Available Redaction Methods
• None: No redaction is performed.
• Full: Columns are redacted to constant values based on the column data type.
• Partial: User-specified positions are replaced by a user-specified character.
• Random: The data type is preserved and different values are output each time.
• Regular Expression: A “match and replace” based on parameters is performed.
What Is a Redaction Policy?
The redaction policy dictates:
• What to redact, as specified by:
– Schema name (OBJECT_SCHEMA)
– Object name (OBJECT_NAME)
– Column name (COLUMN_NAME)
• How to redact, as specified by:
– Function type (FUNCTION_TYPE)
– Function parameters (FUNCTION_PARAMETERS) or regular expression parameters (REGEXP_*)
• When to redact, as specified in a policy expression (EXPRESSION)
When you create the policy, you can provide only one “how to redact” specification.
• You cannot redact SYS or SYSTEM schema objects.
• You cannot redact virtual columns.
• You cannot redact columns of specific data types.
• You can apply VPD policies only to columns that have not been redacted.
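The following is an added example, not part of the original slides, showing the three parts of a policy (what, how, when) in one DBMS_REDACT.ADD_POLICY call. The HR_APP schema, the EMPLOYEES table, the EMP_REDACT policy name and the PAYROLL_ADMIN account are hypothetical; the expression follows the default-deny pattern, so the column is redacted for every session except the one named account.

```sql
-- Added example (not from the original slides). The HR_APP schema, the
-- EMPLOYEES table and the PAYROLL_ADMIN user are hypothetical names.
CREATE TABLE hr_app.employees (
  emp_id   NUMBER PRIMARY KEY,
  emp_name VARCHAR2(60),
  ssn      VARCHAR2(11),      -- constructed sample data, stored as NNN-NN-NNNN
  email    VARCHAR2(80),
  salary   NUMBER(10,2)
);

INSERT INTO hr_app.employees
  VALUES (1, 'Ada Example', '123-45-6789', 'ada@example.com', 98000);
COMMIT;

-- What:  HR_APP.EMPLOYEES.SALARY
-- How:   FULL redaction (a NUMBER column is returned as the constant 0)
-- When:  the expression is TRUE, i.e. for every session whose user is NOT
--        PAYROLL_ADMIN. Redaction is the default; clear text is the exception.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'EMPLOYEES',
    policy_name   => 'EMP_REDACT',
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL,
    expression    => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'PAYROLL_ADMIN']',
    enable        => TRUE);
END;
/

-- Verify the policy and the column it covers through the data dictionary.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE object_name = 'EMPLOYEES';

SELECT object_owner, object_name, column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_name = 'EMPLOYEES';

-- A session other than PAYROLL_ADMIN (and other than SYS, which is always
-- exempt) now sees salary = 0 for every row.
SELECT emp_id, emp_name, salary FROM hr_app.employees;
```

The policy expression is evaluated per statement, so the test in a session that does not match the exception is the quickest way to confirm the policy is actually in force before relying on it.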
Managing Redaction Policies
• You use the procedures in the DBMS_REDACT package to manage redaction policies:
– ADD_POLICY: Add a redaction policy to a table.
– DROP_POLICY: Remove a redaction policy from a table.
– ALTER_POLICY: Change a redaction policy.
– ENABLE_POLICY: Enable a redaction policy after it is disabled.
– DISABLE_POLICY: Disable a redaction policy.
• EXECUTE privilege on DBMS_REDACT is required to execute the procedures.
• Enterprise Manager Cloud Control 12c supports Oracle Data Redaction.
Use the DBMS_REDACT.ALTER_POLICY procedure to alter an existing redaction policy as follows:
• Modify the policy expression.
• Modify the type of redaction for a specified column.
• Modify the function parameters for a specified column.
• Add a column to the redaction policy.
• Remove a column from the redaction policy.
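The following is an added example, not part of the original slides, walking through each of the five DBMS_REDACT.ALTER_POLICY actions listed above against the hypothetical HR_APP.EMPLOYEES table and EMP_REDACT policy. The host name and user in the expression are assumed values.

```sql
-- Added example (not from the original slides). HR_APP, EMPLOYEES, EMP_REDACT,
-- PAYROLL_ADMIN and the host name payroll-ws01 are hypothetical.

-- 1. Modify the policy expression: clear text only for PAYROLL_ADMIN connecting
--    from one named workstation; everyone else is redacted.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'EMPLOYEES',
    policy_name   => 'EMP_REDACT',
    action        => DBMS_REDACT.MODIFY_EXPRESSION,
    expression    => q'[NOT (SYS_CONTEXT('USERENV','SESSION_USER') = 'PAYROLL_ADMIN'
                             AND SYS_CONTEXT('USERENV','HOST') = 'payroll-ws01')]');
END;
/

-- 2. Add a column with PARTIAL redaction: mask positions 1-5 of the SSN with '*'
--    and keep the last four digits (input format, output format, mask, start, end).
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'HR_APP',
    object_name         => 'EMPLOYEES',
    policy_name         => 'EMP_REDACT',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5');
END;
/

-- 3. Add a column with REGEXP redaction using the package's built-in
--    e-mail pattern and replacement constants.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema          => 'HR_APP',
    object_name            => 'EMPLOYEES',
    policy_name            => 'EMP_REDACT',
    action                 => DBMS_REDACT.ADD_COLUMN,
    column_name            => 'EMAIL',
    function_type          => DBMS_REDACT.REGEXP,
    regexp_pattern         => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string  => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position        => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence      => DBMS_REDACT.RE_ALL,
    regexp_match_parameter => DBMS_REDACT.RE_CASE_INSENSITIVE);
END;
/

-- 4. Modify the type of redaction for SALARY: FULL (constant 0) -> RANDOM.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'EMPLOYEES',
    policy_name   => 'EMP_REDACT',
    action        => DBMS_REDACT.MODIFY_COLUMN,
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.RANDOM);
END;
/

-- 5. Remove a column from the policy (EMAIL is returned in clear text again).
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'EMPLOYEES',
    policy_name   => 'EMP_REDACT',
    action        => DBMS_REDACT.DROP_COLUMN,
    column_name   => 'EMAIL');
END;
/

-- Confirm the end state: SSN partial, SALARY random, EMAIL no longer listed.
SELECT column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'HR_APP' AND object_name = 'EMPLOYEES'
 ORDER BY column_name;
```

Each ALTER_POLICY call changes one thing; a change to the expression applies to every column in the policy, while the column-level actions leave the other columns untouched, which is why the dictionary query at the end is worth running after a batch of changes.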
Exempting Users from Redaction Policies
• Conditions included in policy expressions may allow users to see actual data.
• SYS is exempt from all redaction policies.
• Grant the EXEMPT REDACTION POLICY system privilege to exempt other users from all redaction policies.
• Best Practices:
– Use default deny (white list) conditions in policy expressions.
– Grant the EXEMPT REDACTION POLICY privilege judiciously to ensure that the redaction policies are enforced appropriately.
The SYS user is exempt from redaction policies and is able to view actual values for data.
If other users need access to the actual values, you must grant them the EXEMPT REDACTION POLICY system privilege. This privilege exempts the users from all redaction policies.
Users who are granted the DBA role are also exempt from redaction policies because the DBA role contains the EXP_FULL_DATABASE role, which is granted the EXEMPT REDACTION POLICY system privilege.
Because applications may need to perform CREATE TABLE AS SELECT operations that involve redacted source columns, you can grant the application the EXEMPT DDL REDACTION POLICY system privilege.
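The following is an added example, not part of the original slides. It shows the two grants described above and, more importantly for the “grant judiciously” best practice, a review query that lists every user who can bypass redaction either by a direct grant or through a role chain such as DBA -> EXP_FULL_DATABASE -> EXEMPT REDACTION POLICY. The PAYROLL_AUDITOR and HR_APP accounts are hypothetical.

```sql
-- Added example (not from the original slides). PAYROLL_AUDITOR and HR_APP
-- are hypothetical accounts.

-- A named user who must see actual values: exempt from ALL redaction policies.
GRANT EXEMPT REDACTION POLICY TO payroll_auditor;

-- An application that runs CREATE TABLE AS SELECT over redacted source columns
-- but whose ordinary queries should stay redacted.
GRANT EXEMPT DDL REDACTION POLICY TO hr_app;

-- Review 1: direct grants of either exemption privilege.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('EXEMPT REDACTION POLICY', 'EXEMPT DDL REDACTION POLICY')
 ORDER BY privilege, grantee;

-- Review 2: grants that arrive through roles. The recursive query expands each
-- grantee's role memberships transitively, then matches roles that themselves
-- hold the privilege (the DBA role qualifies via EXP_FULL_DATABASE).
WITH role_graph (grantee, effective_role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT g.grantee, p.granted_role
    FROM role_graph g
    JOIN dba_role_privs p ON p.grantee = g.effective_role
)
SELECT DISTINCT u.username       AS exempt_user,
                g.effective_role AS via_role,
                s.privilege
  FROM role_graph g
  JOIN dba_sys_privs s ON s.grantee = g.effective_role
  JOIN dba_users     u ON u.username = g.grantee
 WHERE s.privilege = 'EXEMPT REDACTION POLICY'
 ORDER BY exempt_user, via_role;
```

Running the second query after every role change is the practical way to catch an exemption that was never granted on purpose: a user given DBA for an unrelated reason is exempt from every redaction policy from that moment on.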