Oracle® Database Advanced Security Guide
12c Release 1 (12.1)
You can use Oracle Data Redaction with other Oracle products, such as Oracle Virtual Private Database or Oracle Enterprise Manager Data Masking Pack.
Oracle Virtual Private Database policies are unaffected by Oracle Data Redaction because the Virtual Private Database inline view, which contains the Virtual Private Database predicate, acts on actual values.
Oracle Data Redaction provides more redacting features than Oracle Virtual Private Database, which only supports NULL redacting. Many applications cannot use NULL redacting, so Data Redaction is a good solution for these applications.
Oracle Virtual Private Database policies can be static, dynamic, and context sensitive, whereas Data Redaction policies only allow static and context-sensitive policy expressions.
Data Redaction permits only one policy to be defined on a table or view, whereas you can define multiple Virtual Private Database policies on an object.
Data Redaction is applied when application users access an object that is protected by a Data Redaction policy through a synonym, but (unlike Oracle Virtual Private Database) Data Redaction does not support the creation of policies directly on the synonyms themselves.
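The following example, added here and not taken from the Oracle documentation, shows the two mechanisms coexisting on one table: a Virtual Private Database row filter and a single Data Redaction policy that covers two columns. The schema APP_OWNER, the table CUSTOMER_PII, the application context APP_CTX and its REGION attribute, and the sample rows are all constructed for the example; the executing user is assumed to hold EXECUTE on DBMS_RLS and DBMS_REDACT.

```sql
-- Added example (not from the Oracle documentation). Schema, table,
-- context and data below are constructed placeholders.
CREATE TABLE app_owner.customer_pii (
  cust_id  NUMBER PRIMARY KEY,
  region   VARCHAR2(10),
  ssn      VARCHAR2(11),
  card_no  VARCHAR2(19)
);
INSERT INTO app_owner.customer_pii VALUES (1, 'EAST', '123-45-6789', '4111111111111111');
INSERT INTO app_owner.customer_pii VALUES (2, 'WEST', '987-65-4321', '5500000000000004');
COMMIT;

-- VPD policy function: a session sees only rows for the region carried in
-- the (assumed) application context APP_CTX. The predicate is evaluated
-- against the real REGION values, untouched by redaction.
CREATE OR REPLACE FUNCTION app_owner.region_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'region = SYS_CONTEXT(''APP_CTX'', ''REGION'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'CUSTOMER_PII',
    policy_name     => 'CUST_REGION_VPD',
    function_schema => 'APP_OWNER',
    policy_function => 'REGION_PREDICATE',
    statement_types => 'SELECT,UPDATE,DELETE');
END;
/

-- The one Data Redaction policy allowed on the table. Partial redaction
-- masks the first five SSN digits for everyone except the schema owner;
-- the expression is evaluated per session (context-sensitive), there is
-- no separate "dynamic" policy type as in VPD.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP_OWNER',
    object_name         => 'CUSTOMER_PII',
    column_name         => 'SSN',
    policy_name         => 'CUST_PII_REDACT',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''APP_OWNER''');
END;
/

-- A second column is added to the SAME policy (a second policy on the
-- table would be rejected). Regular-expression redaction keeps the first
-- six and last four card digits and masks the middle.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APP_OWNER',
    object_name           => 'CUSTOMER_PII',
    policy_name           => 'CUST_PII_REDACT',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'CARD_NO',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_CC_L6_T4,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_CC_MIDDLE_DIGITS,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);
END;
/

-- From a non-owner session whose APP_CTX.REGION is 'EAST' (set by the
-- application's trusted package, not shown): VPD returns only row 1,
-- chosen on the real region value, while SSN reads XXX-XX-6789 and the
-- card number has its middle digits masked.
SELECT cust_id, region, ssn, card_no FROM app_owner.customer_pii;
```

The VPD filter decides which rows come back and the redaction policy decides what the returned column values look like; neither changes the stored data, and the row filter is unaffected by the column masking, which is the point made above about the VPD inline view acting on actual values.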
Oracle Enterprise Manager Data Masking Pack enables you to create a development or test copy of the production database, by taking the data in the production database, masking this data in bulk, and then putting the resulting masked data in the development or test copy. You can still apply Data Redaction policies to the non-production database, in order to redact columns that contain data that was already masked by Oracle Enterprise Manager Data Masking Pack.
Remember that Oracle Enterprise Manager Data Masking Pack is used to mask data sets in bulk when you want to move the data to development and test environments. Data Redaction is mainly designed for redacting at runtime for production applications in a consistent fashion across multiple applications, without having to make application code changes.
See Also:
  Oracle Database Testing Guide for more information about data masking
  "Using Oracle Data Redaction with Database Applications" for information about using Data Redaction in combination with Oracle Enterprise Manager Data Masking Pack and database applications
See Also: Oracle Database Real Application Security Administrator's and Developer's Guide for information about how you can protect table columns with custom application privileges
You can use Oracle Data Redaction in an Oracle Database Vault environment. For example, if there is an Oracle Database Vault realm around an object, a user who does not belong to the authorized list of realm owners or participants cannot see the object data, regardless of whether the user was granted the EXEMPT REDACTION POLICY privilege. If the user attempts a DML or DDL statement on the data, then error messages result.
When you use Oracle Data Redaction with Oracle Data Pump, you must consider the impact the DATAPUMP_EXP_FULL_DATABASE role has, the ramifications of exporting objects that contain Data Redaction policies, and exporting data using the
The DATAPUMP_EXP_FULL_DATABASE role includes the powerful EXEMPT REDACTION POLICY system privilege. Remember that by default the DBA role is granted the DATAPUMP_EXP_FULL_DATABASE role (as well as DATAPUMP_IMP_FULL_DATABASE). This enables users who were granted these roles to be exempt from Data Redaction policies. This means that, when you export objects with Data Redaction policies defined on them, the actual data in the protected tables is copied to the Data Pump target system without being redacted. Users with these roles, including users who were granted the DBA role, are able to see the actual data in the target system.
However, by default, all of the Data Redaction policies associated with any tables and views in the Data Pump source system are also included in the export and import operation (along with the objects themselves) and applied to the objects in the target system, so the data is still redacted when users query the objects in the target system.
If you want to use Oracle Data Pump to export or import objects that have Oracle Data Redaction policies defined on them, you can find the type names used by Oracle Data Pump for the various data redaction data dictionary metadata types by running the query described in this section. Later on, you can use these types as parameters for the INCLUDE directive to the IMPDP utility, to selectively export only metadata of these specific types to the dump file.
SELECT OBJECT_PATH FROM DATABASE_EXPORT_OBJECTS WHERE OBJECT_PATH LIKE 'RADM_%';
Output similar to the following appears:
OBJECT_PATH
------------
RADM_FPTM
RADM_POLICY
To export only the data dictionary metadata related to data redaction policies and full redaction settings, enter an EXPDP utility command similar to the following. This kind of Data Pump export could, for example, be used if you must use the same set of Data Redaction policies and settings across development, test, and production databases. Because the flag content=metadata_only is specified, the dump file does not contain any actual data.
expdp system/password \
  full=y \
  COMPRESSION=NONE \
  content=metadata_only \
  INCLUDE=RADM_FPTM,RADM_POLICY \
  directory=my_directory \
  job_name=my_job_name \
  dumpfile=my_data_redaction_policy_metadata.dmp
When you are ready to import the objects, ensure that the IMPDP utility command uses these names for the INCLUDE parameter, based on the output from querying the OBJECT_PATH column in the
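The same metadata-only round trip can be driven from PL/SQL with the DBMS_DATAPUMP API instead of the expdp and impdp command lines. The block below is an added example, not from the Oracle documentation: it assumes a directory object DP_DIR on both databases, the constructed file and job names shown, and that the caller holds DATAPUMP_EXP_FULL_DATABASE on the source and DATAPUMP_IMP_FULL_DATABASE on the target. The INCLUDE_PATH_EXPR filter carries the two RADM_ object paths returned by the DATABASE_EXPORT_OBJECTS query above, and the INCLUDE_ROWS data filter is the API equivalent of content=metadata_only.

```sql
-- Added example (not from the Oracle documentation). DP_DIR, the file
-- names and the job names are constructed placeholders.

-- 1. On the SOURCE database: export redaction policies (RADM_POLICY) and
--    the full-redaction default values (RADM_FPTM), metadata only.
DECLARE
  h          NUMBER;
  job_state  VARCHAR2(30);
BEGIN
  h := DBMS_DATAPUMP.OPEN(operation => 'EXPORT', job_mode => 'FULL',
                          job_name  => 'REDACTION_META_EXP');
  DBMS_DATAPUMP.ADD_FILE(handle => h, filename => 'redaction_meta.dmp',
                         directory => 'DP_DIR',
                         filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_DUMP_FILE);
  DBMS_DATAPUMP.ADD_FILE(handle => h, filename => 'redaction_meta_exp.log',
                         directory => 'DP_DIR',
                         filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_LOG_FILE);
  -- Equivalent of content=metadata_only: no table rows go into the dump.
  DBMS_DATAPUMP.DATA_FILTER(handle => h, name => 'INCLUDE_ROWS', value => 0);
  -- Equivalent of INCLUDE=RADM_FPTM,RADM_POLICY.
  DBMS_DATAPUMP.METADATA_FILTER(handle => h, name => 'INCLUDE_PATH_EXPR',
                                value => 'IN (''RADM_FPTM'', ''RADM_POLICY'')');
  DBMS_DATAPUMP.START_JOB(h);
  DBMS_DATAPUMP.WAIT_FOR_JOB(handle => h, job_state => job_state);
  DBMS_OUTPUT.PUT_LINE('Export job ended with state: ' || job_state);
END;
/

-- 2. On the TARGET database, after copying redaction_meta.dmp into DP_DIR:
--    import only those same object paths so nothing else in the dump
--    (there is nothing else here, but the filter documents the intent)
--    can be applied by accident.
DECLARE
  h          NUMBER;
  job_state  VARCHAR2(30);
BEGIN
  h := DBMS_DATAPUMP.OPEN(operation => 'IMPORT', job_mode => 'FULL',
                          job_name  => 'REDACTION_META_IMP');
  DBMS_DATAPUMP.ADD_FILE(handle => h, filename => 'redaction_meta.dmp',
                         directory => 'DP_DIR',
                         filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_DUMP_FILE);
  DBMS_DATAPUMP.ADD_FILE(handle => h, filename => 'redaction_meta_imp.log',
                         directory => 'DP_DIR',
                         filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_LOG_FILE);
  DBMS_DATAPUMP.METADATA_FILTER(handle => h, name => 'INCLUDE_PATH_EXPR',
                                value => 'IN (''RADM_FPTM'', ''RADM_POLICY'')');
  DBMS_DATAPUMP.START_JOB(h);
  DBMS_DATAPUMP.WAIT_FOR_JOB(handle => h, job_state => job_state);
  DBMS_OUTPUT.PUT_LINE('Import job ended with state: ' || job_state);
END;
/

-- 3. On the TARGET database: confirm what arrived. REDACTION_POLICIES
--    lists the policies (RADM_POLICY); REDACTION_VALUES_FOR_TYPE_FULL
--    shows the full-redaction defaults (RADM_FPTM).
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY object_owner, object_name;

SELECT varchar_value, number_value, date_value
  FROM redaction_values_for_type_full;
```

Because only metadata travels, the question of whether the exporting session is exempt from redaction does not arise for this job; the policies are recreated on the target, where they govern the target's own data exactly as described in the previous section.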
If you are using Oracle Data Pump to perform full database export operations using the new Data Pump default settings (direct_path), and if you receive error messages that you do not understand, then use this section to repeat the operation in such a way as to better understand the error.
If you try to use the Oracle Data Pump Export (EXPDP) utility with the access_method parameter set to direct_path to export data from a schema that contains an object that has a Data Redaction policy defined on it, then the following error message may appear and the export operation fails:
ORA-31696: unable to export/import TABLE_DATA:"schema.table" using client specified DIRECT_PATH method
This problem only occurs when you perform a schema-level export as a user who was not granted the EXP_FULL_DATABASE role. It does not occur during a full database export, which requires the EXP_FULL_DATABASE role. The EXP_FULL_DATABASE role includes the EXEMPT REDACTION POLICY system privilege, which bypasses Data Redaction policies.
To find the underlying problem, try the EXPDP invocation again, but do not set the access_method parameter to direct_path. Instead, use either external_table. The underlying problem could be a permissions problem, for example:
ORA-28081: Insufficient privileges - the command references a redacted object.
See Also: Oracle Database Utilities for more information about using Data Pump Export.
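Rather than discovering the situation from ORA-31696 after the job has already failed, a schema-level export can be checked up front. The block below is an added example, not from the Oracle documentation: for a schema name (APP_OWNER is a constructed placeholder) it lists the columns under a Data Redaction policy and reports whether the current session holds EXEMPT REDACTION POLICY, directly or through a full-database export role, so the operator knows before running EXPDP whether actual or redacted values will be exported and which error to expect if the session is not exempt.

```sql
-- Added example (not from the Oracle documentation). APP_OWNER is a
-- constructed placeholder for the schema about to be exported.
-- Requires SET SERVEROUTPUT ON in SQL*Plus to see the report.
DECLARE
  v_schema   CONSTANT VARCHAR2(128) := 'APP_OWNER';
  v_exempt   NUMBER;
  v_fullrole NUMBER;
  v_redacted NUMBER := 0;
BEGIN
  -- Is redaction bypassed for this session? SESSION_PRIVS reflects
  -- privileges held directly or through currently enabled roles.
  SELECT COUNT(*) INTO v_exempt
    FROM session_privs
   WHERE privilege = 'EXEMPT REDACTION POLICY';

  -- Which of the full-database export roles, if any, are enabled.
  SELECT COUNT(*) INTO v_fullrole
    FROM session_roles
   WHERE role IN ('EXP_FULL_DATABASE', 'DATAPUMP_EXP_FULL_DATABASE');

  -- Every redacted column in the schema; these are the objects the
  -- export will have to read.
  FOR r IN (SELECT object_name, column_name, function_type
              FROM redaction_columns
             WHERE object_owner = v_schema
             ORDER BY object_name, column_name) LOOP
    v_redacted := v_redacted + 1;
    DBMS_OUTPUT.PUT_LINE('redacted column: ' || v_schema || '.' ||
                         r.object_name || '.' || r.column_name ||
                         ' (' || r.function_type || ')');
  END LOOP;

  IF v_redacted = 0 THEN
    DBMS_OUTPUT.PUT_LINE('No Data Redaction policies in ' || v_schema ||
                         '; the access_method setting is not a factor.');
  ELSIF v_exempt > 0 THEN
    DBMS_OUTPUT.PUT_LINE('Session holds EXEMPT REDACTION POLICY' ||
      CASE WHEN v_fullrole > 0 THEN ' (through a full-database export role)' END ||
      '; the export will contain the ACTUAL values of the columns above.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Session is NOT exempt from redaction: ' ||
      'access_method=direct_path will fail with ORA-31696 on these objects; ' ||
      'rerun with access_method=external_table to see the underlying error, ' ||
      'which may be ORA-28081 (insufficient privileges on a redacted object).');
  END IF;
END;
/
```

The third branch is the case the section above describes: the failure is a consequence of the session lacking EXEMPT REDACTION POLICY, and switching away from direct_path only makes the real cause visible; it does not grant the missing privilege, which is a decision for whoever owns the redaction policies.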