Tips, Expertise, Articles and Advice from the Pro's for Your Website or Blog to Succeed
In this article, we'll talk about fine-grained access control in DB2 - hiding data that is, in fact, present in the database, but should not be accessible to certain users.
Fine-grained access control is usually done in the database itself as the data is being accessed, but it can also be done between the database server and the database client using a programmable proxy.
Sometimes you need to control access to the data in your databases in a very granular way - much more granular than most databases allow.
For instance, you might want some database users to be able to read only the last few digits of some credit card number, or you may need certain columns of certain rows to be readable by certain users only. Or maybe you need to hide some rows from some users under specific circumstances.
The problem of data masking comes up surprisingly often in the world of IT. Any time you need to share some potentially sensitive data, you may need to hide, obfuscate, randomize, or otherwise dissimulate some of that data -- we'll call that the secret data.
In this article, we'll focus on the mechanics of data masking and gloss over a massive issue: data classification -- knowing who can access what data. Data classification is a whole different problem, especially in organizations with huge amounts of sensitive data. I'll refer you to a different article that touches on this topic. For the rest of this article, we'll assume that this problem has been solved and that we know who can access what data. The question is -- how do we hide the secret data?