What is Conditional Masking? 

Conditional masking is part of the G-Migration+ functionality. When enabled, Conditional Masking can be used to apply one or more logical criteria or conditions that define the rules and format used when masking data values within a database column. Using G-Migration+ without enabling Conditional Masking (the default setting) does not require reading the actual values in the sensitive columns. With Conditional Masking enabled, the masking process reads the actual values in the sensitive columns to determine which masking rules to apply. Because this functionality requires reading the actual sensitive values, it must be enabled by a user with the "Org Admin" role permission for each G-Migration+ configuration.


Conditional masking provides increased flexibility over how sensitive data values are masked. The user can assign additional Generators to define masking conditions, which are applied to the actual data value before insertion into the target database. Here are some examples of how conditional masking can be used:

  • Replace a string value each time it appears. Example: "N/A" with "1234567"
  • Add a value to the beginning or end of the actual value. Example: Add the word "Test" at the beginning of each string. "Value" becomes "TestValue"
  • Replace NULL values with a constant value.
  • Mask all values except NULL values 
  • Mask an SSN so that it only shows the last 4 digits. Example: 100-00-0001 becomes ***-**-0001


GenRocket keeps track of the user who enabled Conditional Masking, the sensitive columns that were allowed to be read, and the user who selected them.  


Story

A user needs to perform data masking using G-Migration+ and must apply specific masking conditions to the actual data values within two sensitive columns in a department table. 

  • dept_name - add "-TEST" to end of name
  • dept_phone - for N/A values, use (123) 345-6789


Prerequisite Steps

This article assumes the following steps have already been completed by the user: 

  1. Create a new or select an existing Project and Project Version.
  2. Create the config.properties files for source and target databases.
  3. Create an XTS file and import it for the Project Version.
  4. Create a G-Migration+ Configuration.


Step 1 - Org Admin Enables Conditional Masking

Users who do not have the appropriate permissions will receive a message stating that an Org Admin must enable Conditional Masking.

  1. Access the G-Migration+ Dashboard.
  2. Click on the Eye icon to enable/disable Conditional Masking.



  3. Select Yes in the pop-up modal.



Step 2 - Select Tables for Masking

For this example, the 'department' table will be selected. More than one table can be selected.

  • Select Manage Tables in the G-Migration+ Dashboard.


  • Select each table by ticking the Add checkbox.
  • Once all tables are selected, click Save. (After clicking Save, you will see the image shown in Step 3 below.)



Step 3 - Select Sensitive Columns and Give Read Permissions

For multiple tables, repeat this step for each one. 

  1. Select each sensitive column by ticking the Add checkbox. 
    • Note: The Add checkbox must be selected for a column in order to make it readable.
  2. Select the Allow Read checkbox for any sensitive column where the actual value should be read. 
  3. Select Save.



Step 4 - View Attribute and Default Generator (Each Sensitive Column)

After completing Step 3 above, the required Domains and Attributes will be created based on the tables and sensitive columns that have been selected. 


When the "Allow Read" option is also selected for a sensitive column, a GMigReferenceGen will automatically be assigned to the respective Attribute. This Generator reads the actual data value in the source database and is required. Do not remove this Generator!

You can view the default Generator through the Domain Dashboard. This can be done from the G-Migration+ Dashboard by clicking on the Domain Name.




Note: The '1000' value is for preview purposes only in the GenRocket web platform. When running the command, the Generator will read the actual data value from the table column.  


WARNING! If you do not assign additional Generators to define the masking condition, then the actual data value will be inserted into the target database for each record. See Step 5 below for more information.

 

Step 5 - Create Masking Condition by Adding Additional Generators

Repeat these steps for each sensitive column that requires a masking condition. 

  1. Assign one or more Generators to define the masking condition. Please see Linked Generators Overview for more information.

  2. Reference the default assigned GMigReferenceGen in the appropriate linked Generator. Once the actual value is read, the references will be used to apply the masking condition. 


Example 1 - Department Name

A ConcatGen will reference the GMigReferenceGen (gen1) and add "-TEST" to the end of the Department Name. The output will appear similar to what is shown below: 

  • department1-TEST
  • department2-TEST
  • department3-TEST




Example 2 - Phone Number

An EvalCaseGen will be used to set up the masking condition and reference the GMigReferenceGen (gen1).

  • equation - Checks if var1 equals N/A.
  • var1 - References the GMigReferenceGen (gen1). The entered equation references this value to check if the department phone is "N/A".
  • caseTrue - If the value is "N/A", then (123) 345-6789 will be inserted for the record into the target database. 
  • caseFalse - References the GMigReferenceGen (gen1). If the value is NOT "N/A", then the original phone number value will be inserted into the target database.


 


Step 6 - Download Required Files and Move to Proper Location

To perform the migration, remember to download your G-Migration+ configuration and any required Scenarios. By using the icon below, you will receive a zip folder containing the G-Migration+ configuration and all required Scenario files. You can extract it and move the files to their appropriate locations.


Scenario Files - Place them in the resource.output.directory path location. 

G-Migration+ Configuration File - Place it in the resource.home.directory path location. 


Step 7 - Run the Command to Insert Masked Data into Target Database

Once everything is set up, use the following command to perform the migration.

genrocket -gmigp <G-Migration+ Name>.gredb


Below is the command for this example:

genrocket -gmigp demoMasking.gredb


Sample Data -  Source Actual Values (Left) and Masked Target Values (Right)

In the Target Database, each department name has "-TEST" at the end. In the Source Database, three records had N/A for the department phone. The masked value of (123) 345-6789 has been inserted into the Target Database.
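
A post-run check for the situation the WARNING in Step 4 describes, where a readable column has no additional Generator and its actual values reach the target unchanged. This is an added example, not GenRocket code: it uses in-memory SQLite tables with constructed rows, and the dept_id key column and the function names are assumptions.

```python
import sqlite3

# Expected target value for each sensitive column, taken from the Story above.
RULES = {
    "dept_name": lambda v: f"{v}-TEST",
    "dept_phone": lambda v: "(123) 345-6789" if v == "N/A" else v,
}

def make_db(rows):
    """Build a constructed 'department' table (dept_id is an assumed key)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE department "
               "(dept_id INTEGER PRIMARY KEY, dept_name TEXT, dept_phone TEXT)")
    db.executemany("INSERT INTO department VALUES (?, ?, ?)", rows)
    return db

def audit(src, tgt):
    """Per column: row ids that break the rule, and the count of source
    values that arrived in the target unchanged (pass-through)."""
    report = {}
    for col, rule in RULES.items():
        # col comes from the fixed RULES keys above, never from user input.
        q = f"SELECT dept_id, {col} FROM department ORDER BY dept_id"
        source, target = dict(src.execute(q)), dict(tgt.execute(q))
        report[col] = {
            "mismatch": [k for k, v in source.items() if target.get(k) != rule(v)],
            "passthrough": sum(1 for k, v in source.items() if target.get(k) == v),
        }
    return report

# Constructed sample rows, not data from the article.
SOURCE = [(1, "department1", "N/A"), (2, "department2", "(555) 010-0002"),
          (3, "department3", "N/A")]
MASKED = [(1, "department1-TEST", "(123) 345-6789"),
          (2, "department2-TEST", "(555) 010-0002"),
          (3, "department3-TEST", "(123) 345-6789")]
# Target as it looks when dept_name keeps only its default Generator.
UNMASKED_NAME = [(1, "department1", "(123) 345-6789"),
                 (2, "department2", "(555) 010-0002"),
                 (3, "department3", "(123) 345-6789")]

if __name__ == "__main__":
    print(audit(make_db(SOURCE), make_db(MASKED)))
    print(audit(make_db(SOURCE), make_db(UNMASKED_NAME)))
```

A non-zero passthrough count for dept_phone is expected under Example 2, because caseFalse inserts the original phone number; for dept_name it means the masking condition was not applied.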