DDM configuration uses Role-Based Access Control (RBAC) to control the privileges granted to users for data unmasking. Under RBAC, new database roles are created and assigned to database users (user-to-role mapping); a user's role membership then determines whether that user is authorized to access certain resources.

DDM configuration is maintained through an ABL client, but SQL clients also honor it. Therefore, once a field in a table is set up for DDM, all ABL and SQL clients mask that field's data for an unauthorized user.

Any user with access to PROUTIL and the database can enable the database for DDM; enabling it adds the new built-in _sys.ddm.admin role for the DDM administrator. If no user is explicitly granted the DDM administrator role, the security administrator holds that role implicitly.

A DDM administrator can:
  • Grant and revoke membership of user-defined DDM roles.
  • Manage (add, delete, or update) authorization tags for DDM that determine which user-defined role is authorized to see the unmasked version of column data.
  • Assign or remove authorization tags and mask configurations for designated fields in the database.
  • Activate and deactivate DDM.

For more information about RBAC, see Access control to support OpenEdge dynamic data masking.

To configure DDM for a field in a table, the DDM administrator needs to define the following:
  • A mask for the field that specifies what a user sees if they are not authorized to view the unmasked data.
  • An authorization tag, an identifier for the field that is assigned to the roles allowed to view the unmasked data.
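To show how the pieces above fit together (user-to-role mapping, a built-in administrator role with an implicit fallback to the security administrator, authorization tags granted to roles, a per-field mask, and an activation switch), here is an added example in Python that models the authorization decision a client makes when reading a masked field. It is not OpenEdge's ABL or SQL API and not the product's code: the class and method names (DdmConfig, grant_role, add_tag, set_field_mask, read), the security-administrator role name, the mask functions, and the sample users, tags and field values are all assumptions constructed for illustration.

```python
"""Toy model of RBAC-driven dynamic data masking (DDM).

Added example, not OpenEdge code.  Only the built-in role name
_sys.ddm.admin comes from the documentation; every other name is assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

DDM_ADMIN_ROLE = "_sys.ddm.admin"            # built-in role named in the docs
SECURITY_ADMIN_ROLE = "security_admin"       # assumed name for the security administrator role

MaskFn = Callable[[str], str]


def full_mask(value: str) -> str:
    """Mask every character (assumed mask style)."""
    return "*" * len(value)


def last4_visible(value: str) -> str:
    """Mask all but the last four characters; short values are fully masked."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class FieldMask:
    tag: str        # authorization tag: roles holding it may see the clear value
    mask: MaskFn    # what an unauthorized user sees instead


@dataclass
class DdmConfig:
    active: bool = False
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)   # user-to-role mapping
    tag_roles: Dict[str, Set[str]] = field(default_factory=dict)    # tag -> roles authorized to unmask
    field_masks: Dict[str, FieldMask] = field(default_factory=dict)  # "Table.Field" -> mask config

    # ---- who is a DDM administrator ---------------------------------------
    def is_ddm_admin(self, user: str) -> bool:
        roles = self.user_roles.get(user, set())
        if DDM_ADMIN_ROLE in roles:
            return True
        # No explicit grant anywhere -> the security administrator holds the role implicitly.
        explicitly_granted = any(DDM_ADMIN_ROLE in r for r in self.user_roles.values())
        return not explicitly_granted and SECURITY_ADMIN_ROLE in roles

    def _require_admin(self, actor: str) -> None:
        if not self.is_ddm_admin(actor):
            raise PermissionError(f"{actor} is not a DDM administrator")

    # ---- administrator operations (the bullet list above) -----------------
    def grant_role(self, actor: str, user: str, role: str) -> None:
        self._require_admin(actor)
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, actor: str, user: str, role: str) -> None:
        self._require_admin(actor)
        self.user_roles.get(user, set()).discard(role)

    def add_tag(self, actor: str, tag: str, *roles: str) -> None:
        self._require_admin(actor)
        self.tag_roles.setdefault(tag, set()).update(roles)

    def set_field_mask(self, actor: str, table_field: str, tag: str, mask: MaskFn) -> None:
        self._require_admin(actor)
        self.field_masks[table_field] = FieldMask(tag, mask)

    def activate(self, actor: str, on: bool) -> None:
        self._require_admin(actor)
        self.active = on

    # ---- read path every client (ABL or SQL) would apply ------------------
    def read(self, user: str, table_field: str, value: str) -> str:
        if not self.active:
            return value                       # DDM deactivated: nothing is masked
        cfg = self.field_masks.get(table_field)
        if cfg is None:
            return value                       # field not configured for DDM
        if self.user_roles.get(user, set()) & self.tag_roles.get(cfg.tag, set()):
            return value                       # user holds a role authorized by the tag
        return cfg.mask(value)


def demo() -> dict:
    """Walk through configuration and reads with constructed sample data."""
    db = DdmConfig()
    db.user_roles["secadmin"] = {SECURITY_ADMIN_ROLE}
    # secadmin is DDM admin only implicitly, until someone is granted the role explicitly.
    db.grant_role("secadmin", "ddmadmin", DDM_ADMIN_ROLE)
    db.grant_role("ddmadmin", "hr_mgr", "hr_salary_viewer")
    db.add_tag("ddmadmin", "hr.salary", "hr_salary_viewer")
    db.set_field_mask("ddmadmin", "Employee.Salary", "hr.salary", full_mask)
    db.set_field_mask("ddmadmin", "Employee.SSN", "hr.salary", last4_visible)
    before = db.read("clerk", "Employee.Salary", "95000")
    db.activate("ddmadmin", True)
    return {
        "before_activation": before,
        "clerk_salary": db.read("clerk", "Employee.Salary", "95000"),
        "hr_salary": db.read("hr_mgr", "Employee.Salary", "95000"),
        "clerk_ssn": db.read("clerk", "Employee.SSN", "123456789"),
        "secadmin_still_admin": db.is_ddm_admin("secadmin"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the walkthrough makes visible: nothing is masked until DDM is activated, however many masks are configured, and granting _sys.ddm.admin explicitly to one user ends the security administrator's implicit hold on that role, so a deployment should decide deliberately who is the explicit DDM administrator.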