Best practices for defining masking roles
Introduction
The Delphix Masking Engine contains a role definition capability that enables admins to easily create roles for users. This section describes the typical roles and privileges that can be granted to users. It is recommended that the masking administrator implementing these roles consult IT Security and follow existing policies for data access. Roles are added by clicking the appropriate checkboxes within the add role function in the Settings tab. A sample RACI document and examples of roles / privileges are located below.
Roles for operating the Delphix Masking Engine are shared primarily between the masking administration team and the teams that support the applications that will be on-boarded to the Masking Engine. The admin will manage central functions of the engine including definition of custom domains, profiler expressions, algorithms, role and user definitions. The masking Engine is flexible enough to enable application teams with these functions as well, but it is recommended that these shared functions be managed by the admin team. The admin team should have an account registered with Delphix Support and be the main interface for issues and maintenance support from Delphix.
Masking processes can be developed for each application by the central admin team or the individual application teams, often determined by the volume of applications to be on-boarded. The RBAC model employed by Delphix Masking can support different implementation models. Your Delphix support team can assist in constructing roles to meet your needs.
Once roles are defined, they can be assigned to individual user IDs for the environments that those users have responsibility. Administrators will have access to all masking settings and environments by default.
Administrator access provides unlimited access to all functions and environments; this role should be granted to the central administration team.
All privileges is a default role (predefined) which will provide all functions for each environment a user is given access to.
Connector access should be controlled and administered by personnel responsible for database access.
Sample RACI
Teams: IT Security DM = Data masking admin team Application = App owner/SME DBA = Database admin QA = QA/Test environment owner PM = project management
Role | Description | Accountable | Responsible | Consulted | Informed |
|---|---|---|---|---|---|
Security Policy | Determine data types that are sensitive for the enterprise. | IT Security | IT Security | DM, Application | DBA, QA |
Program Management | Maintain program plan and implementation schedule, tracking and reporting. | PM | DM, Application | QA, IT Security | DBA |
Inventory Management | Apply security policy to application schemas/ files. | Application | DM, Application | DBA, QA | IT Security |
Data Masking | Build, maintain, schedule masking processes. | Application | DM, DBA | QA | IT Security |
Masked Data Validation | Review and approve inventories and masked data. | Application | Application, DBA, QA | DM | IT Security |
Masked Data Deployment | Deploy masked data to required environments. | Application | Application, DBA, QA | DM, QA | IT Security |
Environment Audit | Assure applications are compliant with masking. | IT Security | IT Security | DM, DBQ, QA | Application |
Masking Administration | Manage masking tool central functions, create domains, profiler expressions, roles, users. | DM | DM | Application, IT Security, DBA | QA |
Sample roles for Masking
Role | Description | *Delphix Masking Functions |
|---|---|---|
Administrator | Manages masking server updates and upgrades; works with IT Security to update domains, algorithms and profiler expressions / sets. | Unrestricted access to all the engine functions. The Admin role is assigned via the checkbox in the add user page of the UI. |
IT Security Analyst | Determines domains to be masked and high-level method for each domain and communicates them to administrator for inclusion in masking engine, responsible for masking audit functions. | Unrestricted access for all settings functions; access to all application functions except environment and environment create, delete, update. |
Application Roles (per environment) | ||
All Privileges | Super user for an environment. | Unrestricted access for an application environment; central admin or security analyst will determine if this role can modify settings. |
DBA | Manages user privileges, database performance and schema definition. | Manage connectors for application database, scripting and scheduling (no settings). |
SME / Analyst / Developer | Application subject matter expert, application developer, data analyst, application architecture. | Manage inventories, create, view jobs. |
Operations Roles (per environment) | ||
Operator | Schedule jobs, execute jobs, verify results, run automation scripts. | All job privileges. |
Environment Owner | Determine workflow, monitor tool usage for environment. | Approve workflow and inventories, privileges to view for settings and environment. |