About Masking Plans
Published 06 January 2020
During the process of building a set of masking rules, it is often useful to compare the current masking state (rules applied or no rules applied) to a desired state. In other words, it is useful to be able to have a method of determining which tables and columns that should be masked in the target database do not yet have rules.
The Data Masker software displays the schema table and column information in a panel on the Tables in Set tab. Three columns, entitled Matches Plan, Masking Plan and Masking Plan Comments are available on the table display panel - these can greatly assist with decision making when building new masking rules.
Important Note: It is often assumed that the Data Masker software will automatically configure the values in the Masking Plan column to appropriate settings. It cannot do this - yes, there are rule discovery tools in the Data Masker software. However there is no tool which can magically decide a column should or should not be masked and then choose the type of rule and a suitable dataset for it. Completely automatic rule generation is simply not possible because of the many purposes for which databases can be masked. Two different sets of masking rules could use entirely different masking operations - and dataset values. Ultimately a suitably trained person will have to make decisions about which columns to mask. The Masking Plan column is available to be set by the user during the planning stages of the masking set build to record and annotate their decisions according to the masking operations they think appropriate to their purposes.
Important Note: A value of "Yes" in the Matches Plan column does not absolutely guarantee that the column values will be appropriately masked. It is possible that there could be a Where clause placed on the rule which skips some values and it is also possible that the dataset is inappropriate. A "Yes" in the Matches Plan column is simply a quick check which ensures that a masking rule (of some sort) has been applied to that column. It is still very much the responsibility of the implementer of the masking rules to ensure that the rules are configured to perform the required actions.
The Data Masker Table Panel Showing the Plan Columns
Using the Plan Columns
The image above shows a screen shot of the Data Masker Tables in Set tab while an masking set is still under development. The developers of the rules have set the Masking Plan column for many of the columns in the DM_CUSTOMER table to the desired masking state: Must Mask, No Mask, or Check. Some of the column are still at the default state of Unknown. Note that the Masking Plan state cannot be set on a table. Masking Plan states are only set on the columns. The Data Masker software has automatically compared the rules on DM_CUSTOMER table and has set the Matches Plan value to Yes or No depending on whether that column has at least one masking rule applied to it. Also set is the Matches Plan value for the table. A Matches Plan value for a table is derived from the Matches Plan state of its columns (it cannot be set directly). If the column Matches Plan state for all columns in the table have a value of Yes then the table will be considered to match the plan. If even one column of a table has a Matches Plan state of No then the table will be marked as not matching the plan. The table Matches Plan state is a simple method of determining if any of the table columns do not match the plan.
The Data Masker Table Panel Sorted on the Matches Plan Column
Clicking with the mouse in the column header will sort on the Matches Plan column. This makes it easy to identify which tables are still unsatisfied according to the current plan requirements. A sort on the Matches Plan column is especially useful in larger schemas which may have hundreds or thousands of tables. Clearly, from the above display it can be seen that new rules which mask columns in the DM_CUSTOMER, DM_ASSIGNMENT, and DM_INVOICE tables should be considered as the existing rules are not set up to mask columns in those tables. The structure of each of those tables could be expanded to show the columns and a rule implemented on the columns which have a No value in the Matches Plan state.
The contents of the Matches Plan, Masking Plan and Masking Plan Comments columns are also available in the form of a printed report. This report can be generated by pressing the Plan Report button button at the bottom of the Tables in Set tab.
The visual plan display and report can be invaluable in determining which tables are not being masked in the subset database. Experience suggests that successful masking sets are easier to produce if the plan columns are used to bring into focus the sometimes ill-defined and indistinct requirements.