Login Substitution for the SQL Server Command-line
Published 17 January 2020
Background
This article is a part of the series on Command Line Automation. For details on the feature, please review this article first. If you'd like to see how the parameters relate to the UI, please see the Oracle version of this article.
Contents
If the controller is configured with SQL Authentication
Given the controller is configured to use ControllerLoginName, to access database ControllerDatabase on server ControllerServerNameand you wish to use another SQL Server Authentication account use the format:
<ControllerLoginName>@<ControllerServerName>[ControllerDatabase]||<SubstitutedLogin>/<SubstitutedPassword>@<SubstitutedServerName>[SubstitutedDatabase]
For example, a Rule Controller might be configured with a login of DEVUSER, a server name of DEV-DB, and a database name of CustomerInformation. In that case, a parameter file line with the option:
LOGINSUB=DEVUSER@DEV-DB[CustomerInformation]||DataMasker/SecurePassword@STAGING\SQL2019[CustomerInformationMasked]
If the command-line should connect using Windows Authentication then you would specify a placeholder username and password and append "||LOGINMODE_IS_WINAUTH" to the line:
LOGINSUB=DEVUSER@DEV-DB[CustomerInformation]||dummy-user/placeholder-password@STAGING\SQL2019[CustomerInformationMasked]||LOGINMODE_IS_WINAUTH
If the controller is configured with Windows Authentication
Ensure that the controller has a suitable Login Name to allow substitution, even though the Login Name will not be used a placeholder value is needed in this field for the substitution to work. You can add a placeholder by:
- Editing the controller
- Switching the controller to SQL Authentication
- Entering the placeholder into the Login Name field
- Switching the controller back to Windows Authentication
- Updating the controller
Given the controller is configured with a Login Name of "placeholder-login" to access database ControllerDatabase on server ControllerServerName and you wish to use another SQL Server Authentication account use the format:
placeholder-login@<ControllerServerName>[ControllerDatabase]||<SubstitutedLogin>/<SubstitutedPassword>@<SubstitutedServerName>[SubstitutedDatabase]
For example, a Rule Controller might be configured with a login of a server name of DEV-DB, and a database name of CustomerInformation. In that case, a parameter file line with the option:
LOGINSUB=placeholder-login@DEV-DB[CustomerInformation]||DataMasker/SecurePassword@STAGING\SQL2019[CustomerInformationMasked]
If the command-line should connect using Windows Authentication then you would specify a placeholder username and password and append "||LOGINMODE_IS_WINAUTH" to the line:
LOGINSUB=placeholder-login@DEV-DB[CustomerInformation]||dummy-user/placeholder-password@STAGING\SQL2019[CustomerInformationMasked]||LOGINMODE_IS_WINAUTH
How does the LOGINSUB parameter work?
As explained above the values for the login, server and database name on the controller are matched against the LOGINSUB line. If they all match, the details of the connection are replaced with the substitution values in the line.
All rule controllers that match the LOGINSUB line will be updated with these substituted values. If no controller matches the LOGINSUB line it is considered an error and the command-line will terminate.
What if I have multiple controllers targeting different databases?
You can support multiple database connections using multiple LOGINSUB lines in the PARFILE, for example:
LOGINSUB=DEVUSER@DEV-DB[CustomerInformation]||dummy-user/placeholder-password@STAGING\SQL2019[CustomerInformationMasked]||LOGINMODE_IS_WINAUTH LOGINSUB=placeholder-login@DEV-DB[DataWarehouse]||DataMasker/SecurePassword@STAGING\SQL2019[DataWarehouseMasked]
Escaping characters in the LOGINSUB parameter
The Data Masker Command Line Processor uses delimiter characters ('@', '[', ']' and '='). If the contents of a login substitution parameter require the use of any of these characters (for example a password is "myp@ss") the presence of the delimiters will disrupt the interpretation and processing of the command line.
