DgSecure OnDemand-Agent Installation and Configuration

DgSecure OnDemand – Installation and Configuration | Copyright © 2020



Table of Contents

1. Installation of DgSecure Agents
   1.1 Pre-requisites
   1.2 Download Installer
   1.3 Installation Steps
   1.4 Add Agent to DgSecure
2. Masking Grants
   2.1 Redshift
   2.2 Snowflake
   2.3 SQL Server
   2.4 Azure
   2.5 RDS
       2.5.1 MySQL
       2.5.2 PostgreSQL
       2.5.3 AWS
       2.5.4 Oracle
       2.5.5 Aurora DB
       2.5.6 Maria DB


1. Installation of DgSecure Agents

DgSecure OnDemand supports masking and detection on RDBMS databases and on S3 file systems. To detect sensitive data in a database, a Detection agent must be installed and pointed at the target source system; similarly, masking requires a Masker agent. Detection on S3 file systems is performed by OnDemand through two agents, the S3LFA agent and the Cloud agent, which both have to be installed and configured for the target source system. The Cloud agent browses files hosted in the cloud and the S3LFA agent performs sensitive data detection on the browsed files. This document outlines how to install and configure these agents.

1.1 Pre-requisites

1. Provision an EC2 instance with the following specifications:
   Operating System: CentOS/RHEL 6.4 or 6.7 recommended; other Linux flavors are also supported
   Minimum RAM: 8 GB
   Minimum Hard Disk: 20 GB

2. The instance should be able to connect to the RDS or Redshift data repository which is to be scanned.

3. Java 1.7 or later is required on the EC2 instance provisioned above.

1.2 Download Installer

1. Click on the Help tab at the top panel.

2. Click on the link to the agent you want to install.


A zip file containing the agent installer will get downloaded.

1.3 Installation Steps

On the provisioned EC2 machine, perform the following steps to install the agent:

1. Download the installer.

2. Unzip the file using the following command:

   For Detection agent:
       unzip DgSecureDiscoverIDP-<version>-linux-x64-installer.zip

   For Masking agent:
       unzip DgSecureMaskerIDP-<version>-linux-x64-installer.zip

   For S3LFA and Cloud agent:
       unzip DgSecureS3LFAIDP-<version>-linux-x64-installer.zip

3. To provide the required permissions, execute the following commands:

   For Detection agent:
       chmod +x <download-directory>/DgSecureDiscoverIDP-<version>-linux-x64-installer.run

   For Masking agent:
       chmod +x <download-directory>/DgSecureMaskerIDP-<version>-linux-x64-installer.run

   For S3LFA agent:
       chmod +x <directory>/DgSecureFilesIDP-<version>-linux-x64-installer.run

   For Cloud agent:
       chmod +x <directory>/DgSecureCloudIDP-<version>-linux-x64-installer.run

4. To install the required DgSecure agent, execute the following commands:

   For Detection agent:
       sudo <download-directory>/DgSecureDiscoverIDP-<version>-linux-x64-installer.run

   For Masking agent:
       sudo <download-directory>/DgSecureMaskerIDP-<version>-linux-x64-installer.run

   For S3LFA agent:
       <directory>/DgSecureFilesIDP-<version>-linux-x64-installer.run

   For Cloud agent:
       <directory>/DgSecureCloudIDP-<version>-linux-x64-installer.run

5. Read the End User License Agreement (EULA).

6. To accept the license, enter "y".

7. Enter the path of the required installation directory. By default the installation will be done in the following directory:
       /opt/Dataguise

8. Skip to step 13 if you are installing a Detection or Masker agent. Select the Default option to deploy Files IDP: this is the file system that you want to scan.

9. Select S3 File System: a Files IDP compatible with the S3 File System will be deployed for use by DgSecure.

10. Select the Default value for FileSystem: the provisioned CDH5/EMR/HW cluster / Files IDP.

11. Select the Default value for Meta Name for S3 IDP: 'dgsecure-test' (case sensitive -- all lower case).

12. Select the Default value for AWS Compute Region for S3 IDP: 'us-east-1' (case sensitive -- all lower case).

13. By default a random controller ID is generated. Replace this with 'dataguise' (case sensitive -- all lower case).

1.4 Add Agent to DgSecure

Configure connectivity between the DgSecure server and the Agent instance. The following options are available:

   - Install an AWS Classic Load Balancer (CLB) instance fronting the Agent, and use that IP address/hostname in the configuration.
   - Expose the Agent IP address/hostname as a public address.

Once the Agent IP address or hostname is available, perform the following steps to configure DgSecure OnDemand:


1. Click on the Agents tab.

2. Click Add New Agent.

3. Provide the Agent details and save.


4. Once the Agent configuration is saved, the following listing will appear. The highlighted row is the configuration for the newly added Agent.

5. After adding the Agent, a source for the target database has to be added. Click on the "Sources" tab.

6. Click Add New Source.

7. Provide the target database details. Test and save the source system information.


2. Masking Grants

DgSecure OnDemand creates a user to execute masking on the target database. The user requires certain permissions to successfully mask the data. To obtain these permissions, a different grant script has to be executed for each database type. This document outlines these grant scripts, their prerequisites and the permissions granted. DgSecure OnDemand supports the following databases:

1. Redshift
2. Snowflake
3. SQL Server
4. Azure
5. RDS
   - MySQL
   - PostgreSQL
   - AWS
   - Oracle
   - Aurora DB
   - Maria DB

Masking grants for each database are discussed in the following sections.

2.1 Redshift

i. Prerequisites

To perform masking on a Redshift database, the masking user relies on a set of functions. These functions are written in Python and are shipped in a zip file, which has to be uploaded to Redshift as a library. The script reads the library and performs the masking functions. Perform the following steps to upload the file containing the masking functions and to create the library:

1. Download the AllFunctions.zip file from the following location:

   https://dg-saas.s3.amazonaws.com/MaskerPrerequisiteFiles/Scripts/redshift/AllFunctions.zip

   Upload the AllFunctions.zip file to S3 storage, or to a separate folder in the S3 storage.

2. To check whether the library already exists, execute the following query on the Redshift connection using psql or a similar Redshift client:

   SELECT 1 FROM pg_library WHERE name = 'lib_AllFunctions';

   If the query returns 1, a library with that name already exists. Execute the following command to drop it:

   DROP LIBRARY lib_AllFunctions;

3. Execute the following command to create a new library. <User Name> and <Password> stand for the AWS access key ID and secret access key of an identity that can read the zip file:

   CREATE LIBRARY lib_AllFunctions LANGUAGE plpythonu
   FROM 'https://<LOCATION OF THE ZIP FILE>/AllFunctions.zip'
   CREDENTIALS 'aws_access_key_id=<User Name>;aws_secret_access_key=<Password>';

NOTE: For more details on how to create a Redshift library, please visit:
https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_LIBRARY.html


ii. Variables

Set the following variables before executing the script:

sch1: comma-separated list of all the schemas to be masked.
user_name: Redshift user name to be used for masking.
user_db_name: name of the database that has to be masked.
chooseapassword: the password to create for the user.

iii. Script

----------------------------------------------------------------------------
-- Execute only if the user does not exist yet. CREATEUSER makes the user a
-- Redshift superuser, so keep this account restricted to the masking host.
CREATE USER user_name CREATEUSER PASSWORD 'chooseapassword';

-- Log in with the user created above, and execute the following commands:

ALTER USER user_name CREATEUSER; -- the user created above is altered and granted the required permissions

GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON ALL TABLES IN SCHEMA information_schema, pg_catalog, sch1, dg, public TO user_name; -- to mask tables

GRANT CREATE, TEMPORARY, TEMP ON DATABASE <user_db_name>, dev TO user_name; -- grants the privilege to create temporary tables in the specified database. To run Amazon Redshift Spectrum queries, the database user must have permission to create temporary tables in the database.

GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA information_schema, pg_catalog TO user_name; -- grants the privilege to execute the masking operation

GRANT USAGE ON LANGUAGE plpythonu TO user_name; -- grants the privilege to use the Python library containing the masking functions
----------------------------------------------------------------------------

2.2 Snowflake

i. Variables

Set the following variables before executing the script:

user_name: masker user to be created.
role_name: role to be created and assigned to the masker user.
password: password associated with the masker user.
warehouse_name: name of the warehouse used for masking.
dg_database_name: database used while making the connection, under which the dg objects will be created.
database_name: database on which masking is to be performed.
dg_schema_name: schema used for creating the dg objects.
schema_name: schema on which masking is to be performed.


ii. Script

----------------------------------------------------------------------------
\connect user_db_name; -- database which has to be masked

-- A user with the SECURITYADMIN role, or another role with the MANAGE GRANTS
-- privilege on the account, can grant privileges on objects.
create role <role_name>;
create user <user_name> password='<password>' default_role=<role_name>;

-- The grants below give the user the minimum privileges to execute a masking task.
grant role <role_name> to user <user_name>;
grant operate,usage on warehouse <warehouse_name> to role <role_name>;
grant usage,CREATE SCHEMA on database <dg_database_name> to role <role_name>; -- CREATE SCHEMA is needed for the dg schema that the user creates

-- Create the <dg_schema_name> with the masker user before proceeding further.
-- This is the schema you use while creating a masker task from set config params.
grant usage,CREATE TABLE,CREATE FUNCTION on schema <dg_database_name>.<dg_schema_name> to role <role_name>; -- creation of dg tables and masking functions
grant usage on database <database_name> to role <role_name>; -- access to the database on which masking needs to be performed
grant usage on schema <database_name>.<schema_name> to role <role_name>; -- access to the schema for masking
grant select,update on all tables in schema <database_name>.<schema_name> to role <role_name>; -- to mask the tables
----------------------------------------------------------------------------

2.3 SQL Server

i. Variables

Set the following variables before executing the script:

@DB_NAMES_TO_MASK = 'Target_Database': specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, to perform masking on the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.

@DG_USER_TYPE = 'S': to authenticate with a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.

@DG_USER = 'User_Name': enter the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will automatically get created.

@DG_DB = 'DG': this is the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking will automatically be created by this script. Setting @DG_DB = 'DG' signifies that you should connect to the DG database in the DgSecure Connection Manager.

@DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': this sets the collation of the database with which DgSecure will connect. The collation must be the same as the target database collation. By default, collation is set to 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'. You can change this to the language that your database uses; for instance, set @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.

@DBFilePath = null: keep it null if you want to use the default path for data files, or provide the path where you want to create the data files, for instance 'd:\Database Files'.

@DG_USER_PASS = null: if the password is set to null, the password will be the same as the username for the newly created user.

ii. Script

----------------------------------------------------------------------------
-- Declarations reconstructed for the fragment shown here; the values are the
-- example settings from the Variables section above.
DECLARE @DB_NAMES_TO_MASK nvarchar(max) = 'Target_Database';
DECLARE @DG_USER_TYPE char(1) = 'S';
DECLARE @DG_USER sysname = 'Masker';
DECLARE @DG_DB sysname = 'DG';
DECLARE @DG_Collation sysname = 'SQL_Latin1_General_CP1_CI_AS';
DECLARE @DBFilePath nvarchar(260) = null;
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql nvarchar(max);
DECLARE @ErrorMessage nvarchar(4000), @ErrorSeverity int, @ErrorState int;

if UPPER(@DG_USER_TYPE) = 'W'
Begin
    Print 'Creating DG User With WINDOWS_LOGIN'
    IF NOT EXISTS (select name from sys.server_principals where upper(name) = upper(@DG_USER))
    Begin
        BEGIN TRY
            Set @sql = 'CREATE LOGIN ['+@DG_USER+'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]'
            EXECUTE (@sql)
            print ' Windows User '+@DG_USER+ ' created'
        END TRY
        BEGIN CATCH
            print ' Windows User '+@DG_USER+ ' could not be created';
            SELECT
                @ErrorMessage = ERROR_MESSAGE(),
                @ErrorSeverity = ERROR_SEVERITY(),
                @ErrorState = ERROR_STATE();
            RAISERROR (@ErrorMessage, -- Message text.
                       @ErrorSeverity, -- Severity.
                       @ErrorState -- State.
                      );
        END CATCH
    End
    else
    Begin
        print ' Windows User '+@DG_USER+ ' already exists'
    End
End
Else
Begin
    Print 'Creating DG User With SQL_LOGIN'
    IF NOT EXISTS (select name from sys.sql_logins where upper(name) = upper(@DG_USER))
    Begin
        BEGIN TRY
            -- A null @DG_USER_PASS makes the password equal to the user name, and
            -- CHECK_POLICY=OFF exempts the login from the server's password policy;
            -- set an explicit password for anything beyond a test setup.
            Set @sql = 'CREATE LOGIN ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'
            EXECUTE (@sql)
            print ' SQL User '+@DG_USER+ ' created'
        END TRY
        BEGIN CATCH
            print ' SQL User '+@DG_USER+ ' could not be created';
            SELECT
                @ErrorMessage = ERROR_MESSAGE(),
                @ErrorSeverity = ERROR_SEVERITY(),
                @ErrorState = ERROR_STATE();
            RAISERROR (@ErrorMessage, -- Message text.
                       @ErrorSeverity, -- Severity.
                       @ErrorState -- State.
                      );
        END CATCH
    End
    else
    Begin
        print ' SQL User '+@DG_USER+ ' already exists'
    End
End
----------------------------------------------------------------------------
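The script above assembles its CREATE LOGIN statement by concatenating '[' + @DG_USER + ']' and N'...' around the password. As an added example that is not part of the DgSecure script, the following Python reproduces both branches of that statement with QUOTENAME-equivalent escaping (']' doubled inside the brackets, single quotes doubled inside the literal), so the generated statement stays well-formed whatever the user name or password contains. The function names quotename, quote_literal and build_create_login, and the sample inputs, are this example's own.

```python
"""Added example: assemble the CREATE LOGIN statement the SQL Server grant
script builds with string concatenation, but with QUOTENAME-equivalent
escaping. The function names here are this example's own, not DgSecure's."""
from typing import Optional


def quotename(identifier: str) -> str:
    """Mirror T-SQL QUOTENAME(): wrap in [ ] and double any ']' inside so the
    identifier cannot terminate the bracket quoting early."""
    if not identifier or len(identifier) > 128:
        raise ValueError("identifier must be 1..128 characters (sysname)")
    return "[" + identifier.replace("]", "]]") + "]"


def quote_literal(value: str) -> str:
    """Return an N'...' string literal with embedded single quotes doubled."""
    return "N'" + value.replace("'", "''") + "'"


def build_create_login(dg_user: str, dg_user_pass: Optional[str], dg_user_type: str) -> str:
    """Follow the script's two branches: 'W' creates a Windows login; any
    other @DG_USER_TYPE creates a SQL login whose password falls back to the
    user name when @DG_USER_PASS is null (the behaviour documented above)."""
    login = quotename(dg_user)
    if dg_user_type.upper() == "W":
        return (f"CREATE LOGIN {login} FROM WINDOWS WITH "
                "DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]")
    password = dg_user if dg_user_pass is None else dg_user_pass
    return (f"CREATE LOGIN {login} WITH PASSWORD={quote_literal(password)}, "
            "DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF")


if __name__ == "__main__":
    # Constructed inputs: the documented default, a Windows account, and a
    # name/password pair that would break plain '[' + name + ']' concatenation.
    print(build_create_login("Masker", None, "S"))
    print(build_create_login("CORP\\svc_masker", None, "W"))
    print(build_create_login("odd]name", "p'w", "S"))
```

In T-SQL itself the same effect is obtained with QUOTENAME(@DG_USER) and REPLACE(@DG_USER_PASS, '''', '''''') in place of the raw concatenation; the Python version is only a readable model of what those calls do.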


2.4 Azure

i. Variables

Set the following variables before executing the script:

@DB_NAMES_TO_MASK = 'Target_Database': specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, to perform masking on the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.

@DG_USER_TYPE = 'S': to authenticate with a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.

@DG_USER = 'User_Name': enter the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will automatically get created.

@DG_DB = 'DG': this is the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking will automatically be created by this script. Setting @DG_DB = 'DG' signifies that you should connect to the DG database in the DgSecure Connection Manager.

@DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': this sets the collation of the database with which DgSecure will connect. The collation must be the same as the target database collation. By default, collation is set to 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'. You can change this to the language that your database uses; for instance, set @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.

@DBFilePath = null: keep it null if you want to use the default path for data files, or provide the path where you want to create the data files, for instance 'd:\Database Files'.

@DG_USER_PASS = null: if the password is set to null, the password will be the same as the username for the newly created user.

ii. Script

----------------------------------------------------------------------------
-- Declarations reconstructed for the fragment shown here. CREATE USER ... WITH
-- PASSWORD creates a contained database user, so no server login is involved.
DECLARE @DG_USER sysname = 'Masker';
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql nvarchar(max);

Print 'Creating DG User With SQL_LOGIN'
Begin
    -- A null @DG_USER_PASS makes the password equal to the user name.
    Set @sql = 'CREATE USER ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''''
    EXECUTE (@sql)
    -- db_owner confers full control of the database, which is broader than the
    -- per-object grants used for the other database types in this document.
    Set @sql = 'ALTER ROLE db_owner ADD MEMBER ['+@DG_USER+']'
    EXECUTE (@sql)
    print ' SQL User '+@DG_USER+ ' created'
End
----------------------------------------------------------------------------


2.5 RDS

Following are the scripts for the different RDS databases supported by DgSecure.

2.5.1 MySQL

i. Variables

Set the following variables before executing the script:

user_name: masker user to be created.
db_name: name of the database where DG metadata will be saved.
target_db_name: database where masked data will be stored.

ii. Script

----------------------------------------------------------------------------
-- The password below equals the user name; replace it with a strong password
-- once the grants have been applied.
CREATE USER 'user_name'@'localhost' IDENTIFIED BY 'user_name';

-- For SSL, uncomment the line below
-- GRANT USAGE ON *.* TO 'ssluser'@'localhost' identified by 'root' REQUIRE SSL;

-- 1. <db_name> - Name of the database where DG metadata will be saved;
GRANT ALTER ON <db_name>.* TO 'user_name'@'localhost';
GRANT ALTER ROUTINE ON <db_name>.* TO 'user_name'@'localhost';
GRANT CREATE ROUTINE ON <db_name>.* TO 'user_name'@'localhost';
GRANT CREATE ON <db_name>.* TO 'user_name'@'localhost';
GRANT CREATE TEMPORARY TABLES ON <db_name>.* TO 'user_name'@'localhost';
GRANT DELETE ON <db_name>.* TO 'user_name'@'localhost';
GRANT DROP ON <db_name>.* TO 'user_name'@'localhost';
GRANT EXECUTE ON <db_name>.* TO 'user_name'@'localhost';
GRANT INDEX ON <db_name>.* TO 'user_name'@'localhost';
GRANT INSERT ON <db_name>.* TO 'user_name'@'localhost';
GRANT UPDATE ON <db_name>.* TO 'user_name'@'localhost';
GRANT LOCK TABLES ON <db_name>.* TO 'user_name'@'localhost';
GRANT SELECT ON <db_name>.* TO 'user_name'@'localhost';
GRANT SHOW VIEW ON <db_name>.* TO 'user_name'@'localhost';
-- SHOW DATABASES is a global privilege in MySQL and cannot be granted on
-- <db_name>.* (the server rejects the statement); the optional *.* grant at
-- the end of this script is the only valid form.
-- GRANT SHOW DATABASES ON <db_name>.* TO 'user_name'@'localhost';
GRANT TRIGGER ON <db_name>.* TO 'user_name'@'localhost';

-- 2. <target_db_name> - Name of target database;
GRANT CREATE ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT UPDATE ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT INSERT ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT SELECT ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT TRIGGER ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT INDEX ON <target_db_name>.* TO 'user_name'@'localhost';
GRANT LOCK TABLES ON <target_db_name>.* TO 'user_name'@'localhost';

-- Uncomment if all databases need to be visible on the "create masker task"
-- screen; masking on a DB will still succeed only if the grants in #2 above
-- have been given on that particular DB.
-- GRANT SHOW DATABASES ON *.* TO 'user_name'@'localhost';
----------------------------------------------------------------------------

2.5.2 PostgreSQL

i. Prerequisites

Connect to the database on which masking has to be performed, using an existing user or an admin user, to execute the grant script.

ii. Variables

Set the following variables before executing the script:

user_schema: comma-separated list of all schemas to be masked.
test_user: Postgres user name to be used for masking.
user_db_name: name of the database to be masked.

NOTE: The information_schema and pg_catalog schemas are required for masking. Please do not exclude these from the schema list.

iii. Script

----------------------------------------------------------------------------
-- Execute if the user has not been created; use a strong password in place of
-- the sample value.
CREATE USER test_user WITH PASSWORD '12345678';

GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT CREATE, CONNECT, TEMPORARY, TEMP ON DATABASE user_db_name TO test_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT CREATE, USAGE ON SCHEMA information_schema, pg_catalog, user_schema TO test_user;
----------------------------------------------------------------------------

----------------------------------------------------------------------------
-- GRANT postgres makes test_user a member of the postgres role, i.e. it
-- inherits that role's privileges in addition to the grants above.
GRANT postgres TO test_user;
CREATE EXTENSION pgcrypto;
----------------------------------------------------------------------------
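The MySQL script above defines the minimum privilege set the masking user needs on the DG metadata database and on the target database, and notes that only SHOW DATABASES is ever granted globally. As an added example that is not part of the DgSecure scripts, the following Python audits the output of SHOW GRANTS FOR 'user_name'@'localhost' against that documented minimum and reports every privilege that goes beyond it, so drift such as a stray DROP on the target or an ALL PRIVILEGES grant elsewhere is caught after the script has run. The names parse_show_grants, excess_privileges, EXPECTED_GRANTS, the database names dgmeta and customers, and the sample SHOW GRANTS lines are all constructed for this example.

```python
"""Added example: audit a MySQL masking user's effective grants against the
minimum set the script above grants. parse_show_grants, excess_privileges,
EXPECTED_GRANTS and the sample SHOW GRANTS lines are this example's own."""
import re
from typing import Dict, Iterable, Set

# Minimum grants from the script above, with <db_name> = dgmeta and
# <target_db_name> = customers (constructed names). SHOW DATABASES is a global
# privilege in MySQL, so it may only appear on *.* (the optional grant).
EXPECTED_GRANTS: Dict[str, Set[str]] = {
    "dgmeta.*": {"ALTER", "ALTER ROUTINE", "CREATE ROUTINE", "CREATE",
                 "CREATE TEMPORARY TABLES", "DELETE", "DROP", "EXECUTE",
                 "INDEX", "INSERT", "UPDATE", "LOCK TABLES", "SELECT",
                 "SHOW VIEW", "TRIGGER"},
    "customers.*": {"CREATE", "UPDATE", "INSERT", "SELECT", "TRIGGER",
                    "INDEX", "LOCK TABLES"},
    "*.*": {"USAGE", "SHOW DATABASES"},
}

# Constructed SHOW GRANTS FOR 'user_name'@'localhost' output: the DG metadata
# and target databases as expected, plus two grants that exceed the minimum.
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO `user_name`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, "
    "ALTER ROUTINE, TRIGGER, SHOW VIEW ON `dgmeta`.* TO `user_name`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, CREATE, INDEX, LOCK TABLES, TRIGGER, DROP "
    "ON `customers`.* TO `user_name`@`localhost`",
    "GRANT ALL PRIVILEGES ON `scratch`.* TO `user_name`@`localhost`",
]

_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE)


def parse_show_grants(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each grant scope (db.* or *.*) to the upper-cased privilege set."""
    grants: Dict[str, Set[str]] = {}
    for line in lines:
        m = _GRANT_RE.match(line.strip())
        if not m:
            continue  # header lines or other non-GRANT output
        scope = m.group("scope").replace("`", "")
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.setdefault(scope, set()).update(privs)
    return grants


def excess_privileges(actual: Dict[str, Set[str]],
                      expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return the privileges (per scope) that go beyond the expected minimum;
    an empty result means the user is within the documented grant set."""
    excess: Dict[str, Set[str]] = {}
    for scope, privs in actual.items():
        extra = privs - expected.get(scope, set())
        if extra:
            excess[scope] = extra
    return excess


if __name__ == "__main__":
    found = excess_privileges(parse_show_grants(SAMPLE_SHOW_GRANTS), EXPECTED_GRANTS)
    for scope, privs in sorted(found.items()):
        print(f"{scope}: beyond documented minimum -> {', '.join(sorted(privs))}")
```

Run it against real output by pasting the SHOW GRANTS rows into SAMPLE_SHOW_GRANTS and substituting your own <db_name> and <target_db_name> in EXPECTED_GRANTS; a scope that appears in the output but not in EXPECTED_GRANTS is reported in full, which is the intended behaviour for a least-privilege check.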


2.5.3 AWS

i. Variables

Set the following variables before executing the script:

@DB_NAMES_TO_MASK = 'Target_Database': specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, to perform masking on the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.

@DG_USER_TYPE = 'S': to authenticate with a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.

@DG_USER = 'User_Name': enter the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will automatically get created.

@DG_DB = 'DG': this is the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking will automatically be created by this script. Setting @DG_DB = 'DG' signifies that you should connect to the DG database in the DgSecure Connection Manager.

@DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': this sets the collation of the database with which DgSecure will connect. The collation must be the same as the target database collation. By default, collation is set to 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'. You can change this to the language that your database uses; for instance, set @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.

@DBFilePath = null: keep it null if you want to use the default path for data files, or provide the path where you want to create the data files, for instance 'd:\Database Files'.

@DG_USER_PASS = null: if the password is set to null, the password will be the same as the username for the newly created user.


ii. Script

----------------------------------------------------------------------------
-- Declarations reconstructed for the fragment shown here; the values are the
-- example settings from the Variables section above.
DECLARE @DG_USER_TYPE char(1) = 'S';
DECLARE @DG_USER sysname = 'Masker';
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql nvarchar(max);

if UPPER(@DG_USER_TYPE) = 'W'
Begin
    Print 'Creating DG User With WINDOWS_LOGIN'
    IF NOT EXISTS (select name from sys.server_principals where upper(name) = upper(@DG_USER))
    Begin
        Set @sql = 'CREATE LOGIN ['+@DG_USER+'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]'
        EXECUTE (@sql)
        print ' Windows User '+@DG_USER+ ' created'
    End
    else
    Begin
        print ' Windows User '+@DG_USER+ ' already exists'
    End
End
Else
Begin
    Print 'Creating DG User With SQL_LOGIN'
    IF NOT EXISTS (select name from sys.sql_logins where upper(name) = upper(@DG_USER))
    Begin
        -- A null @DG_USER_PASS makes the password equal to the user name, and
        -- CHECK_POLICY=OFF exempts the login from the server's password policy;
        -- set an explicit password for anything beyond a test setup.
        Set @sql = 'CREATE LOGIN ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'
        EXECUTE (@sql)
        print ' SQL User '+@DG_USER+ ' created'
    End
    else
    Begin
        print ' SQL User '+@DG_USER+ ' already exists'
    End
End
----------------------------------------------------------------------------

SQL for Azure

The script for Azure SQL under RDS is identical to the one given in section 2.4 (Azure).

2.5.4 Oracle

i. Prerequisites

There are two scripts to perform the masking configuration, the create_user script and the create_user_individual_grants script:

1. create_user: this script provides the complete privileges to mask all the tables. Before running this script, ensure that:
   - The user running the script is either a system user or has the appropriate permissions to provide grants.
   - The tablespaces match your setup. Defaults have been used for testing.

2. create_user_individual_grants: this script provides the permissions to mask the specified tables. Before running the script, ensure that:
   - A masking user exists. If the user does not exist, use the create_user script to create the user.

ii. Variables

Set the following variables before running the script:

CREATE USER &&<USER_NAME>: provide the username.
IDENTIFIED BY &&<PASS_WORD>: provide the password.
DEFAULT TABLESPACE &&<DEFAULT_TABLESPACE>: you can change the tablespace settings to match your setup.
TEMPORARY TABLESPACE &&<TEMPORARY_TABLESPACE>: you can change the tablespace settings to match your setup.

NOTE: To execute masking on Oracle, certain grants are required for all trigger, index and table objects (this is achieved using the "ANY" keyword in the create_user script).

iii. Script

The Oracle masking script includes the grants required for the Oracle user that will perform the masking task. You can change the password after running the script. There are two scripts to perform the masking configuration, the create_user script and the create_user_individual_grants script.

create_user: the create_user script grants permissions to all the tables.

----------------------------------------------------------------------------

-- This is a sample script of the set up needed for the Oracle user needed to
-- run the DG_Masker code.
-- Create a basic user; if the user already exists, skip this step.
-- Change the tablespaces to match your setup; we used the defaults for
-- testing.
-- Reset the password accordingly after running this.
-- &&DEFAULT_TABLESPACE -- USERS
-- &&TEMPORARY_TABLESPACE -- TEMP

CREATE USER &&USER_NAME
IDENTIFIED BY &&PASS_WORD
DEFAULT TABLESPACE &&DEFAULT_TABLESPACE
TEMPORARY TABLESPACE &&TEMPORARY_TABLESPACE
PROFILE DEFAULT
ACCOUNT UNLOCK;

GRANT EXECUTE ON DBMS_LOCK TO &&USER_NAME;
GRANT CREATE JOB TO &&USER_NAME;            -- we need this to run the job schedule
GRANT CONNECT TO &&USER_NAME;               -- basic access needed to function
GRANT RESOURCE TO &&USER_NAME;              -- basic access needed to function
GRANT CREATE PROCEDURE TO &&USER_NAME;      -- access to program for creating objects
GRANT CREATE SEQUENCE TO &&USER_NAME;       -- access to program for creating objects
GRANT CREATE SESSION TO &&USER_NAME;        -- access to program for creating objects
GRANT CREATE SYNONYM TO &&USER_NAME;        -- access to program for creating objects
GRANT CREATE TABLE TO &&USER_NAME;          -- access to program for creating objects
GRANT CREATE TRIGGER TO &&USER_NAME;        -- access to program for creating objects
GRANT CREATE TYPE TO &&USER_NAME;           -- access to program for creating objects
GRANT CREATE VIEW TO &&USER_NAME;           -- access to program for creating objects
GRANT SELECT ANY DICTIONARY TO &&USER_NAME; -- access to sys objects for table references

-- The below permission (ALTER SYSTEM) grants the user the privilege to kill a
-- query/session and is not required for Cloud databases. It can be ignored if
-- the user does not want to kill the query through 'CANCEL' on the task screen.
GRANT ALTER SYSTEM TO &&USER_NAME;

--GRANT SELECT ANY TRANSACTION TO &&USER_NAME;

-- for hashing which we use for CUPS
GRANT EXECUTE ON DBMS_CRYPTO TO &&USER_NAME;

-- check grants
GRANT EXECUTE ON DBMS_METADATA TO &&USER_NAME;
GRANT SELECT_CATALOG_ROLE TO &&USER_NAME;
--GRANT EXECUTE_CATALOG_ROLE TO &&USER_NAME;

-- THERE IS NO WAY TO REMOVE ANY FROM THE FOLLOWING GRANTS
--GRANT LOCK ANY TABLE TO &&USER_NAME;  -- needed to lock the tables under masking
GRANT ALTER ANY TRIGGER TO &&USER_NAME; -- needed if the user wishes to apply masking on columns having triggers
GRANT ALTER ANY INDEX TO &&USER_NAME;   -- needed if the user wishes to apply masking on columns having indexes

-- Some indexes will block processing on primary keys even if disabled, so
-- they have to be dropped and recreated.
GRANT DROP ANY INDEX TO &&USER_NAME;
GRANT CREATE ANY INDEX TO &&USER_NAME;

-- We need the below grants to create and insert data in the DG_WATERMARK
-- table in every schema on which masking is applied.
GRANT INSERT ANY TABLE TO &&USER_NAME;
GRANT CREATE ANY TABLE TO &&USER_NAME;
GRANT SELECT ANY TABLE TO &&USER_NAME;

-- We need the following permissions if the user wants to execute a task
-- using the multithreading option.
GRANT CREATE JOB TO &&USER_NAME;
GRANT SCHEDULER_ADMIN TO &&USER_NAME;
GRANT MANAGE SCHEDULER TO &&USER_NAME;
GRANT ADM_PARALLEL_EXECUTE_TASK TO &&USER_NAME;

----------------------------------------------------------------------------


create_user_individual_grants: This script creates a procedure, GRANT_TABLE_RIGHTS. Use this script when you want to provide grants to update, create and alter specific tables in the databases instead of 'ANY' table.

After executing the script, run the following command to call the procedure (the second argument is a comma-separated list of the schemas to be masked):

call GRANT_TABLE_RIGHTS('user_name', 'schema1, schema2, schema3');

----------------------------------------------------------------------------

CREATE OR REPLACE PROCEDURE GRANT_TABLE_RIGHTS (USER_NAME VARCHAR2,
                                                DB_TO_MASK1 VARCHAR2) AS
  cmd  varchar2(2000);
  cmd2 varchar2(2000);
  -- the masking user that receives the grants
  cursor c_users is
    select username from all_users where username in (UPPER(USER_NAME));
  -- every table owned by one of the schemas in the comma-separated list;
  -- TRIM so that 'schema1, schema2' (with spaces) still matches the owner
  cursor c1 is
    select table_name, owner from all_tables where OWNER in (
      select trim(regexp_substr(UPPER(DB_TO_MASK1), '[^,]+', 1, level))
        from dual
     connect by regexp_substr(UPPER(DB_TO_MASK1), '[^,]+', 1, level) is not null );
BEGIN
  for c in c1 loop
    for u in c_users loop
      cmd := 'GRANT SELECT,ALTER, UPDATE ON '|| c.owner
             ||'.'||c.table_name|| ' TO ' || u.username;
      execute immediate cmd;
    end loop;
  end loop;
END;
/

---------------------------------------------------------------------------
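An added verification block, not part of the DgSecure scripts, that a DBA can run after create_user (and optionally GRANT_TABLE_RIGHTS) to report which of the grants listed in this section the masking user actually holds, which ANY privileges remain, and how many per-table grants each schema received. It checks direct grants only, through the DBA_* views, and reuses the create_user script's &&USER_NAME substitution variable.

```sql
set serveroutput on
-- Added check, not a DgSecure script: reports the masking user's grants.
declare
  v_user varchar2(128) := upper('&&USER_NAME');
  type t_list is table of varchar2(64);
  -- system privileges granted by create_user (ALTER SYSTEM is optional per the script)
  v_sys t_list := t_list('CREATE SESSION', 'CREATE JOB', 'CREATE PROCEDURE',
    'CREATE SEQUENCE', 'CREATE SYNONYM', 'CREATE TABLE', 'CREATE TRIGGER', 'CREATE TYPE',
    'CREATE VIEW', 'SELECT ANY DICTIONARY', 'ALTER ANY TRIGGER', 'ALTER ANY INDEX',
    'DROP ANY INDEX', 'CREATE ANY INDEX', 'INSERT ANY TABLE', 'CREATE ANY TABLE',
    'SELECT ANY TABLE', 'MANAGE SCHEDULER', 'ALTER SYSTEM');
  v_roles t_list := t_list('CONNECT', 'RESOURCE', 'SELECT_CATALOG_ROLE',
    'SCHEDULER_ADMIN', 'ADM_PARALLEL_EXECUTE_TASK');
  v_pkgs t_list := t_list('DBMS_LOCK', 'DBMS_CRYPTO', 'DBMS_METADATA');
  v_n pls_integer;
  procedure report(p_kind varchar2, p_name varchar2, p_held pls_integer) is
  begin
    dbms_output.put_line(rpad(p_kind, 6) || rpad(p_name, 28) ||
                         case when p_held > 0 then 'OK' else 'MISSING' end);
  end;
begin
  for i in 1 .. v_sys.count loop
    select count(*) into v_n from dba_sys_privs
     where grantee = v_user and privilege = v_sys(i);
    report('SYS', v_sys(i), v_n);
  end loop;
  for i in 1 .. v_roles.count loop
    select count(*) into v_n from dba_role_privs
     where grantee = v_user and granted_role = v_roles(i);
    report('ROLE', v_roles(i), v_n);
  end loop;
  for i in 1 .. v_pkgs.count loop
    select count(*) into v_n from dba_tab_privs
     where grantee = v_user and owner = 'SYS' and privilege = 'EXECUTE'
       and table_name = v_pkgs(i);
    report('EXEC', v_pkgs(i), v_n);
  end loop;
  -- Least-privilege review: if masking was set up with GRANT_TABLE_RIGHTS instead
  -- of the ANY grants, this list should contain only SELECT ANY DICTIONARY.
  for r in (select privilege from dba_sys_privs
             where grantee = v_user and privilege like '% ANY %' order by 1) loop
    dbms_output.put_line('ANY privilege held: ' || r.privilege);
  end loop;
  -- Per-schema object grants as issued by GRANT_TABLE_RIGHTS.
  for r in (select owner, count(*) as n from dba_tab_privs
             where grantee = v_user and privilege in ('SELECT', 'ALTER', 'UPDATE')
             group by owner order by owner) loop
    dbms_output.put_line('Table grants in ' || r.owner || ': ' || r.n);
  end loop;
end;
/
```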

2.5.5 Aurora DB

Please refer to Masking Scripts for MySQL.

2.5.6 Maria DB

Please refer to Masking Scripts for MySQL.