Add Data Redaction Policy
Published by : Obay Salah , November 20, 2024
To create a Data Redaction Policy, you must use the procedure DBMS_REDACT.ADD_POLICY, as follows:
DBMS_REDACT.ADD_POLICY ( object_schema IN VARCHAR2 := NULL, object_name IN VARCHAR2, policy_name IN VARCHAR2, policy_description IN VARCHAR2 := NULL, column_name IN VARCHAR2 := NULL, column_description IN VARCHAR2 := NULL, function_type IN BINARY_INTEGER := DBMS_REDACT.FULL, function_parameters IN VARCHAR2 := NULL, expression IN VARCHAR2, enable IN BOOLEAN := TRUE, regexp_pattern IN VARCHAR2 := NULL, regexp_replace_string IN VARCHAR2 := NULL, regexp_position IN BINARY_INTEGER :=1, regexp_occurrence IN BINARY_INTEGER :=0, regexp_match_parameter IN VARCHAR2 := NULL);
Object_Schema: Specifies the schema that contains the object you want to redact. If this parameter is omitted or set to Null, the current schema is used.
Object_Name: Specifies the table or view for which you want to apply the Redact.
Policy_Name: Specifies the name of the Policy you want to create. Ensure that it has a unique name within this instance. You can query the list of Redaction Policies via REDACTION_POLICIES.
policy_description: Provides a description of the Policy to specify its purpose.
column_name: Specifies the column whose data you want to redact. You can apply the Redaction Policy to multiple columns. After using the procedure DBMS_REDACT.ADD_POLICY, you can use DBMS_REDACT.ALTER_POLICY to add other columns for redaction.
column_description: Specifies a brief description for the column you want to redact.
Function_type: Specifies the type of function used for redaction. It can be (FULL, PARTIAL, or REGEXP).
If this parameter is omitted, the default function type is FULL.
Function_parameters: Specifies how the redacted data will appear for Partial Data Redaction.
This parameter is required only if DBMS_REDACT.PARTIAL = Function_type.
Expression: Specifies when the policy will be applied. The redaction occurs only if this expression evaluates to True.
Enable: If set to True, the Policy is applied. If set to False, the Redaction Policy is created without being applied. The default value is True.
regexp_pattern: Describes the pattern used to search for the data to be redacted. If a match is found, the Oracle Database replaces the data as specified by regexp_replace_string, which is a parameter used for regular expressions.
regexp_replace_string: As mentioned earlier, this specifies how you want to replace the data that will be redacted. This is also a parameter for regular expressions.
regexp_position: Specifies the starting position for searching the data. The value entered here must be a positive number indicating the start of characters in the column. The default is 1, meaning that the Oracle Database starts searching from the first character of the column data.
regexp_occurrence: Specifies how the search and replace operation is performed. The value must be a non-negative integer indicating how the replacement should occur:
- If you set the value to 0 or DBMS_REDACT.RE_ALL, the Oracle Database replaces all occurrences of matching data.
- If you set it to DBMS_REDACT.RE_FIRST, the Oracle Database replaces the first occurrence of the match.
- If you set it to a positive integer n, the Oracle Database replaces the n-th occurrence of matching data.
regexp_match_parameter: Specifies a literal string that allows you to change the default matching behavior for the Function.
For example, you can create an Oracle Data Redaction Policy for the Salary column in the HR.EMPLOYEES table as follows:
BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'hr', object_name => 'employees', column_name => 'salary', policy_name => 'hr_emp_redact_comp_pol', function_type => DBMS_REDACT.FULL, expression => '1=1'); END;
In this example, the procedure ADD_POLICY from the DBMS_REDACT package is used to define an Oracle Data Redaction Policy named hr_emp_redact_comp_po. The function type DBMS_REDACT.FULL is used, which means a full redaction of the values retrieved from the salary column, replacing the retrieved numeric values with zero (0).
Comments
no comment yet!