Column masking is a simple way to hide you valuable data from certain users without having to apply encrypt/decrypt techniques and increase the column width to accommodate the new string like the old times. Through some simple configuration you can create policies to show your important columns as null without rewriting a single line of code on your application side.
There are 3 steps for accomplish column masking:
- A function to be used by the policy (function policy) created in next step.
- Use dbms_rls package to create the policy.
- Assign “exempt access policy” to users to be excluded from the policy. These users can see all data with no masking.
Step 1: Create Function Policy
This function will be called be the policy to create the column masking. Function name can be any name you select. In my case I called vpd_function. If predicate evaluated to true, then data will to show to all users. In my case I made sure that function will always evaluate to false by looking for (rowid = 0) which will never be true. I suggest creating the function under system account.
CREATE OR REPLACE FUNCTION vpd_function (obj_owner IN VARCHAR2, obj_name IN VARCHAR2) RETURN VARCHAR2 AS BEGIN RETURN 'rowid = ''0'''; END vpd_function; /
Step 2: Create Policy
BEGIN DBMS_RLS.ADD_POLICY(object_schema=> 'SCOTT', object_name=> 'EMP', policy_name=> 'scott_emp_policy', function_schema=> 'SYSTEM', policy_function=> 'vpd_function', sec_relevant_cols=> 'JOB', policy_type => DBMS_RLS.SHARED_STATIC, sec_relevant_cols_opt=> dbms_rls.ALL_ROWS); END; /
Step 3: Exclude Some Users from Policy
Users who need to see all the data without any masking need to be granted “exempt access policy”
- Dropping a table that has a policy will drop the policy but not the function policy.
- Renaming the table will NOT drop the policy or disable it. The policy will remain active.
- Export/Import will also export/import the policy along with the table, but will not export/import the function policy.
- When exporting a table under a policy, make sure the user exporting the table has “exempt access policy” grant, otherwise, the column under the policy will always be null and column data will be lost.
Some Important Views
Senior Oracle DBA