDB info in Configuration|
You cannot select and run unique masking jobs on multiple VDBs simultaneously. The user interface will allow you to assign the same masking job to multiple VDBs, but if you provision or refresh multiple VDBs using the same selected masking job and ruleset, errors may occur with the masking jobs. If you are using the same masking ruleset on multiple VDBs , be sure to create a unique job for each VDB t o avoid any issues with provisioning or refreshing .
- Provisioning masked VDBs through the Delphix Engine does not currently work with DB2. In order to mask DB2, you should use the Masking Engine interface.
- You cannot apply additional masking jobs to a masked VDB or its children.
- If a masking job has been applied to a VDB, you cannot create an unmasked snapshot of that VDB.
- Masking must take place during the process of provisioning a VDB. If an existing VDB has not had a masking job applied to it, then you cannot mask that particular VDB at any point in the future. All the data within the VDB and its parents will be accessible if it is replicated or distributed.
Workflow Overview to Provision Masked VDBs in the Delphix Admin Console
In the Admin console, associate a masking job with a dSource.
Use the dSource provision wizard to provision a VDB with a masking job.
Associate a Masking Job with the dSource
To provision a masked VDB, you must first indicate that the masking job you are using is complete and applicable to a particular database. You do this by associating the masking job with a dSource.
- In the Datasets panel on the left-hand side of the screen, click the dSource to which the masking job is applicable and with which it will be associated.
- Click the Configuration tab.
- Click the Masking tab.
- Click the pencil icon to edit. All masking jobs on this Delphix Engine that have not been associated with another dSource will be listed on the right-hand side.
- Select the job you want to associate with this dSource.
- Click on the left-facing arrow .
- Repeat for any other jobs that you want to associate with this dSource at this time.
- Click the yellow checkmark to confirm.
The Delphix Engine now considers this masking job to be applicable to this dSource and ready for use. When provisioning from snapshots of this dSource, this masking job will now be available.
Note: Masking jobs can also be associated with virtual sources in addition to dSources.
Provisioning a Masked VDB using the dSource Provisioning Wizard
The steps required to provision a masked VDB are almost identical to the steps required to provision an unmasked VDB. Once you have created a masked VDB, you cannot un-mask it, nor can you alter which masking job it uses. All snapshots in the VDB’s TimeFlow will always be masked using the masking job that you selected when you provisioned the masked VDB.
- In the Datasets panel on the left-hand side of the screen, select the dSource.
- Click the TimeFlow tab.
- Click Provision.
- Review the information for Installation Home, Database Unique Name, SID, and Database Name. Edit as necessary.
- Review the Mount Base and Environment User. Edit as necessary.
- If you want to use login credentials on the target environment that are different from the login credentials associated with the Environment User, select Specify Privileged Credentials.
- Click Next.
- If necessary, edit the Target Group for the VDB.
Select the None option for the Snapshot Policy for the VDB.
Selecting Snapshot Policy
For almost all usecases involving Masked VDBs, a Snapshot Policy of None is appropriate. Using a Snapshot Policy in conjunction with SDD can result in the leak of sensitive data.
Select the Masking Job you want to use from the available drop-down menu. Only masking jobs that have been associated with the parent dSource will be available.
Selecting Unique Masking Rulesets
If you are using the same masking ruleset on multiple VDBs, be sure to create a unique job for each VDB to avoid any issues when provisioning or refreshing.
- Click Next.
- Specify any Pre or Post Scripts that should be used during the provisioning process. If the VDB was configured before running the masking job using scripts that impact either user access or the database schema, those same scripts should also be used here.
- Click Next.
- Click Finish.
If you click Actions in the the upper right-hand corner, the Actions sidebar will appear and list an action indicating that masking is running. You can verify this and monitor progress by going to the Masking Engine page and clicking the Monitor tab.
Once you have created a masked VDB, you can provision its masked data to create additional VDBs, in the same way that you can provision normal VDBs. Since the parent masked VDB contains masked data, child VDBs will only have masked data. This is a great way to distribute multiple independent copies of masked data that is both time- and space-efficient.
Refresh a Masked VDB
You refresh a masked VDB in exactly the same way as you refresh a normal VDB. As with provisioning a masked VDB, the masking job will be run during the refresh process.
- Login to the Delphix Admin application.
- Click Manage.
- Select My Datasets.
- Select the VDB you want to refresh.
- Click the TimeFlow tab.
- Click the Refresh VDB button.
This will open the screen to re-provision the VDB.
- Select desired refresh point snapshot or slide the display LogSync timeline to pick a point-in-time to refresh from.
Click Refresh VDB.
Click Yes to confirm.
Refresh VDB confirmation
Disassociate a Masking Operation on a dSource
If a masking job is found to be unsuitable or should be retired, you can disassociate it though the same database card that you used to associate it.
- Select the job on the left- hand side to disassociate.
2. Click the right-facing arrow, as seen in the screenshot above.
Note that this will only prevent the creation of new masked VDBs with this job. It will not alter existing masked VDBs in any way. When disassociating a job, review the existing masked VDBs and consider whether you need to delete or disable any of them.
The following data operations are available to masked VDBs:
Masked VDB Data Operations
|Rewind||Alter the database to contain masked data from a previous point in time.||Procedure to Rewind an Oracle Masked VDB|
|Refresh||Get new data from the parent dSouce and mask it.||Procedure to Refresh an Oracle Masked VDB|
|Disable||Turn off the database and remove it from the host system.||Procedure to Disable an Oracle Masked VDB|
|Enable||Turn on the database and make it available on the host system.||Procedure to Enable an Oracle Masked VDB|
- Troubleshoot Provisioning Errors for Masked VDBs
- Quick Start Masking Engine Overview
- Masking Engine Activities
- Masking API Calls to Run a Masking Job
- Advanced Integrated Delphix Masking Workflow
- Masking Engine Install, System Configuration, and Network Setup
- Prepare Data for Masking
- Add an Application and Create a New Environment and Connector
- Create Data Masking Rule Sets, Algorithms, and Inventories