
ILM DDM 3.
Enablement – September 2011

Setting DNR Ports, Databases and switching rules


Objectives
After completing this practice you will be able to:
• Configure statement processing rules
• Use basic regular expressions in rules
• Import and export rules
• Read the logs

Why you need these skills / why you need to know:
• To communicate, demonstrate, support and implement Informatica DDM for customers, prospects and others

Informatica Confidential & Proprietary 2


Statement processing rule definition
Securing individual SQL requests
• Create rule set from the menu item:
‘Action’ -> ‘Create Statement Processing Rule Set’
Statement processing rule definition
Securing individual SQL requests
• Select the new rule set, right-click it and choose ‘Edit Security Rule Set’ from the list.
>> An empty Rule editor will open:
• Rules are applied top-to-bottom
• Rule attribute ‘Stop’ or ‘Continue when rule is matched’ allows a white-list or black-list approach
• Folders allow ‘AND’ / ‘OR’ conditions
• Rules can be enabled or disabled
• ‘Log when rule is applied’ creates an audit file in the DDM log directory
• Export/Import of rule sets is also available
Rule definition
Defining a rule
Matchers identify an incoming SQL request, using: text matchers, PL/SQL, Java, From clause, time of day, Symbol matcher.

The Keep matcher allows the match NOT to be re-evaluated for every SQL request (for example, identifying a user's group membership in Active Directory needs to be done only once).

When a SQL request is matched, the following actions are applied: mask, rewrite, block, Java action, ‘search and replace’, or simply ‘do nothing’.

• Log when rule is applied
• Stop or continue rule processing
Regular expression introduction
• In a regular expression the . (dot) means any character
• The * means the character to its left, 0 or more times
• The + means the character to its left, 1 or more times
• The .* means any character, any number of times
• \s means a single whitespace character
• \s* means 0 or more whitespace characters
• \w means a single word character (a letter, digit or underscore)
• \w+ means a word without spaces or special characters
• (.*) means all the text of the statement is captured as group number one (tag placeholder), which can be retrieved in the text rewrite using \(1)
• In the following “search and replace” example,
  ACCOUNT\s*=\s*(\w+)
  is replaced with
  ACCOUNT = \(1)*3
  Original: select * from customer where account=10
  DDM Rewrite: select * from customer where account=10*3
• The sign | means “or”, so ((DDM)|(PDM)) would match both DDM and PDM
• Note that the SQL statement DOES NOT include the semicolon ;
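To make the two previous slides concrete, the following is an added toy model (not Informatica code, and not the DDM product's actual engine) of a statement processing rule set: rules are evaluated top-to-bottom, each rule has a text matcher (a regular expression), an action, a ‘Stop’/‘Continue when rule is matched’ flag and a ‘Log when rule is applied’ flag. It reproduces the slide's ACCOUNT\s*=\s*(\w+) → ACCOUNT = \(1)*3 search-and-replace and shows a white-list and a black-list rule set built from the same stop/continue and block primitives. Assumptions: DDM text matchers are case-insensitive, and DDM's \(1) group reference maps one-to-one onto Python's \1; the rule names and the ‘drop table’ policy are constructed for the example.

```python
"""Toy model of a DDM-style statement processing rule set (constructed example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# An action receives the SQL text and returns the (possibly rewritten) SQL,
# or None to block the statement.
Action = Callable[[str], Optional[str]]


@dataclass
class Rule:
    name: str            # constructed label, only used in the audit line
    matcher: str         # text matcher: regular expression over the SQL request
    action: Action
    stop: bool = True    # 'Stop' (True) vs 'Continue when rule is matched' (False)
    log: bool = False    # 'Log when rule is applied'


def do_nothing(sql: str) -> Optional[str]:
    """'Do nothing' action: pass the statement through unchanged."""
    return sql


def block(sql: str) -> Optional[str]:
    """'Block' action: the statement is not forwarded to the database."""
    return None


def search_and_replace(pattern: str, replacement: str) -> Action:
    """Build a 'search and replace' action.

    The slide writes capture groups in the rewrite text as \\(1); Python's re
    module uses \\1, so the replacement text is translated first (assumption:
    groups are numbered identically on both sides).
    """
    py_repl = re.sub(r"\\\((\d+)\)", r"\\\1", replacement)
    regex = re.compile(pattern, re.IGNORECASE)   # assumption: case-insensitive matching
    return lambda sql: regex.sub(py_repl, sql)


def process(rules: List[Rule], sql: str) -> Tuple[Optional[str], List[str]]:
    """Apply the rule set top-to-bottom.

    Returns (final SQL, or None if blocked) and the audit lines produced by
    rules flagged with 'log'.
    """
    audit: List[str] = []
    current = sql
    for rule in rules:
        if not re.search(rule.matcher, current, re.IGNORECASE):
            continue                      # rule did not match: try the next one
        result = rule.action(current)
        if rule.log:
            audit.append(f"rule={rule.name} original={current!r} result={result!r}")
        if result is None:
            return None, audit            # blocked: nothing further to evaluate
        current = result
        if rule.stop:
            break                         # 'Stop when rule is matched'
    return current, audit


# The slide's rewrite example.
REWRITE_RULES = [
    Rule("triple-account", r"ACCOUNT\s*=\s*(\w+)",
         search_and_replace(r"ACCOUNT\s*=\s*(\w+)", r"ACCOUNT = \(1)*3"), log=True),
]

# White-list approach: the first rule lets known-good statements through and
# stops; a final catch-all rule blocks everything that reached it.
WHITELIST_RULES = [
    Rule("allow-customer-select", r"^\s*select\b.*\bfrom\s+customer\b", do_nothing, stop=True),
    Rule("deny-rest", r".*", block, log=True),
]

# Black-list approach: block a specific unwanted pattern; anything that matches
# no rule passes unchanged.
BLACKLIST_RULES = [
    Rule("deny-drop", r"^\s*drop\s+table\b", block, log=True),
]


if __name__ == "__main__":
    for rules, sql in [
        (REWRITE_RULES, "select * from customer where account=10"),
        (WHITELIST_RULES, "select * from customer where account=10"),
        (WHITELIST_RULES, "update customer set account=0"),
        (BLACKLIST_RULES, "drop table customer"),
    ]:
        final, audit = process(rules, sql)
        print(f"{sql!r} -> {final!r}; audit={audit}")
```

Note that a literal replacement keeps the spacing and case of the replacement text, so the rewritten statement reads `ACCOUNT = 10*3` rather than `account=10*3`; the database sees an equivalent predicate.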
Database access auditing with the rule.log file

• The rule.log file is populated when the ‘log when rule is applied’ attribute is set
• Logging includes the original and replaced SQL request, time stamp, database name, statement processing rule set name and client information
• It is stored in the activesecurity\log directory
• Logs are managed cyclically (10 files, each 20 MB in size)
• The Log loader utility uploads the logs into a central database repository
FAQ
• What is the performance overhead?
A> The propagation delay is about 150 microseconds per SQL statement (0.15 millisecond), similar to a network propagation delay.
Resource consumption is also negligible - about 2-3% CPU load (it can be installed on a dedicated server).
DDM security switching is applied only to specific programs, clients and IPs.
• What happens if DDM crashes?
A> First, it has never been reported; secondly, you can have two DDM servers with failover/load balancing between them, or fail over directly to the database.
• What about stored procedure masking (PL/SQL)?
A> We use wrappers that call the PL/SQL from another procedure that masks the result set returned.
• How can we identify SAP responsibilities and PeopleSoft roles?
A> For SAP we have a Java matcher that uses the session’s work process to run ABAP code that retrieves the SAP end-user name. For PeopleSoft we have a PL/SQL function that looks at v$session clientinfo for the same
Summary
This session showed you how to:
• Define statement processing rules
• Use regular expressions in rules
• Import and export rules
• Test rules and see logs

Q&A
