October 06, 2009

Coming Soon: Masked Data

In a recent blog entry titled "Curtailing the SYSADM Privilege," I wrote about the need to provide more granularities between the roles of managing DB2 objects and managing access to the data stored in DB2.

The challenge with data access is keeping certain users from viewing sensitive columns while maintaining their access to production data. To meet this challenge, DBAs design applications that hides or masks sensitive data from users that lack the appropriate authorities. For instance, an end user may have access to a CICS screen or Web page containing employee data, but only the DBA and other privileged users (e.g., the HR head) would see employee salaires displayed on the page.

This process is normally handled with DB2 views. The view would be coded so the sensitive columns aren't included. The problem is while DB2 views may be an acceptable solution for dynamic report writing, they don't work well for use in an application.

The next DB2 release (DB2 X for z/OS) will provide a new database object "column mask" that expresses a column-level access control rule for a specific column in a table. A column mask contains the rule in the form of an SQL case expression that describes what masked values returned for a column based on a user's table privilege.

I'll go into more details on the column mask once the final implementation is made available to the public.