Data Redaction ( dbms_redact ) in Oracle Database -1

Hi,

I will explain Data Redaction in Oracle Database in this article.

 

You can show critical data differently to unauthorized and unintended users in the Oracle database. Data Redaction does not change data on the physical disk such as the Transparent data Encryption feature, but only when the unauthorized users want to see the data, they can see masked or redacted data.

 

TDE

 

 

 

 

If you want to learn more Security options of Oracle database, you can read the following post.

Transparent Data Encryption ( TDE ) in Oracle

 

Oracle Data Redaction does not affect on Backup / Restore, Upgrade, Patch. Oracle Data Redaction has 4 different methods according to the purpose of use like following.

  • Full Redaction
  • Partial Redaction
  • RegExp Redaction
  • Random Redaction

 

 

Data Redaction

 

 

When we examine above 4 methods, we can understand very well what method does with practical exams. I usually use the Random method to be more secure. Because same Data seems differently to unauthorized users for every query in the random redaction and this is very important for the security of our data.

 

Data Redaction2

 

Let’s go and apply Random Data Redaction method  to the Card number, Card expire month and Card expire year columns in the CREDIT_CARD_INF table under TEST Schema. Data Redaction operations can be done in Oracle’s DBMS_REDACT package.

We can create Data Redaction process with the ADD_POLICY procedure. The authorized user in this example will be a TEST user and other users will be exposed to Data Redaction and see different data or Redacted data for every query.

 BEGIN
 DBMS_REDACT.ADD_POLICY (
 OBJECT_SCHEMA => 'TEST',
 object_name => 'CREDIT_CARD_INF',
 policy_name => 'CC_Redaction',
 expression => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') != ''TEST'' OR SYS_CONTEXT(''USERENV'', ''SESSION_USER'') IS NULL');  
 END;   

Create the rule of the Random Redaction procedure for the columns ( Card number, Card expire month and Card expire year )  with the ALTER_POLICY procedure

 

 BEGIN
 DBMS_REDACT.ALTER_POLICY (
 OBJECT_SCHEMA => 'TEST',
 object_name => 'CREDIT_CARD_INF',
 policy_name => 'CC_Redaction',
 action => DBMS_REDACT.ADD_COLUMN,
 column_name => '"CARD_NUMBER"',
 function_type => DBMS_REDACT.RANDOM);
 END;
/

BEGIN
 DBMS_REDACT.ALTER_POLICY (
 OBJECT_SCHEMA => 'TEST',
 object_name => 'CREDIT_CARD_INF',
 policy_name => 'CC_Redaction',
 action => DBMS_REDACT.ADD_COLUMN,
 column_name => '"CARD_EXP_YEAR"',
 function_type => DBMS_REDACT.RANDOM);
 END;
/
BEGIN
 DBMS_REDACT.ALTER_POLICY (
 OBJECT_SCHEMA => 'TEST',
 object_name => 'CREDIT_CARD_INF',
 policy_name => 'CC_Redaction',
 action => DBMS_REDACT.ADD_COLUMN,
 column_name => '"CARD_EXP_MONTH"',
 function_type => DBMS_REDACT.RANDOM);
 END;
/

 

 

 

After successfully executing  PL / SQL code, When we query related table with Unauthorized user, we will see different data or redacted data.

 

SQL> SELECT * FROM TEST.CREDIT_CARD_INF;

redaction 1

 

 

 

When we run the above query again, CARD_NUMBER, CARD_EXP_MONTH and CARD_EXP_YEAR are randomly changed.

 

redaction 2

 

 

 

 

Do you want to learn Oracle Database for Beginners, then read the following articles.

https://ittutorial.org/oracle-database-19c-tutorials-for-beginners/

About Mehmet Salih Deveci

I am Founder of SysDBASoft IT and IT Tutorial and Certified Expert about Oracle & SQL Server database, Goldengate, Exadata Machine, Oracle Database Appliance administrator with 10+years experience.I have OCA, OCP, OCE RAC Expert Certificates I have worked 100+ Banking, Insurance, Finance, Telco and etc. clients as a Consultant, Insource or Outsource.I have done 200+ Operations in this clients such as Exadata Installation & PoC & Migration & Upgrade, Oracle & SQL Server Database Upgrade, Oracle RAC Installation, SQL Server AlwaysOn Installation, Database Migration, Disaster Recovery, Backup Restore, Performance Tuning, Periodic Healthchecks.I have done 2000+ Table replication with Goldengate or SQL Server Replication tool for DWH Databases in many clients.If you need Oracle DBA, SQL Server DBA, APPS DBA,  Exadata, Goldengate, EBS Consultancy and Training you can send my email adress [email protected].-                                                                                                                                                                                                                                                 -Oracle DBA, SQL Server DBA, APPS DBA,  Exadata, Goldengate, EBS ve linux Danışmanlık ve Eğitim için  [email protected] a mail atabilirsiniz.

Leave a Reply

Your email address will not be published. Required fields are marked *