Skip to content

Best Practices for Defining Masking Roles


The Delphix Masking Engine contains a role definition capability that enables admins to easily create roles for users. This section describes the typical roles and privileges that can be granted to users. It is recommended that the masking administrator implementing these roles consult IT Security and follow existing policies for data access. Roles are added by clicking the appropriate checkboxes within the add role function in the Settings tab. A sample RACI document and examples of roles / privileges are located below.

Roles for operating the Delphix Masking Engine are shared primarily between the masking administration team and the teams that support the applications that will be on-boarded to the Masking Engine. The admin will manage central functions of the engine including definition of custom domains, profiler expressions, algorithms, role and user definitions. The masking Engine is flexible enough to enable application teams with these functions as well, but it is recommended that these shared functions be managed by the admin team. The admin team should have an account registered with Delphix Support and be the main interface for issues and maintenance support from Delphix.

Masking processes can be developed for each application by the central admin team or the individual application teams, often determined by the volume of applications to be on-boarded. The RBAC model employed by Delphix Masking can support different implementation models. Your Delphix support team can assist in constructing roles to meet your needs.

Once roles are defined, they can be assigned to individual user IDs for the environments that those users have responsibility. Administrators will have access to all masking settings and environments by default.


  1. Administrator access provides unlimited access to all functions and environments; this role should be granted to the central administration team.
  2. All privileges is a default role (predefined) which will provide all functions for each environment a user is given access to.
  3. Connector access should be controlled and administered by personnel responsible for database access.

Sample RACI

Teams: IT Security DM = Data masking admin team Application = App owner/SME DBA = Database admin QA = QA/Test environment owner PM = project management

Role Description Accountable Responsible Consulted Informed
Security Policy Determine data types that are sensitive for the enterprise. IT Security IT Security DM, Application DBA, QA
Program Management Maintain program plan and implementation schedule, tracking and reporting. PM DM, Application QA, IT Security DBA
Inventory Management Apply security policy to application schemas/ files. Application DM, Application DBA, QA IT Security
Data Masking Build, maintain, schedule masking processes. Application DM, DBA QA IT Security
Masked Data Validation Review and approve inventories and masked data. Application Application, DBA, QA DM IT Security
Masked Data Deployment Deploy masked data to required environments. Application Application, DBA, QA DM, QA IT Security
Environment Audit Assure applications are compliant with masking. IT Security IT Security DM, DBQ, QA Application
Masking Administration Manage masking tool central functions, create domains, profiler expressions, roles, users. DM DM Application, IT Security, DBA QA

Sample Roles for Masking

Role Description *Delphix Masking Functions
Administrator Manages masking server updates and upgrades; works with IT Security to update domains, algorithms and profiler expressions / sets. Unrestricted access to all the engine functions. The Admin role is assigned via the checkbox in the add user page of the UI.
IT Security Analyst Determines domains to be masked and high-level method for each domain and communicates them to administrator for inclusion in masking engine, responsible for masking audit functions. Unrestricted access for all settings functions; access to all application functions except environment and environment create, delete, update.
Application Roles (per environment)
All Privileges Super user for an environment. Unrestricted access for an application environment; central admin or security analyst will determine if this role can modify settings.
DBA Manages user privileges, database performance and schema definition. Manage connectors for application database, scripting and scheduling (no settings).
SME / Analyst / Developer Application subject matter expert, application developer, data analyst, application architecture. Manage inventories, create, view jobs.
Operations Roles (per environment)
Operator Schedule jobs, execute jobs, verify results, run automation scripts. All job privileges.
Environment Owner Determine workflow, monitor tool usage for environment. Approve workflow and inventories, privileges to view for settings and environment.