Conclusiones

Configuring Oracle Data Redaction Policies 5-3 4. Decide on the type of redaction that you want to perform: full, random, partial,

regular expressions, or none.

5. Decide which users to apply the Data Redaction policy to.

6. Based on this information, create the Data Redaction policy by using the DBMS_ REDACT.ADD_POLICY procedure.

7. Configure the policy to have additional columns to be redacted, as described in

"Redacting Multiple Columns" on page 5-30.

After you create the Data Redaction policy, it is automatically enabled and ready to redact data.

General Syntax of the DBMS_REDACT.ADD_POLICY Procedure

To create a Data Redaction policy, use the DBMS_REDACT.ADD_POLICY procedure. The complete syntax is as follows:

DBMS_REDACT.ADD_POLICY ( DBMS_REDACT.ADD_POLICY (

object_schema IN VARCHAR2 := NULL, object_name IN VARCHAR2 := NULL, policy_name IN VARCHAR2, policy_description IN VARCHAR2 := NULL, column_name IN VARCHAR2 := NULL, column_description IN VARCHAR2 := NULL,

function_type IN BINARY_INTEGER := DBMS_REDACT.FULL, function_parameters IN VARCHAR2 := NULL,

expression IN VARCHAR2, enable IN BOOLEAN := TRUE, regexp_pattern IN VARCHAR2 := NULL, regexp_replace_string IN VARCHAR2 := NULL, regexp_position IN BINARY_INTEGER :=1, regexp_occurrence IN BINARY_INTEGER :=0, regexp_match_parameter IN VARCHAR2 := NULL);

In this specification:

■ object_schema: Specifies the schema of the object on which the Data Redaction policy will be applied. If you omit this setting (or enter NULL), then Oracle Database uses the current user’s name. Be aware that the meaning of "current user" here can change, depending on where you invoke the DBMS_REDACT.ADD_ POLICY procedure.

For example, suppose user mpike grants user fbrown the EXECUTE privilege on a definer’s rights PL/SQL package called mpike.protect_data in mpike’s schema. From within this package, mpike has coded a procedure called protect_cust_ data, which invokes the DBMS_REDACT.ADD_POLICY procedure. User mpike has set the object_schema parameter to NULL.

When fbrown invokes the protect_cust_data procedure in the mpike.protect_ data package, Oracle Database attempts to define the Data Redaction policy around the object cust_data in the mpike schema, not the cust_data object in the schema that belongs to fbrown.

■ object_name: Specifies the name of the table or view to which the Data Redaction policy applies.

■ policy_name: Specifies the name of the policy to be created. Ensure that this name is unique in the database instance. You can find a list of existing Data Redaction

General Syntax of the DBMS_REDACT.ADD_POLICY Procedure

policies by querying the POLICY_NAME column of the REDACTION_POLICIES data dictionary view.

■ policy_description: Specifies a brief description of the purpose of the policy.

■ column_name: Specifies the column whose data you want to redact. Note the following:

– You can apply the Data Redaction policy to multiple columns. If you want to apply the Data Redaction policy to multiple columns, then after you use DBMS_ REDACT.ADD_POLICY to create the policy, run the DBMS_REDACT.ALTER_POLICY

procedure as many times as necessary to add each of the remaining required columns to the policy. See "Altering an Oracle Data Redaction Policy" on page 5-27.

– Only one policy can be defined on a table or view. You can, however, create a new view on the table, and by defining a second redaction policy on this new view, you can choose to redact the columns in a different way when a query is issued against this new view. When deciding how to redact a given column, Oracle Database uses the policy of the earliest view in a view chain. See

"Example: How Oracle Data Redaction Affects Tables and Views" on page 5-33 for more information about using Data Redaction policies with views.

– If you do not specify a column (for example, by entering NULL), then no columns are redacted by the policy. This enables you to create your policies so that they are in place, and then later on, you can add the column

specification when you are ready.

– Do not use a column that is currently used in an Oracle Virtual Private Database (VPD) row filtering condition. In other words, the column should not be part of the VPD predicate generated by the VPD policy function. See

"Oracle Data Redaction and Oracle Virtual Private Database" on page 6-2 for more information about using Data Redaction with VPD.s

– You cannot define a Data Redaction policy on a virtual column. In addition, you cannot define a Data Redaction policy on a column that is involved in the SQL expression of any virtual column.

■ column_description: Specifies a brief description of the column that you are redacting.

■ function_type: Specifies a function that sets the type of redaction. See the following sections for more information:

– "Syntax for Creating a Full Redaction Policy" on page 5-8

– "Syntax for Creating a Partial Redaction Policy" on page 5-12

– "Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19

– "Syntax for Creating a Random Redaction Policy" on page 5-24

– "Syntax for Creating a Policy with No Redaction" on page 5-26

If you omit the function_type parameter, then the default redaction function_ type setting is DBMS_REDACT.FULL.

■ function_parameters: Specifies how the column redaction should appear for partial redaction. See "Syntax for Creating a Partial Redaction Policy" on page 5-12.

■ expression: Specifies a Boolean SQL expression to determine how the policy is applied. Redaction takes place only if this policy expression evaluates to TRUE. See