By Nilesh Agrawal-Oracle on Aug 06, 2013
One-step inline data masking and data subsetting is a very innovative solution in Oracle Enterprise Manager 12c that enables enterprises to provision secure and reduced size test systems directly from the production or standby database without the need for a full production database copy. So you are able to create reduced size copies of production database keeping the referential integrity of data set intact saving on storage costs and more importantly also ensure your sensitive database never creeps into any of your development or test systems in compliance with data privacy policies.
With Oracle Enterprise Manager 12c Release 3 customers have now started adopting this one-step on-the-fly masking and subsetting solution along with Database-as-a-Service(DBaaS) self-service provisioning capabilities and the outcome is one of the most comprehensive and unique solution to realize self-service provisioning of secured, subset copies of production like databases for all of testing and development needs in a private cloud model.
In this blog post I will walk through the steps required to achieve this comprehensive solution for test and development systems provisioning in enterprise private cloud.
1) Prepare source database
One of the ideal option in case customer has physical standby is to convert physical standby into a snapshot standby for one-step data subsetting and masking operation. A snapshot standby receives and archives but does not apply redo from primary until converted back to physical standby. So once you have created subsetted and secure dump from snapshot standby you can convert snapshot standby back to physical standby using Oracle Enterprise Manager. Refer to Oracle Data Guard guide for considerations in using snapshot standby. In-line data subsetting and masking can also be performed on production database in case there is no physical standby.
2) Perform Inline data subsetting and masking workflow
Here are the steps :
a) Create Application Data Model(ADM)
ADM is a knowledge base entity in Oracle Enterprise Manager that captures application metadata, referential relationships, sensitive columns and is used by both test data management and data masking. There are pre-defined drivers to capture data relationships from application metadata tables for Oracle Applications such as Fusion Apps and eBusiness Suite. Security Administrator requires EM_ALL_OPERATOR privilege to create ADM and Data Masking and Subsetting definition.
b) Create Masking and Subsetting definition
As a best practice, Security Administrator can create masking formats for all regulated information in the enterprise. There are out-of-box Oracle supplied default masking formats also that can be used from format library. Next step is to create masking definition that includes information regarding table columns and the format for each column. You can choose which columns to mask. Data Masking workflow can be referred here.
Next step is to create Data subset definition and use the same ADM and database used in creating the masking definition. In this step you can define the table rules,rule parameters, include 'Ancestor and Descendant tables' or 'Ancestor tables only' option this ensuring referential integrity is maintained. At this step Space estimates can also be reviewed and depending on the result, you can modify or add new rules and review back on space estimates value. Pre/Post subset scripts can also be included in definition.
c) Generate subset using export option
Using the definition subset can be created by writing the subset data to export file. Specify directory where to save the export dump and schedule the subset job. Once the job is complete, the subset Data pump file of production data with sensitive data masked is ready. The overall flow is described here
Some key tips -
- Parallel degree can be used for faster export. Start with twice the number of CPUs and tune from there
- %U and max file size parameter can be used to ensure optimum use of parallelism
- Rule parameter in where clause can be used for actual subset generation with different values
- Column rules can be used to set large-sized columns to null or fix value to reduce database size further
3) Prepare secure test/reference database
Once the Data pump export file is generated it can be imported in a test/staging database . For details refer here.This test database can be used as a reference for all development and testing copies and hosted in Self-Service portal for end users to request from service catalog.
4) Self-Service Portal Setup
Following two options are available to cloud-enable this secure reference database for self-service provisioning of future copies of this database via Oracle Enterprise Manager 12c Database-as-a-Service (DBaaS) solution :
a) Snap Clone option that leverages storage level copy-on-write technologies for cloning and is suited best for functional testing requirements and for short lived databases.With this option you can clone terabytes of data in few minutes and storage saving is enormous with this option. you need to review the supported storage options for this method. As of time of writing the post Netapp and ZFS is supported though there are plans to support more storage options in near future.
b) RMAN based cloning from backup is one of the favorite option for DBAs. The restore process is completely automated with EM 12c DBaaS and this option is best suited for performance and load testing, development requirements and for databases used for significant updates.
Once you decide on the option, steps to follow are documented in one of my recent blog post around Planning Database as a Service Implementation Project
Refer to Private Cloud Setup and Administration guide here for details on DBaaS Setup and Snap Clone, RMAN Profile options. The secure database prepared in previous step will be used as reference target by SSA Administrator while creating database provisioning profile using RMAN backup or Snapshot option. Please also ensure you have reviewed this MOS Note for DBaaS related patches -
"Enterprise Manager Cloud Control 12c Recommended Plug-Ins and Patches for Database as a Service (DBaaS) (Doc ID 1549855.1)"
5) Self-Service database provisioning in Cloud
End users can now request for secure subset copies of production database via Self-service portal for all kind of functional QA, load and performance testing, development requirements. All the databases provisioned from this approach are also enabled by default with EM 12c powered monitoring and diagnostics, lifecycle and cloud management capabilities.
1) Oracle Enterprise Manager 12c Packs
Oracle Test Data Management Pack
Oracle Data Masking Pack
Oracle Database Lifecycle Management Pack
Oracle Database Cloud Management Pack
2) Oracle Enterprise Manager 12c Platform and Plug-ins
Enterprise Manager Cloud Control 12c Release 3 Base Platform (220.127.116.11)
Enterprise Manager for Oracle Database (DB) plug-in 18.104.22.168
Enterprise Manager for Oracle Virtualization (VT) plug-in 22.214.171.124
Enterprise Manager Storage Management Framework (SMF) plug-in 126.96.36.199
Enterprise Manager for Oracle Cloud (SSA) plug-in 188.8.131.52
- Oracle Database 12c Testing Guide
- Private Cloud Setup and Administration guide
- Zero to Cloud Resource Center
: Meet Growing IT Demand for Databases with Private DBaaS
- Delivering Database as a Service using Oracle Enterprise Manager 12c