Managing Inventories
  • 12 Apr 2023

An inventory describes all of the data present in a particular ruleset and defines the methods which will be used to secure it. Inventories typically include the table or file name, column/field name, the data classification, and the chosen algorithm.

The Inventory Screen

From anywhere within an environment, click the Inventory tab to see the Inventory Screen. This displays the inventory for the environment's rule sets.

Inventory Settings

To specify your inventory settings:

  1. On the left-hand side of the screen, select a Rule Set from the drop-down menu.
  2. Below this, Contents lists all the tables or files defined for the ruleset.
  3. Select a table or file for which you want to create or edit the inventory of sensitive data. The Columns or Fields for that specific table or file appear.
  4. If a column is a primary key (PK), foreign key (FK), or index (IDX), an icon indicating this will appear to the right of the column name. If there is a note for the column, a Note icon will appear. To read the note, click the icon.
  5. If you selected a table, metadata for the column appears: Data Type and Length (in parentheses). This information is read-only.
  6. Choose how you would like to view the inventory:
    • All Fields — Displays all columns in the table or all fields in the file (allowing you to mark new columns or fields to be masked).
    • Masked Fields — Filters the list to just those columns or fields that are already marked for masking.
    • Auto — The default value. The profiling job can determine or update the algorithm assigned to a column and whether to mask the column.
    • User — The user's choice overrides the profiling job. The user manually updates the algorithm assignment and the mask/unmask option of the column. The Profiler will ignore the column, so it will not be updated as part of the Profiling job.

Assigning Algorithms

To set criteria for sensitive columns or fields:

  1. Click the edit icon to the right of a column or field name.
  2. From the Domain drop-down list, select the appropriate sensitive data element type.
  3. The Delphix Masking Engine defaults to a Masking Algorithm as specified in the Settings screen. If necessary, you can override the default algorithm.
  4. Select an ID Method:
    • Auto — The default value. The profiling job can determine or update whether to mask a column.
    • User — The user decides whether to mask/unmask a column. The user's choice overrides the profiling job. (The user masking is done after the profiling job is finished.)
  5. You can add/remove notes in the Notes text field.
  6. When you are finished, click Save. You must click Save for any edits to take effect.

Note

If you select a DATESHIFT algorithm and you are not masking a datetime or timestamp column, you must specify a Date Format. (This field only appears if you select a DATESHIFT algorithm from the Masking Algorithm dropdown.) For a list of acceptable formats, click the Help link for Date Format. The default format is yyyy-MM-dd.

Managing a File Inventory

Defining Fields

Note

You must select a delimited or fixed-width file connector from the Select Rule Set drop-down list on the left navigation pane, not a database.

To create new fields:

  1. From an Environment's Inventory tab, click Define fields to the far right. The Edit Fields window appears.
  2. Edit the fields as described in Setting Field Criteria for a File.
  3. When you are finished, click New to create a new field, or click Save to update an existing field.

Record Types

You can use record types to perform conditional masking of file records. If a file has different sets of records spread across multiple rows, the masking engine must be able to understand all the unique records. For example, suppose the first 3 columns of each row hold the same record (first name, last name, and age), but the last column of each row holds a unique record such as an IP address, an ethernet address, etc. In that case, you must create a new record type for every unique record present in the file and assign a specific file format to all the record types. For more information on adding a record type, see Managing Record Types.

Managing a Mainframe Inventory

Redefine Conditions

For Mainframe data sets, the inventory also allows for the entry of Redefine Conditions, which are used to handle any occurrences of COBOL's REDEFINES construct that might appear in the Copybook. In COBOL, the REDEFINES keyword allows an area of a record to be interpreted in multiple different ways. In the example below, for instance, each record can hold either the details of a person (PERSON-DET) or the details of a company (COMP-DET).

[Image: example copybook using REDEFINES]

Depending on which group is present, different masking algorithms may need to be applied. Below is the inventory corresponding to this copybook, which allows algorithms to be selected separately for each group.

[Image: inventory for the example copybook]

To do any masking, however, the Masking Engine must be able to determine, for each record, which fields should be read so that the correct algorithms can be applied. To do this, it uses Redefine Conditions, which are specified in the inventory. Redefine Conditions are boolean expressions that can reference any field in the record when they are evaluated.

In the example copybook above, the field CUST-TYPE is used to indicate which group is present. If CUST-TYPE holds a 'P', a PERSON-DET group is present, and if it holds a 'C', COMP-DET is present. This can be expressed in the inventory by specifying a Redefine Condition with the value [CUST-TYPE]='P'. This expression indicates that, for each record read from the source file during the masking job, the value of the field CUST-TYPE should be read and compared against the string 'P'. If it is equal, the Masking Engine will read from the record the fields subordinate to PERSON-DET, and will apply any masking algorithms specified on those fields. Similarly, a Redefine Condition with the value [CUST-TYPE]='C' should be applied to the COMP-DET field. Exactly one of the conditions should evaluate to 'true' for each group of redefined fields. For example, a copybook might have fields A, B REDEFINES A, and C REDEFINES A. Of the Redefine Conditions attached to A, B, and C, one and only one should evaluate to true for each record.

Entering a Redefine Condition

  1. Click on the orange REDEFINED or REDEF button next to the redefined or redefining field.
  2. Enter a condition in the dialog box which appears. This is the expression, which, when it evaluates to true, causes the subordinate fields to be read and, if they have algorithms assigned, masked.
  3. Click Submit.

Format of Redefine Conditions

Redefine Conditions allow fields to be compared against either number or string literals. Square brackets enclosing a field name indicate a variable, which takes on the value of the named field:

[Field1] = 'An example String'

String literals can be enclosed in either single or double quotes. For fields that are numeric (e.g. PIC S99V9), the operators <, <=, >, and >= can be used in addition to the = operator, e.g.

[Field2] <= -10.5

Also, conditions can be joined using AND, OR, and NOT to form more complex conditions:

([Field3] > 2.5 AND [Field3] < 10) OR NOT [FIELD4] = 'Z'
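
The condition format above, together with the rule from the CUST-TYPE discussion that exactly one condition in a redefine group must be true per record, can be checked against sample records before a job runs. The following is an added example, not Delphix code and not the Masking Engine's parser; it assumes AND binds tighter than OR and that field names match exactly, and the names evaluate and ambiguous_records are hypothetical.

```python
import re
from operator import and_, eq, ge, gt, le, lt, or_
# Tokens of the format above: [Field], quoted string, number, operator, paren, keyword.
TOKEN = re.compile(r"\[[^\]]+\]|'[^']*'|\"[^\"]*\"|-?\d+(?:\.\d+)?|<=|>=|[=<>()]"
                   r"|\b(?:AND|OR|NOT)\b", re.I)
OPS = {"=": eq, "<": lt, "<=": le, ">": gt, ">=": ge}

def evaluate(cond, record):
    """Evaluate one condition against a record given as {field name: value}."""
    if TOKEN.sub("", cond).strip():
        raise ValueError(f"unrecognised text in {cond!r}")
    toks = TOKEN.findall(cond)[::-1]  # reversed, so pop() reads left to right
    def nxt():
        return toks.pop() if toks else ""
    def chain(word, operand, combine):  # left-to-right chain of AND or OR
        val = operand()
        while toks and toks[-1].upper() == word:
            toks.pop()
            val = combine(operand(), val)
        return val
    def expr():  # assumption: AND binds tighter than OR
        return chain("OR", lambda: chain("AND", unary, and_), or_)
    def unary():
        tok = nxt()
        if tok.upper() == "NOT":
            return not unary()
        if tok == "(":
            val = expr()
            if nxt() != ")":
                raise ValueError(f"missing ')' in {cond!r}")
            return val
        op, lit = nxt(), nxt()
        quoted = lit[:1] in ("'", '"')
        if tok[:1] != "[" or op not in OPS or (quoted and op != "="):
            raise ValueError(f"expected [Field] <op> <literal> in {cond!r}")
        value = record[tok[1:-1]]
        return value == lit[1:-1] if quoted else OPS[op](float(value), float(lit))
    result = expr()
    if toks:
        raise ValueError(f"trailing input in {cond!r}")
    return result

def ambiguous_records(conditions, records):
    """(index, true groups) for each record where not exactly one condition holds."""
    hits = [[g for g, c in conditions.items() if evaluate(c, r)] for r in records]
    return [(n, h) for n, h in enumerate(hits) if len(h) != 1]

# Constructed sample: the page's CUST-TYPE conditions, records typed P, C and X.
CONDITIONS = {"PERSON-DET": "[CUST-TYPE]='P'", "COMP-DET": "[CUST-TYPE]='C'"}
print(ambiguous_records(CONDITIONS, [{"CUST-TYPE": t} for t in "PCX"]))
```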

Importing and Exporting an Inventory

To export an inventory:

  1. Click the Export icon at the upper right. The Export Inventory pop-up appears with the name of the currently selected Rule Set as the Inventory Name and a corresponding .csv File Name.
  2. Click Save.

A status pop-up appears. When the export operation is complete, you can click on the Download file name to access the inventory file.

To import an inventory:

  1. In the upper right-hand corner, click the Import icon. The Import Inventory pop-up appears.
  2. Click Select to browse for the name of a comma-separated (.csv) file.
  3. Click Save.

The inventory you imported appears in the Rule Set list for this environment.

Info

  • You can only import one ruleset at a time.
  • The format of an imported .csv file must exactly match the format of the exported inventory. If you plan to import an inventory, you should export it first and then update the exported file as needed before importing it.
  • After importing the inventory to the 10.0.0.0 version Compliance engine from older versions, ruleset refresh is mandatory when the inventory has any document store type assignments or the user needs to perform document store type masking on the columns from the imported inventory.

Document Store Type Masking

This feature provides the ability to mask structured documents that are stored in database columns. This is done by marking a column as Structured and assigning a respective Document Store Type and File Format to it.

With the release of version 10.0.0.0 of the Continuous Compliance engine, the document store type masking will support automatic datatype identification. This will be done by using the JDBC SQL Type associated with columns. String and BLOB types will be supported for document store type masking.

With version 10.0.0.0 release

  • In the case of existing rulesets, a ruleset refresh is mandatory before using Document Store Type masking.
  • Masking jobs having rulesets with document store type assignments will need a mandatory ruleset refresh. Without a ruleset refresh, the job will not be allowed to run.
  • Masking jobs having rulesets without document store type assignments will not need a ruleset refresh.
  • Ruleset refresh is not required for newly created rulesets.

Note

  • The column type should be from one of the following JDBC SQL Types: CHAR, NCHAR, VARCHAR, NVARCHAR, CLOB, NCLOB, LONGVARCHAR, LONGNVARCHAR, BLOB, SQLXML
  • BLOB type will not be supported for MySQL databases.
  • SQLXML type will be only supported for Oracle databases.
  • The file format must be either XML or JSON.

Columns with a supported data type have a setting called Data Model, which can be set to either Plain or Structured values. 

As shown in the image below, columns with Plain selected as the Data Model can be masked as a single value by assigning a Domain and Algorithm.

[Image: column properties with the Plain Data Model]

When the Structured value is selected for the Data Model, a Document Store Type and File Format can be assigned as shown in the image below.

[Image: column properties with the Structured Data Model]

The image below shows the Inventory screen for a rule set with a structured column. To quickly access an assigned File Format from this screen (books.xml in this example), click on the file format's name in the File Format panel in the lower left.

[Image: Inventory screen for a rule set with a structured column]

Multi-column algorithm support

With the release of version 10.0.0.0, Multi-column algorithms will be supported for JSON and XML document store type masking with limited buffer-data size.  

Buffer size (in bytes) is calculated using the formula below:

((Max_memory_of_Job/No_of_streams_for_job)*CharStreamingBufferLimitRate)/100

  • The default values will be used when the maximum memory and number of streams for the job are not defined.
  • Buffer-data size is configurable via the application setting "CharStreamingBufferLimitRate" under Mask group settings. For adjusting "CharStreamingBufferLimitRate" refer to Masking API Client.

The fields having multi-column assignments should not exceed the buffer data size limit. If the limit is exceeded, the job will fail. Users can configure the buffer size by adjusting "CharStreamingBufferLimitRate" to avoid exceeding the limit.

JSON file format

For details on Multi-column algorithm support with the JSON file format, refer to JSON File Masking.

XML file format

In the case of XML document store type masking, Multi-column algorithm assignments to XML elements are not validated at the time of assignment, because in XML it is difficult to find out whether an element is an array or a single element until the whole data is read. Instead, the masking job will fail immediately when any invalid multi-column assignment is found while running the job. Make sure the algorithm assignment follows the rules below.

  • Multi-column algorithm for XML file masking is not supported.
  • Multi-column algorithm assignment to XML attributes is not supported.
  • Multi-column algorithm is not supported for XML elements where:
    • The element is a type of array.
    • Elements are part of different arrays.
    • Elements are on different levels having one or more elements of type array.
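
Because these assignments are only checked when the job runs, a sample document can be screened beforehand. The following added example (not part of the original page or the product) applies one reading of the element rules above to a constructed XML sample; the slash-separated path notation, the '@' marker for attributes and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample document (not the sample the page refers to).
SAMPLE = """<store>
  <name>Main St</name>
  <book><title>A</title><author>X</author><tag>t1</tag><tag>t2</tag></book>
  <book><title>B</title><author>Y</author></book>
  <cd><title>C</title></cd>
  <cd><title>D</title></cd>
</store>"""

def arrays_on_path(root, path):
    """Prefixes of `path` that repeat under a single parent in this document,
    i.e. arrays. A tag seen once here may still repeat in other rows."""
    tags = path.split("/")
    if tags[0] != root.tag:
        raise ValueError(f"{path}: does not start at <{root.tag}>")
    found, level = [], [root]
    for depth, tag in enumerate(tags[1:], start=2):
        children = [parent.findall(tag) for parent in level]
        if any(len(group) > 1 for group in children):
            found.append("/".join(tags[:depth]))
        level = [elem for group in children for elem in group]
        if not level:
            raise ValueError(f"{path}: <{tag}> not present in the sample")
    return found

def check_assignment(xml_text, paths):
    """Reasons why `paths` cannot share one multi-column algorithm (empty if none)."""
    root, problems, enclosing = ET.fromstring(xml_text), [], set()
    for path in paths:
        if "@" in path:
            problems.append(f"{path}: attributes are not supported")
            continue
        arrays = arrays_on_path(root, path)
        if path in arrays:
            problems.append(f"{path}: element is an array")
        # Arrays above the element; all assigned elements must share the same ones.
        enclosing.add(tuple(a for a in arrays if a != path))
    if len(enclosing) > 1:
        problems.append("elements belong to different arrays or array levels")
    return problems

print(check_assignment(SAMPLE, ["store/book/title", "store/book/author"]))
print(check_assignment(SAMPLE, ["store/book/title", "store/cd/title"]))
```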

Below is a sample XML file format with valid and invalid multi-column assignment examples. 


