OCP 12C – Oracle Data Redaction

Cyrille Modiano

What is Oracle Data Redaction?

  • Oracle Data Redaction is meant to mask (redact) sensitive data returned from application queries.
  • Oracle Data Redaction doesn’t change the data on disk; the sensitive data is redacted on the fly before it is returned to the application.
  • You can redact column data by using one of the following methods:
    • Full redaction. You redact all of the contents of the column data.
    • Partial redaction. You redact a portion of the column data.
    • Regular expressions. You can use regular expressions to look for patterns of data to redact.
    • Random redaction. The redacted data presented to the querying application user appears as randomly generated values each time it is displayed, depending on the data type of the column.
    • No redaction. The None redaction type option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies defined on them.

Data Redaction

Restrictions of Data Redaction

Activities not affected by Data Redaction

  • RMAN backup
  • Export and Import
  • Replication of data
  • Patching and Upgrades
  • All activities performed as SYS/SYSTEM and users with the EXEMPT REDACTION POLICY system privilege

Restrictions

  • You can’t redact objects owned by SYS/SYSTEM
  • You can’t redact columns of specific data types
  • You can’t redact virtual columns
  • You can’t create more than one policy for a table or view.
  • If you want to add a column to the policy afterwards, you need to use the DBMS_REDACT.ALTER_POLICY procedure.

Defining Redaction Policies

  • When you create a policy, you need to define:
    • What to REDACT:
      • SCHEMA_NAME
      • OBJECT_NAME
      • COLUMN_NAME
    • When to REDACT:
      • Expression based on values derived from SYS_CONTEXT
    • How to REDACT:
      • FUNCTION_TYPE and FUNCTION_PARAMETERS
      • REGEXP (Regular Expression)

Manage your Data Redaction policies

  • DBMS_REDACT.ADD_POLICY : To add a policy to a table or a view.
  • DBMS_REDACT.ALTER_POLICY : To modify an existing policy
  • DBMS_REDACT.ENABLE_POLICY : To enable a policy
  • DBMS_REDACT.DISABLE_POLICY : To disable a policy
  • DBMS_REDACT.DROP_POLICY : To drop a policy
  • DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES : Modifies the default displayed values for a Data Redaction policy for full redaction
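The what/when/how definition and the one-policy-per-table restriction described above, put together as an added example (not code from the original post). The table APP.CUSTOMERS, its SSN and EMAIL columns, the policy name and the APP_ADMIN account are assumptions made for illustration; in DBMS_REDACT the schema is passed as the object_schema parameter.

```sql
-- Assumed (hypothetical) objects: table APP.CUSTOMERS with VARCHAR2 columns
-- SSN ('123-45-6789' format) and EMAIL, and an application account APP_ADMIN.

-- 1. Create the single policy allowed on the table: partial redaction of SSN
--    for every session except APP_ADMIN.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    column_name         => 'SSN',
    policy_name         => 'CUSTOMERS_REDACT',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''APP_ADMIN''');
END;
/

-- 2. A second column goes into the same policy through ALTER_POLICY.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'CUSTOMERS_REDACT',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '^[^@]+',      -- local part of the address
    regexp_replace_string => 'xxxx');
END;
/

-- 3. Review which policies exist and which columns they redact.
SELECT p.object_owner, p.object_name, p.policy_name, p.enable, p.expression
FROM   redaction_policies p;

SELECT c.object_owner, c.object_name, c.column_name, c.function_type
FROM   redaction_columns c;

-- 4. List grantees that see unredacted data regardless of any policy.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT REDACTION POLICY';
```

The last query only shows direct grants of the system privilege; a grantee that is a role passes the exemption on to every user holding that role.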

For more information and examples you can view the documentation here
