Provisioning Masked VDBs
Delphix Masking / Delphix Masking Engine Quick Start Guide / Provisioning Masked VDBs

Masked virtual databases (VDBs) function just like normal VDBs. The only distinction is that the data they contain has been masked by a masking job. Masked VDBs can be selectively distributed to a separate Delphix Engine (in non-prod) without sending the original data that was obfuscated during masking. This topic describes how to work with masked VDBs.

Prerequisites

If you are configuring Delphix Masking for the first time, you must complete all of the activities below in order.

  1. Install the Combined OVA.
  2. Prepare Your Data.
  3. Configure, Create, and Test a Simple Masking Job.
    1. Add an Application.

    2. Create Data Masking Rule Sets.

      VDB Snapshot Required

      Take a VDB snapshot before masking data. This is required to bring the changes into Delphix if you are going to be provisioning masked VDBs.

    3. Mask Data.

      A masking job must be Multi Tenant to use it when creating a masked VDB.

Ways to Run a Masking Job on a VDB

You will always need to configure and test a new masking job in the Delphix Masking Engine as described in the prerequisites above. Once the masking job has been completely defined, you can run it in the following ways:

Identifying and Navigating to Masked VDBs in the Delphix Engine

Masked VDBs appear in the Datasets pane, just like regular VDBs. They are most obviously identified by the different icon used to represent them. In addition, a masked VDBs Configuration tab will contain information about the masking job that you applied to it. Generally, anything you can do with an unmasked VDB is also possible with a masked VDB.

Masked VDB Icon on Datasets PaneMasked VDB info in Configuration

Restrictions

  • You cannot select and run unique masking jobs on multiple VDBs simultaneously. The user interface will allow you to assign the same masking job to multiple VDBs, but if you provision or refresh multiple VDBs using the same selected masking job and ruleset, errors may occur with the masking jobs. If you are using the same masking ruleset on multiple VDBs, be sure to create a unique job for each VDB to avoid any issues with provisioning or refreshing.

  • Provisioning masked VDBs through the Delphix Engine does not currently work with DB2. In order to mask DB2, you should use the Delphix Masking Engine interface.
  • You cannot apply additional masking jobs to a masked VDB or its children.
  • If a masking job has been applied to a VDB, you cannot create an unmasked snapshot of that VDB.
  • Masking must take place during the process of provisioning a VDB. If an existing VDB has not had a masking job applied to it, then you cannot mask that particular VDB at any point in the future. All the data within the VDB and its parents will be accessible if it is replicated or distributed.

Workflow Overview to Provision Masked VDBs in the Delphix Management Application

  1. In the Management application, associate a masking job with a dSource.

  2. Use the dSource provision wizard to provision a VDB with a masking job.

Associating a Masking Job with the dSource

To provision a masked VDB, you must first indicate that the masking job you are using is complete and applicable to a particular database. You do this by associating the masking job with a dSource.

  1. In the Datasets panel on the left-hand side of the screen, click the dSource to which the masking job is applicable and with which it will be associated.
  2. Click the Configuration tab.
  3. Click the Masking tab.
  4. Click the pencil icon to edit.  All masking jobs on this Delphix Engine that have not been associated with another dSource will be listed on the right-hand side.
  5. Select the job you want to associate with this dSource.
  6. Click the green checkmark to confirm.
  7. Repeat for any other jobs that you want to associate with this dSource at this time.

The Delphix Engine now considers this masking job to be applicable to this dSource and ready for use. When provisioning from snapshots of this dSource, this masking job will now be available.

Note: Masking jobs can also be associated with virtual sources in addition to dSources.

Provisioning a Masked VDB using the dSource Provisioning Wizard

The steps required to provision a masked VDB are almost identical to the steps required to provision an unmasked VDB. Once you have created a masked VDB, you cannot un-mask it, nor can you alter which masking job it uses. All snapshots in the VDBs TimeFlow will always be masked using the masking job that you selected when you provisioned the masked VDB.

  1. In the Datasets panel on the left-hand side of the screen, select the dSource.
  2. Click the TimeFlow tab.
  3. Click Provision VDB icon.
  4. Review the information for Installation Home, Database Unique Name, SID, and Database Name. Edit as necessary.
  5. Review the Mount Base and Environment User. Edit as necessary.
    1. If you want to use login credentials on the target environment that are different from the login credentials associated with the Environment User, select Specify Privileged Credentials.
  6. Click Next.
  7. If necessary, edit the Target Group for the VDB.

  8. Select the None option for the Snapshot Policy  for the VDB .  

    Selecting Snapshot Policy

    For almost all usecases involving Masked VDBs, a Snapshot Policy of None is appropriate. Using a Snapshot Policy in conjunction with SDD can result in the leak of sensitive data.

  9. Select the Masking Job you want to use from the available drop-down menu. Only masking jobs that have been associated with the parent dSource will be available.

    Selecting Unique Masking Rule Sets

    If you are using the same masking ruleset on multiple VDBs, be sure to create a unique job for each VDB to avoid any issues when provisioning or refreshing.

  10. Click Next.
  11. Specify any Pre or Post Scripts that should be used during the provisioning process. If the VDB was configured before running the masking job using scripts that impact either user access or the database schema, those same scripts should also be used here.
  12. Click Next.
  13. Click Submit.

If you click Actions in the the upper right-hand corner, the Actions sidebar will appear and list an action indicating that masking is running. You can verify this and monitor progress by going to the Masking Engine page and clicking the Monitor tab.

Once you have created a masked VDB, you can provision its masked data to create additional VDBs, in the same way that you can provision normal VDBs. Since the parent masked VDB contains masked data, child VDBs will only have masked data. This is a great way to distribute multiple independent copies of masked data that is both time- and space-efficient.

Refresh a Masked VDB

You refresh a masked VDB in exactly the same way as you refresh a normal VDB. As with provisioning a masked VDB, the masking job will be run during the refresh process.

  1. Login to the Delphix Management application.
  2. Click Manage.
  3. Select Datasets.
  4. Select the VDB you want to refresh.
  5. Click the Refresh VDB button.
  6. Select More Accurate and Next.
  7. Select desired refresh point snapshot or slide the display LogSync timeline to pick a point-in-time to refresh from.

  8. Click Next

  9. Click Submit to confirm.

Disassociating a Masking Operation on a dSource

If a masking job is found to be unsuitable or should be retired, you can disassociate it though the same database card that you used to associate it.

  1. Deselect the job.
  2. Click green arrow to confirm.

Note that this will only prevent the creation of new masked VDBs with this job. It will not alter existing masked VDBs in any way. When disassociating a job, review the existing masked VDBs and consider whether you need to delete or disable any of them.

The following data operations are available to masked VDBs:

Masked VDB Data Operations

RewindAlter the database to contain masked data from a previous point in time.  Procedure to Rewind an Oracle Masked VDB  
RefreshGet new data from the parent dSouce and mask it.  Procedure to Refresh an Oracle Masked VDB
DisableTurn off the database and remove it from the host system.Procedure to Disable an Oracle Masked VDB
EnableTurn on the database and make it available on the host system.  Procedure to Enable an Oracle Masked VDB

Next Steps 

Related Links