3.1 About Oracle Data Redaction Policies

An Oracle Data Redaction policy defines the conditions in which redaction must occur.

A Data Redaction policy has the following characteristics:

  • Oracle Data Redaction polices are applied to tables, views, or materialized views. You can apply only one policy on each object.

  • The Data Redaction policy defines the following:
    • What to redact
    • How the redaction should occur
    • When the redaction takes place

  • A Data Redaction policy can fully redact values, partially redact values, or randomly redact values. In addition, you can define a Data Redaction policy to not redact any data at all, for when you want to test your policies in a test environment.

  • A Data Redaction policy can be defined with a policy expression which allows for different application users to be presented with either redacted data or actual data, based on whether the policy expression returns TRUE or FALSE. Redaction takes place when the boolean result of evaluating the policy expression is TRUE. For security reasons, the functions and operators that can be used in the policy expression are limited to SYS_CONTEXT and a few others. User-created functions are not allowed. Policy expressions can make use of the SYS_SESSION_ROLES namespace with the SYS_CONTEXT function to check for enabled roles.

  • Different named Data Redaction policy expressions can be created and then applied individually for different columns within the same table or view.

  • Oracle Database performs the redaction at execution time, just before the data is returned to the query.

Table 3-1 lists the procedures in the DBMS_REDACT package.

Table 3-1 DBMS_REDACT Procedures

Procedure Description

DBMS_REDACT.ADD_POLICY

Adds a Data Redaction policy to a table or view

DBMS_REDACT.ALTER_POLICY

Modifies a Data Redaction policy

DBMS_REDACT.APPLY_POLICY_EXPR_TO_COL

Applies a named Data Redaction policy expression to a table or view column

DBMS_REDACT.CREATE_POLICY_EXPRESSION

Creates a named Data Redaction policy expression

DBMS_REDACT.DISABLE_POLICY

Disables a Data Redaction policy

DBMS_REDACT.DROP_POLICY

Drops a Data Redaction policy

DBMS_REDACT.DROP_POLICY_EXPRESSION

Drops a named Data Redaction policy expression

DBMS_REDACT.ENABLE_POLICY

Enables a Data Redaction policy

DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES

Globally updates the full redaction value for a given data type. You must restart the database instance before the updated values can be used.

DBMS_REDACT.UPDATE_POLICY_EXPRESSION

Updates a named Data Redaction policy expression

Related Topics

Parent topic: Configuring Oracle Data Redaction Policies