This topic describes an example of enabling, configuring, and activating Dynamic Data Masking (DDM).
Important: The example codes provided in the following steps function with OpenEdge Release 12.8.4 and later. They are not compatible with OpenEdge Releases 12.8 through 12.8.3.
  1. Copy the existing sample database into a new database for use in the following steps.

    1. For example, copy Sports2020 database into mysports22 database.

      proenv>procopy $DLC/sports2020 mysports22
    2. Start the database server for the mysports22 database.
      proenv>proserve mysports22 -H localhost -S 5000
  2. Enable DDM for mysports22.
    proenv>proutil mysports22 -C enableddm
    Note: To check if the database is licensed for DDM, enable the DDM feature before configuring and using it.
    After you enable the database for DDM:
    • Clients earlier than OpenEdge 12.8 that are not aware of the DDM setup may not be able to open or connect to the database.
    • Activate DDM to configure it because DDM is inactive, by default.

    For more information, see PROUTIL ENABLEDDM qualifier.

  3. If users are not already added in the database, create users using the CreateUser() method of the OpenEdge.DataAdmin package and add them in the database.
    Note: This topic generates user records solely for demonstration purposes. OpenEdge provides different and more standard ways to integrate with various user account systems, such as the built-in _oslocal authentication system for using Operating System (OS) local accounts, external user accounts accessed by an ABL authentication callback, and the OpenEdge Authentication Gateway. For more information, see Assert user identity.
    1. The following example code creates the AdminUser user, who has the authorization to view data in DDM-configured fields:
      USING OpenEdge.DataAdmin.*.

VAR DataAdminService oDAS.
VAR IUser oUser.
VAR LOGICAL lResult.
VAR CHARACTER Paswrd = "password".

ASSIGN oDAS = NEW DataAdminService(LDBNAME("DICTDB")).  
oUser = oDAS:NewUser("AdminUser").
oUser:Description = "Dummy user for DDM administration".
oUser:Password = Paswrd.
lResult = oDAS:CreateUser(oUser).

MESSAGE "Added AdminUser to database".
DELETE OBJECT oDAS.
      1. Save the example code as create-AdminUser.p.
      2. To create AdminUser, run create-AdminUser.p.
        proenv>mpro mysports22 create-AdminUser.p
    2. To create the GeneralUser user, who does not have the authorization to view data in the DDM-configured fields, run the following example code:
      USING OpenEdge.DataAdmin.*.

VAR DataAdminService oDAS.
VAR IUser oUser.
VAR LOGICAL lResult.
VAR CHARACTER Paswrd = "password".

ASSIGN oDAS = NEW DataAdminService(LDBNAME("DICTDB")).  
oUser = oDAS:NewUser("GeneralUser").
oUser:Description = "Dummy general user".
oUser:Password = Paswrd.
lResult = oDAS:CreateUser(oUser).

MESSAGE "Added GeneralUser to database".
DELETE OBJECT oDAS.
      1. Save the example code as create-GeneralUser.p.
      2. To create GeneralUser, run create-GeneralUser.p.
        proenv>mpro mysports22 create-GeneralUser.p
      Note: Because AdminUser is the first non-blank user for the mysports22 database, the blank user no longer has security administrator rights for any connections to the database. Therefore, after running create-GeneralUser.p, you must log in with the AdminUser user ID and password to create GeneralUser.
  4. Grant the security administrator privileges to the currently logged-in user. This step is optional but recommended. In the absence of a DDM administrator, either the ABL security administrator or the SQL DBA acts as a DDM administrator. Therefore, they are granted this permission for convenience in initial configuration and protection against losing all DDM administrators.

    The following example code grants the security administrator privileges to the currently logged-in user:

    using OpenEdge.DataAdmin.DataAdminService from propath.
using OpenEdge.DataAdmin.IAdministrator from propath.

define variable administrator  as class  IAdministrator    no-undo.
define variable service        as class  DataAdminService  no-undo.
define variable okay           as logical     no-undo.
DEF VAR cSecadminUser AS CHAR NO-UNDO.


cSecadminUser = USERID.

message "Adding " + cSecadminUser + " as security admin".

assign service = new DataAdminService (LDBNAME(1)).
assign administrator = service:getAdministrator ( ).
assign administrator:administrators = cSecadminUser.
assign okay = service:updateAdministrator ( input administrator ).

PAUSE 10.
QUIT.
    1. Save the example code as secadmin.p.
    2. To grant security administrator privileges to AdminUser, run secadmin.p.
      proenv>mpro mysports22 -U AdminUser -P password secadmin.p

  5. To determine user privileges for accessing the masked data, create a new role for database users (user-to-role mapping).

    The following example code creates the PAYROLL role, which regulates the privileges granted to users for data unmasking:

    USING OpenEdge.DataAdmin.*.

VAR DataAdminService oDAS. VAR IRole oRole.
VAR LOGICAL lResult.

ASSIGN oDAS = NEW DataAdminService(LDBNAME("DICTDB")).

oRole = oDAS:NewRole("Payroll"). 
oRole:Description = "Admin User Role".
// This role will be used for Dynamic Data Masking
oRole:IsDDM = true.
lResult = oDAS:CreateRole(oRole). 

MESSAGE "Added Payroll Role".

DELETE OBJECT oDAS.
    1. Save the example code as addRole.p.
    2. Run addRole.p.
      proenv>mpro mysports22 -U AdminUser -P password addRole.p
  6. Create an authorization tag and associate it with the role created in Step 6. An authorization tag establishes the connection between the user-defined DDM roles and the fields of a table to which a mask is to be applied.

    The following example code associates the #DDM_SEE_ContactInfo authorization tag with the PAYROLL role:

    USING OpenEdge.DataAdmin.*.

VAR DataAdminService service.
VAR IAuthTag oTag.
VAR LOGICAL lReturn.

ASSIGN service = new DataAdminService (LDBNAME("DICTDB")).

     oTag       = service:NewAuthTag("#DDM_SEE_ContactInfo"). 
     oTag:RoleName      = service:GetRole("Payroll"):Name.
     oTag:description = "Can see contact info".
     lRETURN = service:CreateAuthTag(oTag).

MESSAGE "Added Payroll to #DDM_SEE_ContactInfo".
QUIT.
    1. Save the example code as setAuthTagRole.p.
    2. Run setAuthTagRole.p.
      proenv>mpro mysports22 -U AdminUser -P password setAuthTagRole.p
    For more information on authorization tags, see Authorization tags.
  7. Grant user-defined roles to authorized users.

    The following example code grants the PAYROLL role to AdminUser: 

    USING OpenEdge.DataAdmin.*.
 
VAR DataAdminService oDAS.
VAR IGrantedRole oRole.
VAR IUser oUser.
VAR LOGICAL lResult = FALSE.
 
ASSIGN oDAS = NEW DataAdminService(LDBNAME("DICTDB")).
oRole = oDAS:NewGrantedRole().
oRole:Role = oDAS:GetRole("Payroll").
oUser = oDAS:GetUser("AdminUser").
 
IF VALID-OBJECT(oRole:Role) AND VALID-OBJECT(oUser) THEN DO:
  oRole:Grantee = oUser:Name.
 
   IF oUser:Domain:Name NE "" THEN
      oRole:Grantee = oRole:Grantee  + "@" + oUser:Domain:Name.
 
    oRole:CanGrant = false. // Cannot grant to others.
    // Granting Role to AdminUser
   lResult = oDAS:CreateGrantedRole(oRole).
   
END.
    1. Save the example code as grantRole.p.
    2. Run grantRole.p.
      proenv>mpro mysports22 -U AdminUser -P password grantRole.p
  8. Add a mask to the field that specifies what a user sees if they are not authorized to view the unmasked data. The types of masks available are: default, literal, partial, and null.
    1. Default mask—To configure the default mask (prefix D:), the following example code uses the setDDMConfig() method and the #DDM_SEE_ContactInfo authorization tag for the state field of the Customer table. 
      USING OpenEdge.DataAdmin.DataAdminService FROM PROPATH.

DEFINE VARIABLE service AS DataAdminService NO-UNDO. 
DEFINE VARIABLE lResult AS LOGICAL NO-UNDO.

service = NEW DataAdminService(LDBNAME("DICTDB")).
lResult = service:setDDMConfig("customer","state","D:","#DDM_SEE_ContactInfo").

MESSAGE "Added Default mask".
QUIT.
      1. Save the example code as addDefaultMask.p.
      2. Run addDefaultMask.p.
        proenv>mpro mysports22 -U AdminUser -P password addDefaultMask.p
      For more information about default mask, see Default mask.
    2. Literal mask—To configure the literal mask (prefix L:), the following example code uses the setDDMConfig() method and the #DDM_SEE_ContactInfo authorization tag for the city field of the Customer table. 
      USING OpenEdge.DataAdmin.DataAdminService FROM PROPATH.

DEFINE VARIABLE service AS DataAdminService NO-UNDO. 
DEFINE VARIABLE lResult AS LOGICAL NO-UNDO.

service = NEW DataAdminService(LDBNAME("DICTDB")).
lResult = service:setDDMConfig("customer","city","L:MASKED","#DDM_SEE_ContactInfo").

MESSAGE "Added Literal mask".
QUIT.
      1. Save the example code as addLiteralMask.p.
      2. Run addLiteralMask.p.
        proenv>mpro mysports22 -U AdminUser -P password addLiteralMask.p
      For more information about literal mask, see Literal mask.
    3. Partial mask—To configure the partial mask (prefix P:), the following example code uses the setDDMConfig() method and the #DDM_SEE_ContactInfo authorization tag for the phone field of the Customer table.
      USING OpenEdge.DataAdmin.DataAdminService FROM PROPATH.

DEFINE VARIABLE service AS DataAdminService NO-UNDO. 
DEFINE VARIABLE lResult AS LOGICAL NO-UNDO.

service = NEW DataAdminService(LDBNAME("DICTDB")).
lResult = service:setDDMConfig("customer","phone","P:0,X,4","#DDM_SEE_ContactInfo").

MESSAGE "Added Partial mask".
QUIT.

      1. Save the example code as addPartialMask.p.

      2. Run addPartialMask.p.
        proenv>mpro mysports22 -U AdminUser -P password addPartialMask.p
      For more information about partial mask, see Partial mask.
    4. Null mask—To configure the null mask (prefix N:), the following example code uses the setDDMConfig() method and the #DDM_SEE_ContactInfo authorization tag for the address field of the Customer table.
      USING OpenEdge.DataAdmin.DataAdminService FROM PROPATH.

DEFINE VARIABLE service AS DataAdminService NO-UNDO. 
DEFINE VARIABLE lResult AS LOGICAL NO-UNDO.

service = NEW DataAdminService(LDBNAME("DICTDB")).
lResult = service:setDDMConfig("customer","address","N:","#DDM_SEE_ContactInfo").

MESSAGE "Added Null mask".
QUIT.

      1. Save the example code as addNullMask.p.

      2. Run addNullMask.p.
        proenv>mpro mysports22 -U AdminUser -P password addNullMask.p
      For more information about null mask, see Null mask.
  9. To initiate the application of masks on the designated fields. activate DDM
    proenv>proutil mysports22 -C activateddm
    ACTIVATEDDM ensures that the DDM policies you have set up are honored. All connected clients must comply with the policies and mask configurations that have been set up.

    For more information, see PROUTIL ACTIVATEDDM qualifier.

  10. View data from the Customer table.

    1. Save the following example code as findFirstCustomer.p. This code displays the first row of the Customer table, which includes the Custnum, Name, Address, State, City, Postalcode, and Phone fields. 

      FIND FIRST Customer.
DISPLAY custnum name address state city postalcode phone WITH 1 columns.
											
PAUSE 60.
QUIT.
    2. Run findFirstCustomer.p as AdminUser.
      proenv>mpro mysports22 -U AdminUser -P password findFirstCustomer.p
      Output for AdminUser: 
      Cust Num: 3000
Name: Lift Tours
Address: 276 North Drive
State: MA 
City: Burlington
Postal Code: 01730
Phone: (617) 450-0086
      AdminUser can access and view unmasked data in the DDM-configured fields.
    3. Run findFirstCustomer.p as GeneralUser.
      proenv>mpro mysports22 -U GeneralUser -P password findFirstCustomer.p
      Output for GeneralUser: 
      Cust Num: 3000
Name: Lift Tours
Address: ?
State: XX 
City: MASKED
Postal Code: 01730
Phone: XXXXXXXXXX0086
      GeneralUser views masked data in the DDM-configured fields.
To watch a video on how to get started with DDM, refer to Get started with Dynamic Data Masking (DDM) in OpenEdge database.
Note:

  • For more information about how to deactivate or disable DDM, see PROUTIL DEACTIVATEDDM qualifier and PROUTIL DISABLEDDM qualifier.

  • The IDataAdminService interface provides a set of methods that enable the execution of CRUD operations pertaining to DDM. These methods are utilized for managing:
    • User-defined roles
    • Users
    • Role grants or user-to-role mapping
    • Authorization tags
    • Setting or unsetting the mask and authorization tag for any field in a table
    For more information on the IDataAdminService methods, see IDataAdminService interface.