DgSecure OnDemand-Agent Installation and Configuration

DgSecure OnDemand – Installation and Configuration| Copyright © 2020


Table of Contents

1. Installation of DgSecure Agents
   1.1 Pre-requisites
   1.2 Download Installer
   1.3 Installation Steps
   1.4 Add Agent to DgSecure
2. Masking Grants
   2.1 Redshift
   2.2 Snowflake
   2.3 SQL Server
   2.4 Azure
   2.5 RDS
       2.5.1 MySQL
       2.5.2 PostgreSQL
       2.5.3 AWS
       2.5.4 Oracle
       2.5.5 Aurora DB
       2.5.6 Maria DB


1. Installation of DgSecure Agents

DgSecure OnDemand supports masking and detection on RDBMS databases and on S3 file systems. To detect sensitive data in a database, a Detection agent must be installed and directed at the target source system; likewise, masking requires a Masker agent. Detection on S3 file systems is performed through OnDemand with two agents, the S3LFA agent and the Cloud agent, which must be installed and configured for the target source system: the Cloud agent browses the files hosted in the cloud, and the S3LFA agent performs sensitive data detection on the browsed files. This document outlines how to install and configure these agents.

1.1 Pre-requisites

1. Provision an EC2 instance with the following specifications:
   • Operating system: CentOS/RHEL 6.4 or 6.7 recommended; other flavors are also supported
   • Minimum RAM: 8 GB
   • Minimum hard disk: 20 GB
2. The instance must be able to connect to the RDS or Redshift data repository that is to be scanned.
3. Java 1.7 or later is required on the EC2 instance provisioned above.

1.2 Download Installer

1. Click on the Help tab at the top panel.

2. Click on the link to the agent you want to install.


A zip file containing the agent installer will be downloaded.

1.3 Installation Steps

On the provisioned EC2 machine, perform the following steps to install the agent:

1. Download the installer.

2. Unzip the file using the following command:

   • For Detection agent:

     unzip DgSecureDiscoverIDP--linux-x64-installer.zip

   • For Masking agent:

     unzip DgSecureMaskerIDP--linux-x64-installer.zip

   • For S3LFA and Cloud agent:

     unzip DgSecureS3LFAIDP--linux-x64-installer.zip

3. To provide the required permissions, execute the following commands:

   • For Detection agent:

     chmod +x ./DgSecureDiscoverIDP--linux-x64-installer.run
     sudo ./DgSecureDiscoverIDP--linux-x64-installer.run

   • For Masking agent:

     chmod +x ./DgSecureMaskerIDP--linux-x64-installer.run
     sudo ./DgSecureMaskerIDP--linux-x64-installer.run

   • For S3LFA agent:

     chmod +x ./DgSecureFilesIDP--linux-x64-installer.run

   • For Cloud agent:

     chmod +x ./DgSecureCloudIDP--linux-x64-installer.run

4. To install the required DgSecure agent, execute the following commands:

   • For Detection agent:

     ./DgSecureDiscoverIDP--linux-x64-installer.run

   • For Masking agent:

     ./DgSecureMaskerIDP--linux-x64-installer.run

   • For S3LFA agent:

     ./DgSecureFilesIDP--linux-x64-installer.run

   • For Cloud agent:

     ./DgSecureCloudIDP--linux-x64-installer.run

5. Read the End User License Agreement (EULA).

6. To accept the license, enter "y".

7. Enter the path of the required installation directory. By default the installation is done in the following directory:

   /opt/Dataguise

8. Skip to step 13 if you are installing a Detection or Masker agent. Otherwise select the Default option to deploy Files IDP: this is the file system that you want to scan.

9. Select S3 File System: a Files IDP compatible with the S3 file system will be deployed for use by DgSecure.

10. Select the Default value for FileSystem: the provisioned CDH5/EMR/HW cluster / Files IDP.

11. Select the Default value for Meta Name for S3 IDP: 'dgsecure-test' (case sensitive, all lower case).

12. Select the Default value for AWS Compute Region for S3 IDP: 'us-east-1' (case sensitive, all lower case).

13. By default a random controller ID is generated. Replace this with 'dataguise' (case sensitive, all lower case).

1.4 Add Agent to DgSecure

Configure connectivity between the DgSecure server and the Agent instance. The following options are available:

• Install an AWS Classic Load Balancer (CLB) instance fronting the Agent, and use that IP address/hostname in the configuration.
• Expose the Agent IP address/hostname as a public address.

Once the Agent IP address or hostname is available, perform the following steps to configure DgSecure OnDemand:


1. Click on the Agents tab.

2. Click Add New Agent.

3. Provide the Agent details and save.


4. Once the Agent configuration is saved, the following listing will appear. The highlighted row is the configuration for the newly added Agent.

5. After adding the Agent, a source to the target database has to be added. Click on the “Sources” tab.

6. Click Add New Source.

7. Provide the target database details. Test and save the source system information.


2. Masking Grants

DgSecure OnDemand creates a user to execute masking on the target database. This user requires certain permissions to mask the data successfully, and they are obtained by running a different grant script for each database type. This section outlines these grant scripts, their prerequisites and the permissions they grant. DgSecure OnDemand supports the following databases:

1. Redshift
2. Snowflake
3. SQL Server
4. Azure
5. RDS
   • MySQL
   • PostgreSQL
   • AWS
   • Oracle
   • Aurora DB
   • Maria DB

The masking grants for each database are discussed in the following sections.

2.1 Redshift

i. Prerequisites

Masking on a Redshift database relies on a set of functions written in Python and delivered as a zip file. The user must upload this file to Redshift; the script then reads the library and performs the masking function.

Perform the following steps to upload the file containing the masking functions and to create a library:

1. Download the AllFunctions.zip file from the following location:

   https://dg-saas.s3.amazonaws.com/MaskerPrerequisiteFiles/Scripts/redshift/AllFunctions.zip

   Upload the AllFunctions.zip file to the S3 storage, or to a separate folder in the S3 storage.

2. To check whether a library already exists, execute the following query on the Redshift connection using psql or a similar Redshift client:

   SELECT 1 FROM pg_library WHERE name = 'lib_AllFunctions';

   If the query returns 1, a library already exists. Execute the following command to drop it:

   DROP LIBRARY lib_AllFunctions;

3. Execute the following command to create a new library (the S3 path and the credentials are placeholders to be replaced with your own values):

   CREATE LIBRARY lib_AllFunctions LANGUAGE plpythonu
   FROM 'https://<S3 path>/AllFunctions.zip'
   CREDENTIALS 'aws_access_key_id=<access key>;aws_secret_access_key=<secret key>';

NOTE: For more details on how to create a Redshift library, please visit:

https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_LIBRARY.html


ii. Variables

Set the following variables before executing the script:

• sch1: comma separated values of all the schemas to be masked.
• user_name: Redshift user name to be used for masking.
• user_db_name: name of the database that has to be masked.
• chooseapassword: create a password.

iii. Script

------
CREATE USER user_name CREATEUSER PASSWORD 'chooseapassword'; -- Execute if no user exists

-- Log in with the user created above, and execute the following commands:
ALTER USER user_name CREATEUSER; -- the user created above is altered and granted the required permissions
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON ALL TABLES IN SCHEMA information_schema, pg_catalog, sch1, dg, public TO user_name; -- to mask tables
GRANT CREATE, TEMPORARY, TEMP ON DATABASE user_db_name, dev TO user_name; -- privilege to create temporary tables in the specified database. To run Amazon Redshift Spectrum queries, the database user must have permission to create temporary tables in the database.
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA information_schema, pg_catalog, sch1, dg, public TO user_name; -- privilege to execute the masking operation
GRANT USAGE ON LANGUAGE plpythonu TO user_name; -- privilege to use the Python library containing the masking functions
------

2.2 Snowflake

i. Variables

Set the following variables before executing the script:

• user_name: masker user to be created.
• role_name: role to be created and assigned to the masker user.
• password: password associated with the masker user.
• warehouse_name: name of the warehouse used for masking.
• dg_database_name: database used while making the connection, under which the dg objects will be created.
• database_name: database on which masking is to be performed.
• dg_schema_name: schema used for creating the dg objects.
• schema_name: schema on which masking is to be performed.


ii. Script

------
\connect user_db_name; -- Database which has to be masked
-- A user with the SECURITYADMIN role, or another role with the MANAGE GRANTS privilege on the account, can grant privileges on objects
create role role_name;
create user user_name password='password' default_role=role_name;

-- The grants below give the user the minimum privileges to execute a masking task
grant role role_name to user user_name;
grant operate, usage on warehouse warehouse_name to role role_name;
grant usage, CREATE SCHEMA on database dg_database_name to role role_name; -- needed for the dg schema that the user creates
-- Create dg_schema_name with the masker user before proceeding further. This is the schema you use while creating a masker task from set config params.
grant usage, CREATE TABLE, CREATE FUNCTION on schema dg_database_name.dg_schema_name to role role_name; -- creation of dg tables and masking functions
grant usage on database database_name to role role_name; -- access to the database on which masking needs to be performed
grant usage on schema database_name.schema_name to role role_name; -- access to the schema for masking
grant select, update on all tables in schema database_name.schema_name to role role_name; -- to mask the tables
------
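After the Snowflake script has run, the grants it produced can be checked from the role's side rather than trusted. The statements below are an added example, not part of the DgSecure script; role_name, user_name, database_name and schema_name are the variables from the list above, and the filtering of the SHOW output through RESULT_SCAN is the idiomatic way to query it, since SHOW itself accepts no WHERE clause.

```sql
-- Added review of the role and user created by the Snowflake script (not part of the DgSecure script).
-- Run with the same role that executed the script (SECURITYADMIN or one holding MANAGE GRANTS).

-- 1. Everything the masker role holds. SHOW output is queried through RESULT_SCAN of the last query id,
--    so the list can be narrowed to the object types the script touches.
SHOW GRANTS TO ROLE role_name;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" IN ('WAREHOUSE', 'DATABASE', 'SCHEMA', 'TABLE')
ORDER BY "granted_on", "name", "privilege";

-- 2. The masker user should hold role_name and nothing else, and have it as default role.
SHOW GRANTS TO USER user_name;
SHOW USERS LIKE 'user_name';   -- the default_role column should read role_name

-- 3. Tables of the masked schema the role cannot update would show up here as missing rows
--    (compare against SHOW TABLES IN SCHEMA database_name.schema_name).
SHOW GRANTS ON SCHEMA database_name.schema_name;
```

Snowflake's "on all tables in schema" covers the tables that exist when the grant runs; a table created afterwards is not covered, and the script does not include a future grant (GRANT ... ON FUTURE TABLES IN SCHEMA ...), so re-running the last grant of the script, or adding a future grant, is needed when new tables appear in schema_name.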

2.3 SQL Server

i. Variables

Set the following variables before executing the script:

• @DB_NAMES_TO_MASK = 'Target_Database': specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, to mask the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.
• @DG_USER_TYPE = 'S': to authenticate with a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.
• @DG_USER = 'User_Name': the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will be created automatically.
• @DG_DB = 'DG': the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking are created in it automatically by this script. @DG_DB = 'DG' means that you connect to the DG database in the DgSecure Connection Manager.
• @DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': the collation of the database to which DgSecure will connect. It must be the same as the target database collation. The default is 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'; change it to the language your database uses, for instance @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.
• @DBFilePath = null: keep it null to use the default path for data files, or provide the path where the data files should be created, for instance 'd:\Database Files'.
• @DG_USER_PASS = null: if the password is null, the password of the newly created user will be the same as the user name.



ii. Script

------
-- Declarations for the variables the excerpt uses (see i. Variables); set them before the script runs
DECLARE @DG_USER      sysname       = 'User_Name';
DECLARE @DG_USER_TYPE char(1)       = 'S';
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql          nvarchar(max);
DECLARE @ErrorMessage nvarchar(4000), @ErrorSeverity int, @ErrorState int;

if UPPER(@DG_USER_TYPE) = 'W'
Begin
    Print 'Creating DG User With WINDOWS_LOGIN'
    IF NOT EXISTS (select name from sys.server_principals where upper(name) = upper(@DG_USER))
    Begin
        BEGIN TRY
            Set @sql = 'CREATE LOGIN ['+@DG_USER+'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]'
            EXECUTE (@sql)
            print ' Windows User '+@DG_USER+ ' created'
        END TRY
        BEGIN CATCH
            print ' Windows User '+@DG_USER+ ' could not be created';
            SELECT @ErrorMessage  = ERROR_MESSAGE(),
                   @ErrorSeverity = ERROR_SEVERITY(),
                   @ErrorState    = ERROR_STATE();
            RAISERROR (@ErrorMessage,  -- Message text.
                       @ErrorSeverity, -- Severity.
                       @ErrorState     -- State.
                      );
        END CATCH
    End
    else
    Begin
        print ' Windows User '+@DG_USER+ ' already exists'
    End
End
Else
Begin
    Print 'Creating DG User With SQL_LOGIN'
    IF NOT EXISTS (select name from sys.sql_logins where upper(name) = upper(@DG_USER))
    Begin
        BEGIN TRY
            Set @sql = 'CREATE LOGIN ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'
            EXECUTE (@sql)
            print ' SQL User '+@DG_USER+ ' created'
        END TRY
        BEGIN CATCH
            print ' SQL User '+@DG_USER+ ' could not be created';
            SELECT @ErrorMessage  = ERROR_MESSAGE(),
                   @ErrorSeverity = ERROR_SEVERITY(),
                   @ErrorState    = ERROR_STATE();
            RAISERROR (@ErrorMessage,  -- Message text.
                       @ErrorSeverity, -- Severity.
                       @ErrorState     -- State.
                      );
        END CATCH
    End
    else
    Begin
        print ' SQL User '+@DG_USER+ ' already exists'
    End
End
------
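The SQL login branch above creates the login with CHECK_POLICY=OFF and CHECK_EXPIRATION=OFF, and with @DG_USER_PASS left null the password is the user name itself. The T-SQL below is an added example, not part of the DgSecure script: it shows how to confirm that state from sys.sql_logins after the script has run, and how to set a password and put the policy back on the login. @DG_USER follows the variables list; the password value is a placeholder, and the statements need ALTER ANY LOGIN permission. The same check applies to the SQL Server script repeated in 2.5.3.

```sql
-- Added review of the login created by the script above (not part of the DgSecure script).
DECLARE @DG_USER sysname = N'Masker';   -- the value used for @DG_USER when the script ran

-- 1. The script disables the server password policy for this login; confirm what was created.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled, create_date
FROM sys.sql_logins
WHERE name = @DG_USER;

-- 2. With @DG_USER_PASS null the password equals the user name.
--    PWDCOMPARE returns 1 while that is still the case, 0 once it has been changed.
SELECT name, PWDCOMPARE(name, password_hash) AS password_equals_name
FROM sys.sql_logins
WHERE name = @DG_USER;

-- 3. Set a password of your own and re-enable the policy (replace the placeholder before running).
--    QUOTENAME with the single-quote delimiter escapes the value for the dynamic statement.
DECLARE @NewPassword nvarchar(128) = N'<new strong password>';
DECLARE @sql nvarchar(max) =
    N'ALTER LOGIN ' + QUOTENAME(@DG_USER)
  + N' WITH PASSWORD = ' + QUOTENAME(@NewPassword, '''')
  + N', CHECK_POLICY = ON;';
EXECUTE (@sql);

-- 4. The masker login needs no fixed server role; a 1 here means sysadmin membership.
SELECT IS_SRVROLEMEMBER('sysadmin', @DG_USER) AS is_sysadmin;
```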


2.4 Azure

i. Variables

Set the following variables before executing the script:

• @DB_NAMES_TO_MASK = 'Target_Database': specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, to mask the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.
• @DG_USER_TYPE = 'S': to authenticate with a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.
• @DG_USER = 'User_Name': the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will be created automatically.
• @DG_DB = 'DG': the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking are created in it automatically by this script. @DG_DB = 'DG' means that you connect to the DG database in the DgSecure Connection Manager.
• @DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': the collation of the database to which DgSecure will connect. It must be the same as the target database collation. The default is 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'; change it to the language your database uses, for instance @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.
• @DBFilePath = null: keep it null to use the default path for data files, or provide the path where the data files should be created, for instance 'd:\Database Files'.
• @DG_USER_PASS = null: if the password is null, the password of the newly created user will be the same as the user name.

ii. Script

------
-- Declarations for the variables the excerpt uses (see i. Variables); set them before the script runs
DECLARE @DG_USER      sysname       = 'User_Name';
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql          nvarchar(max);

Print 'Creating DG User With SQL_LOGIN'
Begin
    Set @sql = 'CREATE USER ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''''
    EXECUTE (@sql)
    Set @sql = 'ALTER ROLE db_owner ADD MEMBER ['+@DG_USER+']'
    EXECUTE (@sql)
    print ' SQL User '+@DG_USER+ ' created'
End
------
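The Azure script creates a contained database user and adds it to db_owner, which carries every permission in that database. The queries below are an added example, not part of the DgSecure script: they list the database roles the user holds and evaluate its effective permissions by impersonating it, so the scope of what the masker can do is visible rather than implied. @DG_USER follows the variables list; the statements are run in the target database and the impersonation step needs IMPERSONATE on that user. The same review applies to the Azure variant repeated in 2.5.3.

```sql
-- Added review of the contained user created by the Azure script (not part of the DgSecure script).
DECLARE @DG_USER sysname = N'Masker';   -- the value used for @DG_USER when the script ran

-- 1. Database roles held by the user; db_owner is what the script adds.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @DG_USER;

-- 2. What that amounts to in effective permissions, evaluated as the masker user.
--    REVERT restores the caller's own security context afterwards.
EXECUTE AS USER = @DG_USER;
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;

-- 3. Contained users do not appear in sys.sql_logins; their properties live in sys.database_principals.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE name = @DG_USER;
```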


2.5 RDS

Following are the scripts for the different RDS databases supported by DgSecure.

2.5.1 MySQL

i. Variables

Set the following variables before executing the script:

• user_name: masker user to be created.
• db_name: name of the database where the DG metadata will be saved.
• target_db_name: database where the masked data will be stored.

ii. Script

------
CREATE USER 'user_name'@'localhost' IDENTIFIED BY 'user_name';

-- For SSL, uncomment the line below
-- GRANT USAGE ON *.* TO 'ssluser'@'localhost' identified by 'root' REQUIRE SSL;

-- 1. db_name: name of the database where the DG metadata will be saved
GRANT ALTER ON db_name.* TO 'user_name'@'localhost';
GRANT ALTER ROUTINE ON db_name.* TO 'user_name'@'localhost';
GRANT CREATE ROUTINE ON db_name.* TO 'user_name'@'localhost';
GRANT CREATE ON db_name.* TO 'user_name'@'localhost';
GRANT CREATE TEMPORARY TABLES ON db_name.* TO 'user_name'@'localhost';
GRANT DELETE ON db_name.* TO 'user_name'@'localhost';
GRANT DROP ON db_name.* TO 'user_name'@'localhost';
GRANT EXECUTE ON db_name.* TO 'user_name'@'localhost';
GRANT INDEX ON db_name.* TO 'user_name'@'localhost';
GRANT INSERT ON db_name.* TO 'user_name'@'localhost';
GRANT UPDATE ON db_name.* TO 'user_name'@'localhost';
GRANT LOCK TABLES ON db_name.* TO 'user_name'@'localhost';
GRANT SELECT ON db_name.* TO 'user_name'@'localhost';
GRANT SHOW VIEW ON db_name.* TO 'user_name'@'localhost';
GRANT SHOW DATABASES ON db_name.* TO 'user_name'@'localhost';
GRANT TRIGGER ON db_name.* TO 'user_name'@'localhost';

-- 2. target_db_name: name of the target database
GRANT CREATE ON target_db_name.* TO 'user_name'@'localhost';
GRANT UPDATE ON target_db_name.* TO 'user_name'@'localhost';
GRANT INSERT ON target_db_name.* TO 'user_name'@'localhost';
GRANT SELECT ON target_db_name.* TO 'user_name'@'localhost';
GRANT TRIGGER ON target_db_name.* TO 'user_name'@'localhost';
GRANT INDEX ON target_db_name.* TO 'user_name'@'localhost';
GRANT LOCK TABLES ON target_db_name.* TO 'user_name'@'localhost';

-- Uncomment if all databases need to be viewed on the "create masker task" screen; masking on a DB will
-- succeed only if the grants (as in #2 above) on that particular DB are given
--GRANT SHOW DATABASES ON *.* TO 'user_name'@'localhost';
------
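Once the MySQL script has run, the account's scope can be read back from the grant tables instead of from memory. The queries below are an added example, not part of the DgSecure script; user_name, db_name and target_db_name are the variables from the list above. They also make the host part of the account visible: the script creates 'user_name'@'localhost', and the host part has to match the address the Masker agent actually connects from, so this is the first thing to confirm on RDS.

```sql
-- Added audit of the masker account created by the MySQL script (not part of the DgSecure script).
-- Run with an account that can read mysql.user and information_schema (the RDS master user, for instance).

-- 1. The account and its host part. The Masker agent connects over the network, so the host part
--    recorded here must match where the agent connects from.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'user_name';

-- 2. Database-level privileges as MySQL records them. The grantee is stored with its quotes, as 'user'@'host'.
--    Expect db_name with the full list from block 1 of the script and target_db_name with the shorter list from block 2.
SELECT table_schema,
       GROUP_CONCAT(privilege_type ORDER BY privilege_type SEPARATOR ', ') AS privileges
FROM information_schema.schema_privileges
WHERE grantee = "'user_name'@'localhost'"
GROUP BY table_schema
ORDER BY table_schema;

-- 3. Global (*.*) privileges beyond USAGE should come back empty: the only global grant the script
--    mentions is the commented-out SHOW DATABASES line.
SELECT privilege_type
FROM information_schema.user_privileges
WHERE grantee = "'user_name'@'localhost'"
  AND privilege_type <> 'USAGE';

-- 4. The same information in the form MySQL prints it.
SHOW GRANTS FOR 'user_name'@'localhost';
```

Query 2 is the one to re-run after a new target database is added: a database missing from its output is one on which masking will fail, as the comment at the end of the script says.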

2.5.2 PostgreSQL

i. Prerequisites

Connect to the database on which masking has to be performed, using an existing user or an admin user, to execute the grant script.

ii. Variables

Set the following variables before executing the script:

• user_schema: comma separated values of all the schemas to be masked.
• test_user: Postgres user name to be used for masking.
• user_db_name: name of the database to be masked.

NOTE: The information_schema and pg_catalog schemas are required for masking. Do not exclude them from the schema list.

iii. Script

------
CREATE USER test_user WITH PASSWORD '12345678'; -- Execute if the user has not been created
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, TRIGGER ON ALL TABLES IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT CREATE, CONNECT, TEMPORARY, TEMP ON DATABASE user_db_name TO test_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT CREATE, USAGE ON SCHEMA information_schema, pg_catalog, user_schema TO test_user;
GRANT postgres TO test_user;
CREATE EXTENSION pgcrypto;
------
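Both the Redshift script in 2.1 and the PostgreSQL script above grant ON ALL TABLES IN SCHEMA, which applies to the tables that exist when the statement runs and to nothing created later. The queries below are an added example, not part of the DgSecure scripts, serving both sections: they verify the database, schema and table privileges the masker user ended up with, one table at a time, and show how to cover tables created later. Names follow the PostgreSQL variables list (test_user, user_schema, user_db_name); for Redshift substitute user_name and sch1 from 2.1. The schema list in the IN clause and the table-owning role are assumptions to adapt.

```sql
-- Added verification queries for the PostgreSQL (2.5.2) and Redshift (2.1) grant scripts (not part of the DgSecure scripts).
-- Run as an administrator after the grant script; the catalog functions used exist in both engines.

-- 1. Database- and schema-level rights the script is supposed to give (TEMP and USAGE/CREATE are accepted by both engines).
SELECT has_database_privilege('test_user', 'user_db_name', 'TEMP')   AS can_create_temp,
       has_schema_privilege('test_user', 'user_schema', 'USAGE')     AS schema_usage,
       has_schema_privilege('test_user', 'user_schema', 'CREATE')    AS schema_create;

-- 2. Table-by-table view. A table created after the grant script ran shows false here, because
--    ON ALL TABLES IN SCHEMA covered only the tables that existed at that moment.
SELECT t.schemaname,
       t.tablename,
       has_table_privilege('test_user', quote_ident(t.schemaname) || '.' || quote_ident(t.tablename), 'SELECT') AS can_select,
       has_table_privilege('test_user', quote_ident(t.schemaname) || '.' || quote_ident(t.tablename), 'UPDATE') AS can_update
FROM pg_tables AS t
WHERE t.schemaname IN ('user_schema')   -- list every schema named in user_schema
ORDER BY t.schemaname, t.tablename;

-- 3. Superuser status of the masker account. In Redshift the CREATEUSER option used by the 2.1 script
--    makes the account a superuser (usesuper = true); in PostgreSQL the script grants membership in postgres instead.
SELECT usename, usesuper, usecreatedb
FROM pg_user
WHERE usename = 'test_user';

-- 4. Cover tables created later as well, one schema per statement. Default privileges apply only to objects
--    created by the role that runs this (PostgreSQL: add FOR ROLE <owner>; Redshift: FOR USER <owner>; placeholders).
ALTER DEFAULT PRIVILEGES IN SCHEMA user_schema
    GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON TABLES TO test_user;
```

Query 2 is worth scheduling: a false in can_update on a table that DgSecure is configured to mask is the usual reason a masking task fails after a schema change, and statement 4 removes that class of failure for tables created by the named owner.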

2.5.3 AWS

i. Variables

Set the following variables before executing the script:

• @DB_NAMES_TO_MASK = 'Target_Database': specify all the databases on which masking has to be performed, comma separated. Masking will only be performed on these databases. For instance, to mask the databases SQL_CUSTS and SQL_FIN, set @DB_NAMES_TO_MASK = 'SQL_CUSTS, SQL_FIN'.
• @DG_USER_TYPE = 'S': to authenticate with a SQL Server login, set this property to 'S'. To authenticate using Windows or Windows Impersonation, set this property to 'W'.
• @DG_USER = 'User_Name': the name of the user with which you will log in to run the masking tasks on DgSecure. If no such user exists, enter a user name, for instance @DG_USER = 'Masker'; a new user 'Masker' will be created automatically.
• @DG_DB = 'DG': the database to which DgSecure's masker will connect ('Target_Name'). All the tables required for masking are created in it automatically by this script. @DG_DB = 'DG' means that you connect to the DG database in the DgSecure Connection Manager.
• @DG_Collation = 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI': the collation of the database to which DgSecure will connect. It must be the same as the target database collation. The default is 'SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AI'; change it to the language your database uses, for instance @DG_Collation = 'Modern_Spanish_100_CI_AS' for Spanish.
• @DBFilePath = null: keep it null to use the default path for data files, or provide the path where the data files should be created, for instance 'd:\Database Files'.
• @DG_USER_PASS = null: if the password is null, the password of the newly created user will be the same as the user name.


ii. Script

------
-- Declarations for the variables the excerpt uses (see i. Variables); set them before the script runs
DECLARE @DG_USER      sysname       = 'User_Name';
DECLARE @DG_USER_TYPE char(1)       = 'S';
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql          nvarchar(max);

if UPPER(@DG_USER_TYPE) = 'W'
Begin
    Print 'Creating DG User With WINDOWS_LOGIN'
    IF NOT EXISTS (select name from sys.server_principals where upper(name) = upper(@DG_USER))
    Begin
        Set @sql = 'CREATE LOGIN ['+@DG_USER+'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]'
        EXECUTE (@sql)
        print ' Windows User '+@DG_USER+ ' created'
    End
    else
    Begin
        print ' Windows User '+@DG_USER+ ' already exists'
    End
End
Else
Begin
    Print 'Creating DG User With SQL_LOGIN'
    IF NOT EXISTS (select name from sys.sql_logins where upper(name) = upper(@DG_USER))
    Begin
        Set @sql = 'CREATE LOGIN ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'
        EXECUTE (@sql)
        print ' SQL User '+@DG_USER+ ' created'
    End
    else
    Begin
        print ' SQL User '+@DG_USER+ ' already exists'
    End
End
------

• SQL for Azure

------
-- Declarations for the variables the excerpt uses (see i. Variables); set them before the script runs
DECLARE @DG_USER      sysname       = 'User_Name';
DECLARE @DG_USER_PASS nvarchar(128) = null;
DECLARE @sql          nvarchar(max);

Print 'Creating DG User With SQL_LOGIN'
Begin
    Set @sql = 'CREATE USER ['+@DG_USER+'] WITH PASSWORD=N''' + (case when @DG_USER_PASS is null then @DG_USER else @DG_USER_PASS end) + ''''
    EXECUTE (@sql)
    Set @sql = 'ALTER ROLE db_owner ADD MEMBER ['+@DG_USER+']'
    EXECUTE (@sql)
    print ' SQL User '+@DG_USER+ ' created'
End

------

2.5.4 Oracle

i. Prerequisites

There are two scripts to perform the masking configuration: the create_user script and the create_user_individual_grants script.

1. create_user: this script provides the complete privileges to mask all the tables. Before running this script, ensure that:
   • The user running the script is either a system user or has the appropriate permissions to provide grants.
   • The tablespaces match your setup. Defaults have been used for testing.
2. create_user_individual_grants: this script provides the permissions to mask the specified tables. Before running the script, ensure that:
   • A masking user exists. If the user does not exist, use the create_user script to create the user.

ii. Variables

Set the following variables before running the script:

• CREATE USER &&USER_NAME: provide the user name.
• IDENTIFIED BY &&PASS_WORD: provide the password.
• DEFAULT TABLESPACE &&DEFAULT_TABLESPACE: you can change the tablespace settings to match your setup.
• TEMPORARY TABLESPACE &&TEMPORARY_TABLESPACE: you can change the tablespace settings to match your setup.

NOTE: To execute masking on Oracle, certain grants are required for all trigger, index and table objects (this is achieved using the "ANY" keyword in the create_user script).

iii. Script

The Oracle masking script includes the grants required for the Oracle user that will perform the masking task. You can change the password after running the script. There are two scripts to perform the masking configuration: the create_user script and the create_user_individual_grants script.

• create_user: the create user script grants permissions to all the tables.

------
-- This is a sample script of the set up needed for the Oracle user needed to run the DG_Masker code.
-- Create a basic user; if the user already exists, skip this step.
-- Change the tablespaces to match your setup, we used the defaults for testing.
-- Reset the password accordingly after running this.
-- &&DEFAULT_TABLESPACE -- USERS
-- &&TEMPORARY_TABLESPACE -- TEMP
CREATE USER &&USER_NAME
IDENTIFIED BY &&PASS_WORD
DEFAULT TABLESPACE &&DEFAULT_TABLESPACE
TEMPORARY TABLESPACE &&TEMPORARY_TABLESPACE
PROFILE DEFAULT ACCOUNT UNLOCK;

GRANT EXECUTE ON DBMS_LOCK TO &&USER_NAME;
GRANT CREATE JOB TO &&USER_NAME; -- we need this to run the job schedule
GRANT CONNECT TO &&USER_NAME; -- basic access needed to function
GRANT RESOURCE TO &&USER_NAME; -- basic access needed to function
GRANT CREATE PROCEDURE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE SEQUENCE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE SESSION TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE SYNONYM TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE TABLE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE TRIGGER TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE TYPE TO &&USER_NAME; -- access to program for creating objects
GRANT CREATE VIEW TO &&USER_NAME; -- access to program for creating objects
GRANT SELECT ANY DICTIONARY TO &&USER_NAME; -- access to sys objects for table references
-- The permission below (ALTER SYSTEM) grants the user the privilege to kill a query/session and is not required for Cloud databases.
-- It can be left out if the user does not want to kill the query through 'CANCEL' on the task screen.
GRANT ALTER SYSTEM TO &&USER_NAME;
--GRANT SELECT ANY TRANSACTION TO &&USER_NAME;
-- for hashing which we use for CUPS
GRANT EXECUTE ON DBMS_CRYPTO TO &&USER_NAME; -- check grants
GRANT EXECUTE ON DBMS_METADATA TO &&USER_NAME;
GRANT SELECT_CATALOG_ROLE TO &&USER_NAME;
--GRANT EXECUTE_CATALOG_ROLE TO &&USER_NAME;
-- THERE IS NO WAY TO REMOVE ANY FROM THE FOLLOWING GRANTS
--GRANT LOCK ANY TABLE TO &&USER_NAME; -- needed to lock the tables under masking
GRANT ALTER ANY TRIGGER TO &&USER_NAME; -- needed if the user wishes to apply masking on columns having triggers
GRANT ALTER ANY INDEX TO &&USER_NAME; -- needed if the user wishes to apply masking on columns having indexes
-- Some indexes will block processing on primary keys even if disabled, so they have to be dropped and recreated.
GRANT DROP ANY INDEX TO &&USER_NAME;
GRANT CREATE ANY INDEX TO &&USER_NAME;
-- We need the grants below to create and insert data in the DG_WATERMARK table in every schema on which masking is applied.
GRANT INSERT ANY TABLE TO &&USER_NAME;
GRANT CREATE ANY TABLE TO &&USER_NAME;
GRANT SELECT ANY TABLE TO &&USER_NAME;
-- We need the following permissions if the user wants to execute a task using the multithreading option
GRANT CREATE JOB TO &&USER_NAME;
GRANT SCHEDULER_ADMIN TO &&USER_NAME;
GRANT MANAGE SCHEDULER TO &&USER_NAME;
GRANT ADM_PARALLEL_EXECUTE_TASK TO &&USER_NAME;
------

• create_user_individual_grants: this script creates a procedure, GRANT_TABLE_RIGHTS. Use it to grant update, create and alter rights on specific tables in the databases instead of on 'ANY' table.

------
CREATE OR REPLACE PROCEDURE GRANT_TABLE_RIGHTS (USER_NAME VARCHAR2, DB_TO_MASK1 VARCHAR2) AS
    cmd  varchar2(2000);
    cmd2 varchar2(2000);
    -- the masking user (all_users stores names in upper case)
    Cursor c_users is select username from all_users where username in (UPPER(USER_NAME));
    -- every table owned by one of the schemas in the comma separated list DB_TO_MASK1;
    -- TRIM removes the blanks that follow the commas in a list such as 'schema1, schema2'
    cursor c1 is select table_name, owner from all_tables where OWNER in (
        select TRIM(regexp_substr(UPPER(DB_TO_MASK1), '[^,]+', 1, level)) from dual
        connect by regexp_substr(UPPER(DB_TO_MASK1), '[^,]+', 1, level) is not null );
BEGIN
    for c in c1 loop
        for u in c_users loop
            cmd := 'GRANT SELECT,ALTER, UPDATE ON '|| c.owner ||'.'||c.table_name|| ' TO ' || u.username;
            execute immediate cmd;
        end loop;
    end loop;
END;
/
------

After executing the script execute the following command to call the procedure:

call GRANT_TABLE_RIGHTS('user_name', 'schema1, schema2, schema3');
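The difference between the two Oracle scripts is whether the masking user holds system privileges containing ANY, which reach every schema in the database, or only object privileges on the tables that GRANT_TABLE_RIGHTS named. The queries below are an added example, not part of the DgSecure scripts, for reading that back from the data dictionary after either script has run. MASKER stands for the value given to &&USER_NAME (Oracle stores it in upper case), and the queries assume a session that can read the DBA_ views.

```sql
-- Added audit of the Oracle masking user (not part of the DgSecure scripts).
-- MASKER is a placeholder for the upper-cased value of &&USER_NAME.

-- 1. System privileges containing ANY: create_user grants several because they cannot be scoped to a schema
--    (the "THERE IS NO WAY TO REMOVE ANY" comment). After create_user_individual_grants alone this returns no rows.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'MASKER'
AND    privilege LIKE '%ANY%'
ORDER  BY privilege;

-- 2. Roles held; the scripts grant CONNECT, RESOURCE, SELECT_CATALOG_ROLE and SCHEDULER_ADMIN.
SELECT granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'MASKER'
ORDER  BY granted_role;

-- 3. Object privileges written by GRANT_TABLE_RIGHTS, summarised per schema and privilege.
--    Only the schemas passed to the procedure should appear, each with SELECT, ALTER and UPDATE.
SELECT owner, privilege, COUNT(*) AS table_count
FROM   dba_tab_privs
WHERE  grantee = 'MASKER'
AND    type    = 'TABLE'
GROUP  BY owner, privilege
ORDER  BY owner, privilege;
```

Query 3 is also the way to spot a schema that was passed to GRANT_TABLE_RIGHTS but received nothing, which happens when the name in the list does not match ALL_TABLES.OWNER exactly (case is handled by UPPER in the procedure; a misspelt schema is not).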


2.5.5 Aurora DB

Please refer to the masking scripts for MySQL (2.5.1).

2.5.6 Maria DB

Please refer to the masking scripts for MySQL (2.5.1).
