Hello Everyone,

In this blog post, I will give you information about oracle data redaction. We need to use dbms_redact package. The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from queries issued by low-privileged users or an application.

DBMS_REDACT Package:

Some procedures we use in this blog examples:

Procedures Description
ADD_POLICY Procedure This procedure defines a Data Redaction policy for a table or view
ALTER_POLICY Procedure This procedure alters an existing Data Redaction policy for a table or view
DISABLE_POLICY Procedure This procedure disables a Data Redaction policy
ENABLE_POLICY Procedure This procedure re-enables a Data Redaction policy
DROP_POLICY Procedure This procedure drops a Data Redaction policy by removing a masking policy from the table or view

Table – 1: Content of DBMS_REDACT Package

Some parameters of function_type we use in this blog examples:

Parameters of function_type Value Description
NONE 0 No redaction
FULL 1 Redact to fixed values
PARTIAL 2 Partial redaction, redact a portion of the column data
RANDOM 4 Random redaction, each query results in a different random value

Table – 2: Values for function_type Parameter of DBMS_REDACT.ADD_POLICY


Some
Action Parameters of DBMS_REDACT.ALTER_POLICY we use in this blog examples:

Parameters of action Description
ADD_COLUMN Add a column to the redaction policy
DROP_COLUMN Drop a column from the redaction policy
MODIFY_COLUMN Modify a column in the redaction policy to change the redaction function_type or the function_parameters

Table – 3: Values for action Parameter of DBMS_REDACT.ALTER_POLICY

In order to perform the test operations, first a table will be created and some values will be inserted into table.
USER LIST:
DBMASTER USER – Redacting user
SEVAYYILMAZ USER- JUST READONLY USER (will see the data masked

And also, we need the EXECUTE privilege (DBMASTER user) on the DBMS_REDACT package in order to execute its subprograms.

CREATE USER DBMASTER IDENTIFIED BY <password>;
GRANT EXECUTE ON SYS.DBMS_REDACT TO DBMASTER;
GRANT DBA TO DBMASTER;

CREATE USER SEVAYYILMAZ IDENTIFIED BY <password>;
GRANT CONNECT TO SEVAYYILMAZ;
GRANT RESOURCE TO SEVAYYILMAZ;
ALTER USER SEVAYYILMAZ DEFAULT ROLE ALL;
GRANT SELECT ANT TABLE TO SEVAYYILMAZ;

The following grant must be given to the user with whom the redaction process will be performed. Connect DBMASTER user;

grant execute on sys.dbms_redact to DBMASTER;

create table payment_details (
  id          number       not null,
  customer_id number       not null,
  card_no     number       not null,
  card_string varchar2(19) not null,
  expiry_date date         not null,
  sec_code    number       not null,
  valid_date  date,
  constraint payment_details_pk primary key (id)
);

insert into payment_details values (1, 1001, 1234123412341234, '1234-1234-1234-1234', trunc(add_months(sysdate,12)), 123, null);
insert into payment_details values (2, 1002, 2345234523452345, '2345-2345-2345-2345', trunc(add_months(sysdate,12)), 234, null);
insert into payment_details values (3, 1003, 3456345634563456, '3456-3456-3456-3456', trunc(add_months(sysdate,12)), 345, null);
insert into payment_details values (4, 1004, 4567456745674567, '4567-4567-4567-4567', trunc(add_months(sysdate,12)), 456, null);
insert into payment_details values (5, 1005, 5678567856785678, '5678-5678-5678-5678', trunc(add_months(sysdate,12)), 567, null);
insert into payment_details values (6, 1006, 6786786786786786, '6786-6786-6786-6786', trunc(add_months(sysdate,12)), 678, null);
insert into payment_details values (7, 1007, 7897897897897891, '7897-7897-7897-7897', trunc(add_months(sysdate,12)), 789, null);
insert into payment_details values (8, 1008, 8910111213141516, '8910-8910-8910-8910', trunc(add_months(sysdate,12)), 910, null);
insert into payment_details values (9, 1009, 9998887776665554, '9998-9998-9998-9998', trunc(add_months(sysdate,12)), 112, null);
commit;


Add Policy:

begin
  dbms_redact.add_policy(
    object_schema =>  schema_name,
    object_name   => 'table_name',
    column_name   => 'column_name',
    policy_name   => 'policyname_whatyouwant',
    function_type => dbms_redact.functiontype
  );
end;
/


Full Redaction:

A full redaction policy is placed on the CARD_NO column with an expression of “1=1”.

begin
  dbms_redact.add_policy(
    object_schema =>  user,
    object_name   => 'payment_details',
    column_name   => 'card_no',
    policy_name   => 'redact_card_info',
    function_type => dbms_redact.full,
    expression    => '1=1'
  );
end;
/



Partial Redaction:

function_parameters is display 1st to 12th digits as 1.

begin
  dbms_redact.alter_policy (
    object_schema       => user,
    object_name         => 'payment_details',
    policy_name         => 'redact_card_info',
    action              => dbms_redact.modify_column,
    column_name         => 'card_no',
    function_type       => dbms_redact.partial,
    function_parameters => '1,1,12'
  );
end;
/



Another Example
: function_parameters is display 1st to 12th digits as 6.

begin
  dbms_redact.alter_policy (
    object_schema       => user,
    object_name         => 'payment_details',
    policy_name         => 'redact_card_info',
    action              => dbms_redact.modify_column,
    column_name         => 'card_no',
    function_type       => dbms_redact.partial,
    function_parameters => '6,1,12'
  );
end;
/



Let’s give an another example:

Show the values of the digits from 1 to 12 with a # sign.

begin
  dbms_redact.alter_policy (
    object_schema       => user,
    object_name         => 'payment_details',
    policy_name         => 'redact_card_info',
    action              => dbms_redact.add_column,
    column_name         => 'card_string',
    function_type       => dbms_redact.partial,
    function_parameters => 'vvvvfvvvvfvvvvfvvvv,vvvv-vvvv-vvvv-vvvv,#,1,12'
  );
end;
/

DBMASTER BİLGİ TEKNOLOJİLERİ A.Ş.
www.dbmaster.com.tr

SEVAY YILMAZ
Database Operations Manager

Share This