Oracle 12c - Data Redaction
2013-12-17 13:30
Env
Virtualbox + Oracle Linux 64bit 6.4 + Oracle database 12.1
Introduction
A new security feature is introduced in 12c, one of the top-10 favourite new features of Tom Kyte. It's also known as data masking. Data redaction hides sensitive data from low-privileged users. For example, your credit card number and date of birth should be masked in a CRM application.
Data redaction takes place on the fly; it does not change the data in the database. Data redaction does not apply to users with "EXEMPT REDACTION POLICY". SYSDBA and DBA are not affected by data redaction.
Adding a new redaction policy:
begin
  dbms_redact.add_policy(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    column_name   => 'SALARY',
    policy_name   => 'SALARY_REDACTION',
    function_type => dbms_redact.FULL,
    expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR'' OR SYS_CONTEXT(''USERENV'',''SESSION_USER'') IS NULL'
  );
end;
/
Privilege
The user needs execute privilege on dbms_redact, even if the user is the owner of the object. Say user hr wants to add a redaction policy to table employees, hiding column salary. He is not allowed to do so until he gets execute privilege on dbms_redact. See the error as follows:
ORA-06550: line 6, column 43:
PLS-00201: identifier 'DBMS_REDACT' must be declared
SQL> connect sys/123456@pdborcl as sysdba;
Connected.
SQL> show user;
USER is "SYS"
SQL> grant execute on dbms_redact to hr;
Grant succeeded.
Execute add_policy again and you're all set.
Observing policies in the database:
select * from redaction_policies;
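An audit query set for two points made above, the REDACTION_POLICIES view and the "EXEMPT REDACTION POLICY" exemption. It is an added example, not part of the original post, and it assumes a session that can read the DBA_* dictionary views and the 12.1 rule of one redaction policy per table or view.

```sql
-- Added example: review what is redacted and who bypasses redaction.
-- Assumption: the session can query REDACTION_* and DBA_* dictionary views.

-- 1. Each redacted column with its policy, redaction type and condition.
--    The join is on owner + object because 12.1 allows one policy per object.
SELECT p.object_owner,
       p.object_name,
       c.column_name,
       p.policy_name,
       c.function_type,
       c.function_parameters,
       p.enable,
       p.expression
FROM   redaction_policies p
JOIN   redaction_columns  c
       ON  c.object_owner = p.object_owner
       AND c.object_name  = p.object_name
ORDER  BY p.object_owner, p.object_name, c.column_name;

-- 2. Users or roles granted EXEMPT REDACTION POLICY directly.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT REDACTION POLICY';

-- 3. Database users who see unredacted data, either through a direct grant
--    or through any chain of roles that ends in the privilege.
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege = 'EXEMPT REDACTION POLICY'
         UNION
         SELECT rp.grantee
         FROM   dba_role_privs rp
         START WITH rp.granted_role IN (
                  SELECT grantee
                  FROM   dba_sys_privs
                  WHERE  privilege = 'EXEMPT REDACTION POLICY')
         CONNECT BY PRIOR rp.grantee = rp.granted_role
       )
ORDER  BY u.username;
```

Query 3 is the one to compare against the list of accounts that are supposed to see real salaries; any application or reporting account that shows up there is not protected by the policy.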
Examine the data redaction
Log in as nobody, who has select privilege on hr.employees.
select first_name, last_name, salary from hr.employees;
FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                               0
Neena                Kochhar                            0
Lex                  De Haan                            0
Drop the redaction policy
EXEC DBMS_REDACT.DROP_POLICY('HR','EMPLOYEES','SALARY_REDACTION');
Changing the display format:
begin
  dbms_redact.alter_policy(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    policy_name         => 'SALARY_REDACTION',
    action              => dbms_redact.MODIFY_COLUMN,
    column_name         => 'SALARY',
    function_type       => dbms_redact.partial,
    function_parameters => '9,1,8'
  );
end;
/
SQL> select first_name, last_name, salary from hr.employees where rownum <
FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                           99999
Neena                Kochhar                        99999
Lex                  De Haan                        99999