Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 
 Home
 E-mail Us
 Oracle Articles
 New Oracle Articles


 Oracle Training
 Oracle Tips
 Oracle Forum
 Class Catalog


 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Analysis
 Design
 Implementation
 Oracle Support


 SQL Tuning
 Security
 Oracle UNIX
 Oracle Linux
 Monitoring
 Remote support
 Remote plans
 Remote services
 Application Server
 Applications
 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support
 Remote Support  
 Development  
 Implementation


 Consulting Staff
 Consulting Prices
 Help Wanted!

 


  Oracle Posters
 Oracle Books
  Oracle Scripts
 Ion
 Excel-DB  

Don Burleson Blog 


 

 

 


 

 
 
 

dbms_redact data redaction tips

Oracle Database Tips by Donald BurlesonJune 25, 2013

 

Question:  What does the Oracle data redaction feature do in Oracle 12c?

Answer:  The data redaction feature, first introduced in Oracle 12c, allows for the masking of sensitive data from the end-user layer. Prior to Oracle 12c, you had to create views to "hide" sensitive column (pay rate, social_security_number, credit card numbers, etc.), but in 12c and beyond you can use the data redaction feature.

Any online user has experienced data redaction, which amounts to the replacement of sensitive data with asterisk list or other descriptive "masked" data.

In traditional data redaction, the data is never visible to the end-user and it is hidden via the use of views or via virtual private databases (VPD).  Unlike views and VPD's, the data remaining unchanged at the database level and it is only "hidden from viewing".

Examples of data redaction include:

             Password:    **********
   Credit card number:    0000-0000-0000-0000-3632   

For example, an end-user can updated a redacted data column, but they are unable to see the previous value of the data.  Oracle data redaction uses a package called dbms_redact, and allow for the control of the data masking at the application layer.

The Oracle docs have an example of using the dbms_redact for data redaction.  The base procedure is the add_policy procedure:

BEGIN
   DBMS_REDACT.ADD_POLICY(
     object_schema        => 'scott',
     object_name          => 'emp',
     column_name          => 'social_security_number',
     policy_name          => 'emp_ssn',
     function_type        => DBMS_REDACT.PARTIAL,
     function_parameters  => '*,1,5',
     expression           => '1=1');
END;

The dbms_redact policy prevents disclosure of redacted data at many levels:

  • CTAS - Redacted data is cannot be displayed:

create table temp as select emp_name, salary from employee;

ORA-28001 - Insufficient privileges - The command referenced a redacted object.

  • Data Pump Export (expdp) - Export will not allow a redacted object to be exported.

New privileges with dbms_redact.  The following new privileges are required to bypass dbms_redact:

  • exempt redaction policy
  • exempt DDL redaction policy
  • exempt DML redaction policy

The dbms_redact procedure introduces the following of ORA-error messages for data redaction.

ORA-28060 - A Data Redaction policy already exists on this column.
 
ORA-28061 - This object cannot have a Data Redaction policy defined on it.
 
ORA-28062 - The policy expression is too long.
 
ORA-28063 - The policy expression is empty.
 
ORA-28064 - The type of redaction function is not valid.
 
ORA-28066 - Invalid column column
 
ORA-28069 - A Data Redaction policy already exists on this object.
 
ORA-28073 - The column column_name has an unsupported datatype.
 
ORA-28074 - The field field_name of the masking parameters is not valid

The "field" value can be any of the following:
 
◦REDACT_PARTIAL_INPUT_FORMAT
 
◦REDACT_PARTIAL_OUTPUT_FORMAT
 
◦REDACT_PARTIAL_MASKCHAR
 
◦REDACT_PARTIAL_MASKFROM
 
◦REDACT_PARTIAL_MASKTO
 
◦REDACT_PARTIAL_DATE_MONTH
 
◦REDACT_PARTIAL_DATE_DAY
 
◦REDACT_PARTIAL_DATE_YEAR
 
◦REDACT_PARTIAL_DATE_HOUR
 
◦REDACT_PARTIAL_DATE_MINUTE
 
◦REDACT_PARTIAL_DATE_SECOND

See Table 119-3 and Table 119-4 for examples of the field contents and field ordering.
 
ORA-28075 - The policy expression has unsupported functions
 
ORA-28076 - An attribute was not specified for SYS_SESSION_ROLES
 
ORA-28077 - The attribute specified (attribute) exceeds the maximum length
 
ORA-28078 - A regular expression parameter is missing or invalid
 
ORA-28082 - The parameter parameter is invalid (where the possible values are function_parameters, column_description , policy_name and policy_description )
 
ORA-28085 - The input and output lengths of the redaction do not match.

   
Oracle Training from Don Burleson 

The best on site "Oracle training classes" are just a phone call away! You can get personalized Oracle training by Donald Burleson, right at your shop!
Oracle training
  
 

 
 

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


                    









Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


 

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

 

 
��  
 
 
Oracle Training at Sea
 
 
 
 
oracle dba poster
 

 
Follow us on Twitter 
 
Oracle performance tuning software 
 
Oracle Linux poster