Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 







dbms_redact data redaction tips

Oracle Database Tips by Donald BurlesonJune 25, 2013


Question:  What does the Oracle data redaction feature do in Oracle 12c?

Answer:  The data redaction feature, first introduced in Oracle 12c, allows for the masking of sensitive data from the end-user layer. Prior to Oracle 12c, you had to create views to "hide" sensitive column (pay rate, social_security_number, credit card numbers, etc.), but in 12c and beyond you can use the data redaction feature.

Any online user has experienced data redaction, which amounts to the replacement of sensitive data with asterisk list or other descriptive "masked" data.

In traditional data redaction, the data is never visible to the end-user and it is hidden via the use of views or via virtual private databases (VPD).  Unlike views and VPD's, the data remaining unchanged at the database level and it is only "hidden from viewing".

Examples of data redaction include:

             Password:    **********
   Credit card number:    0000-0000-0000-0000-3632   

For example, an end-user can updated a redacted data column, but they are unable to see the previous value of the data.  Oracle data redaction uses a package called dbms_redact, and allow for the control of the data masking at the application layer.

The Oracle docs have an example of using the dbms_redact for data redaction.  The base procedure is the add_policy procedure:

     object_schema        => 'scott',
     object_name          => 'emp',
     column_name          => 'social_security_number',
     policy_name          => 'emp_ssn',
     function_type        => DBMS_REDACT.PARTIAL,
     function_parameters  => '*,1,5',
     expression           => '1=1');

The dbms_redact policy prevents disclosure of redacted data at many levels:

  • CTAS - Redacted data is cannot be displayed:

create table temp as select emp_name, salary from employee;

ORA-28001 - Insufficient privileges - The command referenced a redacted object.

  • Data Pump Export (expdp) - Export will not allow a redacted object to be exported.

New privileges with dbms_redact.  The following new privileges are required to bypass dbms_redact:

  • exempt redaction policy
  • exempt DDL redaction policy
  • exempt DML redaction policy

The dbms_redact procedure introduces the following of ORA-error messages for data redaction.

ORA-28060 - A Data Redaction policy already exists on this column.
ORA-28061 - This object cannot have a Data Redaction policy defined on it.
ORA-28062 - The policy expression is too long.
ORA-28063 - The policy expression is empty.
ORA-28064 - The type of redaction function is not valid.
ORA-28066 - Invalid column column
ORA-28069 - A Data Redaction policy already exists on this object.
ORA-28073 - The column column_name has an unsupported datatype.
ORA-28074 - The field field_name of the masking parameters is not valid

The "field" value can be any of the following:

See Table 119-3 and Table 119-4 for examples of the field contents and field ordering.
ORA-28075 - The policy expression has unsupported functions
ORA-28076 - An attribute was not specified for SYS_SESSION_ROLES
ORA-28077 - The attribute specified (attribute) exceeds the maximum length
ORA-28078 - A regular expression parameter is missing or invalid
ORA-28082 - The parameter parameter is invalid (where the possible values are function_parameters, column_description , policy_name and policy_description )
ORA-28085 - The input and output lengths of the redaction do not match.

Oracle Training from Don Burleson 

The best on site "Oracle training classes" are just a phone call away! You can get personalized Oracle training by Donald Burleson, right at your shop!

Oracle training



Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.



Oracle Training at Sea
oracle dba poster

Follow us on Twitter 
Oracle performance tuning software 
Oracle Linux poster