Request a demo

Data Masking in Oracle: 5 Key Features and ADM Workflow

Shiv Sujir - September 30, 2022

What Is Data Masking in Oracle?

Data masking makes it possible to modify private data, protecting the original data from unauthorized access while preserving the structure and other important attributes of the data. This makes it possible to use the data for testing, training, or aggregate analysis.

Masking makes it impossible to identify the person referenced in the data (if the data is personally identifiable information) and prevents reverse engineering aimed at discovering the original, sensitive data. Oracle databases provide built-in SQL functions and tools for masking sensitive data in database tables.

5 Key Oracle Data Masking Features

1. Application Data Modeling (ADM)

ADM simplifies the data discovery process by automatically discovering Oracle database tables with sensitive data columns. It can identify relationships between database columns. Sensitive data column types provide forensics by combining patterns in column data, names, and comments. The automated discovery process can scan databases for sensitive data and sample data in the columns.

ADM offers several column types, including social security and credit card numbers. You can create a custom column type with regular expressions. Oracle’s data discovery offerings let you set pattern discovery criteria to find sensitive data elements.

With ADM, you list the tables, applications, and database relationships. ADM handles sensitive data and column types, allowing you to produce test data with data masking and subsetting.

Oracle Application Data Modelling
Source: Oracle

2. Data Masking Format Library

Data masking and subsetting let security admins centralize the definitions for masking formats, ensuring that the masking rules remain consistent across an enterprise’s systems. The definitions are the same regardless of the sensitive data’s location or the database. This ability lets you ensure that your organization’s data has consistent marking and complies with your established data sharing standards.

The Oracle data masking format library offers a centralized selection of data masking formats for frequently used sensitive information. For instance, it includes masking formats for telephone numbers, credit card and social security numbers, and pseudonyms. Security admins can specify and maintain the masking formats in the library, allowing database administrators to use them across the whole enterprise.

The data masking format library includes:

  • Various built-in data masking formats (and primitives) for use in data masking definitions.
  • Built-in masking primitives that you can combine to create new formats.
  • SQL and PL/SQL functions that users can define to handle complex masking formats.

3. Data Masking Transformations

You can leverage advanced data masking transformations when data masking or subsetting in Oracle. Masking formats are the building blocks of data masking definitions, while masking transformations arrange these formats based on various business objectives. Oracle offers the following masking transformations:

Conditional Data Masking

This transformation lets you arrange the data masking formats based on varying conditions. For instance, you might mask a column that lists unique human identifiers. Identifiers associated with persons in the US could have a social security number format, while persons in the UK could use the national insurance number format.

Compound Data Masking

This transformation masks related database columns as groups, ensuring that the masked data retains the original relationships of the input data. For instance, you might mask address fields in a table (i.e., city, state, country, and zip codes), with the values in each address field remaining consistent after the masking process.

Deterministic Data Masking

This transformation provides consistent outputs across different databases for each input. It helps maintain data and system integrity in multi-application environments with single sign-on. For instance, you might have a human resources application, a sales information store, and a customer relationship application. While each application serves a different function, they might share a field that requires consistent masking (e.g., employee ID). You could use substitution and encryption formats to ensure deterministic (consistent) masking.


This transformation randomly shuffles the fields in a table column. It helps to break the mapping between data elements. For instance, it could shuffle the health record columns to mask personal health information.

Key-Based Reversible Data Masking

This transformation can encrypt and decrypt the raw data using secure key strings. It preserves the original format of inputs. The reversible transformation leverages a 3DES algorithm to enable masking and sending data to third parties for analysis, auditing, and other data processing purposes. Once you receive the processed data from the third party, you can recover the original data with the same key strings you used to encrypt it.

Format-Preserving Randomization

This transformation randomizes and preserves the original format of the input data, including the length, special characters, position of numbers and characters, and cases (lower vs. upper).

4. Data Subsetting

Subsetting a modern enterprise-grade application can be challenging. Oracle helps simplify the data subsetting process using easily defined goals and conditions. You can subset data based on various goals, like relative table size. For example, you might extract a 1% subset of your database table with 100,000 rows to create a table with 1,000.

You can also subset data based on various conditions, such as time-based conditions. For example, you might discard all the records in a table before a specified date. Conditions can also be regional. For instance, you might extract information from a specific region (i.e., Europe, North America) for an application development project. You specify conditions using an “SQL where” clause, which supports binding variables.

Oracle data subsetting offers real-time, dynamic views of an application schema containing details such as before and after file sizes, the percentage of the table’s data subsetted, and dependent tables. Adminis can leverage these views to validate the criteria for data subsetting tasks.

5. Masking Application Templates

Oracle offers data masking application templates that deliver previously identified sensitive data columns, detailing their relationships. It supports out-of-the-box data masking methods that comply with industry standards and best practices for packaged Oracle applications like Fusion and the E-Business Suite. A self-update feature lets you take advantage of Oracle’s latest data subsetting and masking templates.

Related content: Read our guide to data masking (coming soon)

Data Masking Workflow in Oracle

The following image explains the general data masking workflow in Oracle applications.

Oracle Data Masking Workflow
Source: Oracle

The Oracle Data Masking and Subsetting Workflow consists of the following steps:

  1. An application data model (ADM)—the first step in the workflow is to create an ADM that captures application metadata and referential relationships and discovers sensitive data from your source database.
  2. A data masking definition—after creating your ADM, you need to create a data masking definition that includes information about table columns and the masking format for each column. You can create the mask by writing masked data to the export file.
  3. A data subsetting definition—the next step involves creating a data subsetting definition that specifies table rules and rule parameters. You can create this subset by writing subset data to the export file.

Oracle Data Masking with PathLock

Pathlock Security Platform’s dynamic data masking capabilities provide fine-grained control over which sensitive data fields can be masked for any specified user in the context of any situation. Pathlock allows companies to:

  • Centralize data masking enforcement throughout your ERP ecosystem with a single ruleset.
  • Deploy dynamic policies that account for risk based on the context of access, such as location, IP address, time, data sensitivity, and more.
  • Protect sensitive data in production and non-production environments.
  • Align data masking controls with existing governance (corporate) policies.
  • Mask sensitive PII based on the data subjects’ residency (country/nationality).
  • Mask data fields in transactions (Tcodes) that are unnecessary for a role.

Get in touch with us for a demo and see for yourself how Pathlock can improve data security and reduce compliance risk with a fully dynamic data masking solution.

Table of contents