Row and Column Access Control (Column Masking)

The document discusses Row and Column Access Control, specifically focusing on column masking to protect sensitive data in databases. It outlines a two-phase process for implementing column access control, including assessing security policies and creating column masks. Examples illustrate how different users can access masked or unmasked data based on their roles, demonstrating the ease of setup and effectiveness of the masking process.

Uploaded by Kaushik Majumder
Why Mask?
Having worked in the financial and insurance industries, security is something I have always scrutinized. I was intrigued
by a 2013 IDUG Tech Conference presentation on “Data Masking” by the DB2 Locksmith, Rebecca Bond. Essentially a
data mask is nothing more than displaying a value based on a rule for a specific column. My involvement on the DB2
Night Show and “DB2’s Got Talent” finally gave me the excuse to do more research, install v10.1 FP3 on a test box, and
see how involved row and column access control really is. Row access control is specifically geared for the government
and a level of security needed for top secret projects. However, column access control was designed to protect sensitive
information from table owners or even the database administrator. For my experiment, I narrowed my scope to column
access control. I wanted to see how complex it was to set up and exactly what the masking looked like. I wanted to see if
I could hide specific data from an employee but show everything to someone like a manager. Ultimately, it was easy to
set up and done in only two phases. Before starting, I concocted a table that I wanted to protect. Let’s just say for this
example, it is an offshore account for some shady people you may know in the DB2 world.

Phase I – Assess Security Policy


Assess your security policy and grant only the privileges a user needs to get their work done. Then create a role
around that security policy, so that the mask can test role membership rather than individual user IDs.

For example: [role and grant statements shown as an image in the original]

Phase II – Create Column Mask and Activate


Creating the mask itself is a short statement; decide in advance what a masked value should look like, because the
RETURN clause has to be a CASE expression whose result has the column's data type. Then activate access control on the
table: a mask does nothing until column access control is activated for its table. Both statements require SECADM
authority. Syntax:

CREATE [OR REPLACE] MASK mask-name ON table-name
    FOR COLUMN column-name
    RETURN case-expression
    ENABLE | DISABLE

ALTER TABLE table-name ACTIVATE COLUMN ACCESS CONTROL

Internal
Example: [mask definition shown as an image in the original]

There are two take-aways from my example. First, the RETURN clause is a CASE expression, and that CASE is what decides
the value returned for the column. Second, VERIFY_GROUP_FOR_USER is a new v10.1 function that comes in handy when
masking. Check out these new functions for masking:

- VERIFY_ROLE_FOR_USER: Is the USER a member of a ROLE? (True 1 | False 0)
- VERIFY_GROUP_FOR_USER: Is the USER a member of a GROUP? (True 1 | False 0)
- VERIFY_TRUSTED_CONTEXT_ROLE_FOR_USER: Does the USER hold a specific role through a trusted context? (True 1 | False 0)
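Here is the whole procedure, Phase I and Phase II together with the checks to run afterwards, as an added example in Db2 LUW SQL; it is not code from the original article. The table, role and user names (OFFSHORE_ACCOUNT, CSR_ROLE, MGR_ROLE, SVC_ALICE, SVC_BOB) and the sample rows are constructed for this example and are assumptions; SYSCAT.TABLES and SYSCAT.CONTROLS are the real catalog views.

```sql
-- Added example (not from the original article). All object names and rows
-- below are constructed for illustration.
-- Run as a user holding SECADM: CREATE MASK and ACTIVATE COLUMN ACCESS
-- CONTROL both require it.

-- The table to protect (constructed sample data).
CREATE TABLE OFFSHORE_ACCOUNT (
    ACCT_ID     INTEGER       NOT NULL PRIMARY KEY,
    HOLDER_NAME VARCHAR(60)   NOT NULL,
    SSN         VARCHAR(11)   NOT NULL,   -- 'NNN-NN-NNNN'
    ACCT_NO     VARCHAR(16)   NOT NULL,
    BALANCE     DECIMAL(15,2) NOT NULL
);
INSERT INTO OFFSHORE_ACCOUNT VALUES
    (1, 'A. Shady', '123-45-6789', '4111222233334444', 1250000.00),
    (2, 'B. Dodgy', '987-65-4321', '5555666677778888',   98000.50);

-- Phase I: least privilege through roles. Only SELECT is granted, and only
-- to roles; no user gets a direct grant on the table.
CREATE ROLE CSR_ROLE;
CREATE ROLE MGR_ROLE;
GRANT SELECT ON OFFSHORE_ACCOUNT TO ROLE CSR_ROLE;
GRANT SELECT ON OFFSHORE_ACCOUNT TO ROLE MGR_ROLE;
GRANT ROLE CSR_ROLE TO USER SVC_ALICE;   -- a customer service rep
GRANT ROLE MGR_ROLE TO USER SVC_BOB;     -- a manager

-- Phase II: one mask per sensitive column. The RETURN clause must be a CASE
-- expression; its result is cast to the column's type. The ELSE branch is
-- what anyone who matches no WHEN receives, so it carries the most-masked
-- value and a mistyped role name fails closed.
CREATE OR REPLACE MASK SSN_MASK ON OFFSHORE_ACCOUNT
    FOR COLUMN SSN RETURN
        CASE
            WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'MGR_ROLE') = 1
                THEN SSN
            ELSE CAST('XXX-XX-' || SUBSTR(SSN, 8, 4) AS VARCHAR(11))
        END
    ENABLE;

CREATE OR REPLACE MASK ACCT_NO_MASK ON OFFSHORE_ACCOUNT
    FOR COLUMN ACCT_NO RETURN
        CASE
            WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'MGR_ROLE') = 1
                THEN ACCT_NO
            ELSE CAST(REPEAT('*', 12) || SUBSTR(ACCT_NO, 13, 4) AS VARCHAR(16))
        END
    ENABLE;

-- Nothing is enforced until access control is activated on the table.
-- Activation invalidates packages that reference the table, so expect
-- rebinds on a busy system.
ALTER TABLE OFFSHORE_ACCOUNT ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

-- Check 1: is the table actually under column access control?
-- CONTROL is 'C' (column), 'R' (row), 'B' (both) or blank (none).
SELECT TABSCHEMA, TABNAME, CONTROL
  FROM SYSCAT.TABLES
 WHERE TABNAME = 'OFFSHORE_ACCOUNT';

-- Check 2: which masks exist on it, are they enabled, and are they valid?
SELECT CONTROLNAME, COLNAME, ENABLE, VALID, RULETEXT
  FROM SYSCAT.CONTROLS
 WHERE TABNAME = 'OFFSHORE_ACCOUNT'
   AND CONTROLTYPE = 'C';

-- Check 3: the same query, run once connected as SVC_ALICE and once as
-- SVC_BOB, is the real test of the policy.
SELECT ACCT_ID, HOLDER_NAME, SSN, ACCT_NO
  FROM OFFSHORE_ACCOUNT
 ORDER BY ACCT_ID;
```

Connected as SVC_ALICE the last query should return the masked SSN and account number; connected as SVC_BOB it should return the full values. VERIFY_ROLE_FOR_USER counts roles granted to the user directly or through a group; a role that is available only through a trusted context is not counted, which is what VERIFY_TRUSTED_CONTEXT_ROLE_FOR_USER is for.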

Masked Data
In the end, I was able to easily display data on an as-needed basis based on job role. Managers, for example, could see all
sensitive data such as accounts and social security numbers while customer service representatives could not. Total time
to set up was about 10 minutes.

Employee view (masked data): [screenshot in the original]

Manager view (unmasked data): [screenshot in the original]

Example 1

After column access control is activated for table EMPLOYEE, Paul from the payroll department can see the social security
number of the employee whose employee number is 123456. Mary, who is a manager, can see only the last four characters
of the social security number. Peter, who is neither, cannot see the social security number at all.

CREATE MASK SSN_MASK ON EMPLOYEE
    FOR COLUMN SSN RETURN
        CASE
            WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1)
                THEN SSN
            WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1)
                THEN 'XXX-XX-' || SUBSTR(SSN,8,4)
            ELSE NULL
        END
    ENABLE;
COMMIT;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

SELECT SSN FROM EMPLOYEE WHERE EMPNO = 123456;

Example 2

Here the SELECT statement embeds column SSN in an expression that is identical to the expression used in column mask
SSN_MASK. After column access control is activated for table EMPLOYEE, SSN_MASK is applied to column SSN in the SELECT
statement; for this particular expression, the SELECT statement produces the same result for all users as it did before
activation. The user can replace the expression in the SELECT statement with just column SSN so that the same expression
is not evaluated twice.

CREATE MASK SSN_MASK ON EMPLOYEE
    FOR COLUMN SSN RETURN
        CASE
            WHEN (1 = 1)
                THEN 'XXX-XX-' || SUBSTR(SSN,8,4)
            ELSE NULL
        END
    ENABLE;
COMMIT;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

SELECT 'XXX-XX-' || SUBSTR(SSN,8,4) FROM EMPLOYEE WHERE EMPNO = 123456;

Example 3

A state government conducted a survey of library usage by the households in each city. Fifty households in each city
were sampled in the survey. Each household was given an option, opt-in or opt-out, to decide whether its usage may appear
in any reports generated from the survey results.

A SELECT statement is used to generate a report showing the average hours used by households in each city. Column mask
CITY_MASK is created to mask the city name based on the opt-in or opt-out choice of the sampled households. However,
after column access control is activated for table LIBRARY_USAGE, the SELECT statement receives a bind-time error.
This is because column mask CITY_MASK references another column, LIBRARY_OPT, and LIBRARY_OPT is not a grouping
column of the query.

CREATE MASK CITY_MASK ON LIBRARY_USAGE
    FOR COLUMN CITY RETURN
        CASE
            WHEN (LIBRARY_OPT = 'OPT-IN')
                THEN CITY
            ELSE ' '
        END
    ENABLE;
COMMIT;

ALTER TABLE LIBRARY_USAGE ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

SELECT CITY, AVG(LIBRARY_TIME) FROM LIBRARY_USAGE GROUP BY CITY;
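The failing query next to the one change that lets it bind, as an added example that is not part of the original page. The table and column names are the ones Example 3 uses; the column types and the sample rows are constructed for this example and are assumptions.

```sql
-- Added example (not from the original page). Column types and rows are
-- constructed; only the table, column and mask names come from Example 3.
CREATE TABLE LIBRARY_USAGE (
    CITY         VARCHAR(30)  NOT NULL,
    LIBRARY_OPT  VARCHAR(7)   NOT NULL,   -- 'OPT-IN' or 'OPT-OUT'
    LIBRARY_TIME DECIMAL(5,1) NOT NULL    -- hours per week
);
INSERT INTO LIBRARY_USAGE VALUES
    ('Albany',  'OPT-IN',  3.5),
    ('Albany',  'OPT-OUT', 1.0),
    ('Buffalo', 'OPT-IN',  2.0),
    ('Buffalo', 'OPT-IN',  4.0);

-- Same mask as Example 3: CITY is blanked for households that opted out.
CREATE MASK CITY_MASK ON LIBRARY_USAGE
    FOR COLUMN CITY RETURN
        CASE WHEN (LIBRARY_OPT = 'OPT-IN') THEN CITY ELSE ' ' END
    ENABLE;
ALTER TABLE LIBRARY_USAGE ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

-- Fails at bind time: CITY is a grouping column, but its mask also reads
-- LIBRARY_OPT, which is not one, so there is no single LIBRARY_OPT value
-- per output row for the mask to evaluate.
SELECT CITY, AVG(LIBRARY_TIME)
  FROM LIBRARY_USAGE
 GROUP BY CITY;

-- Binds: every column the mask reads is now a grouping column. The report
-- changes shape, one row per (city, opt choice), and the opt-out rows come
-- back with a blank CITY, so usage is no longer tied to a city for
-- households that opted out.
SELECT CITY, LIBRARY_OPT, AVG(LIBRARY_TIME) AS AVG_HOURS
  FROM LIBRARY_USAGE
 GROUP BY CITY, LIBRARY_OPT;
```

The general rule this illustrates: when a masked column is a grouping column, every column its mask definition references has to be a grouping column too, because the mask is evaluated on the grouped result rows.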

Example 4

The employee with EMPNO 123456 earns a bonus of $8000 and a salary of $80000 in May. When the manager retrieves this
employee's salary, the manager receives the salary, not NULL. This is because masks do not cascade: when column mask
SALARY_MASK references column BONUS, it sees the unmasked BONUS value even though column mask BONUS_MASK is defined
on BONUS and would mask it in a result set. Note the consequence: a mask condition can leak information about the column
it references. Here anyone who can see a non-null SALARY learns that BONUS is below 10000, even though BONUS itself is
masked for them.

CREATE MASK SALARY_MASK ON EMPLOYEE
    FOR COLUMN SALARY RETURN
        CASE
            WHEN (BONUS < 10000)
                THEN SALARY
            ELSE NULL
        END
    ENABLE;
COMMIT;

CREATE MASK BONUS_MASK ON EMPLOYEE
    FOR COLUMN BONUS RETURN
        CASE
            WHEN (BONUS > 5000)
                THEN NULL
            ELSE BONUS
        END
    ENABLE;
COMMIT;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

SELECT SALARY FROM EMPLOYEE WHERE EMPNO = 123456;

Example 5

This example shows that Db2 adds "WHEN target-column IS NULL THEN NULL" as the first WHEN clause of the column mask
definition before merging the mask into the statement. SALARY is declared NOT NULL in the base table, but the LEFT JOIN
produces NULL-extended rows for departments with no employees; the added clause guarantees that a NULL in the target
column is always returned as NULL, whatever the mask's own ELSE branch would otherwise compute for it.

-- DEPT, with column DEPTNO, is assumed to exist; its definition is not shown.
CREATE TABLE EMPLOYEE (EMPID INT,
    DEPTID CHAR(8),
    SALARY DEC(9,2) NOT NULL,
    BONUS DEC(9,2));

CREATE MASK SALARY_MASK ON EMPLOYEE
    FOR COLUMN SALARY RETURN
        CASE
            WHEN SALARY < 10000
                THEN CAST(SALARY*2 AS DEC(9,2))
            ELSE COALESCE(CAST(SALARY/2 AS DEC(9,2)), BONUS)
        END
    ENABLE;
COMMIT;

CREATE MASK BONUS_MASK ON EMPLOYEE
    FOR COLUMN BONUS RETURN
        CASE
            WHEN BONUS > 1000
                THEN BONUS
            ELSE NULL
        END
    ENABLE;
COMMIT;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
COMMIT;

SELECT SALARY FROM DEPT
    LEFT JOIN EMPLOYEE ON DEPTNO = DEPTID;

/* When SALARY_MASK is merged into the above statement,
 * 'WHEN SALARY IS NULL THEN NULL' is added as the
 * first WHEN clause, as follows:
 */
SELECT CASE WHEN SALARY IS NULL THEN NULL
            WHEN SALARY < 10000 THEN CAST(SALARY*2 AS DEC(9,2))
            ELSE COALESCE(CAST(SALARY/2 AS DEC(9,2)), BONUS)
       END SALARY
  FROM DEPT
  LEFT JOIN EMPLOYEE ON DEPTNO = DEPTID;
