Hide sensitive data with Oracle 10g column masking
by Bob Watkins
Takeaway: Oracle 10g's Virtual Private Database (VPD) feature has the ability to automatically mask out (set to NULL) certain columns in the results of a query on a row-by-row basis. This tip shows how to create a VPD policy that requests the column masking option.
<!---->
Oracle's Virtual Private Database (VPD) feature (also called Fine Grained Access Control) provides row-level security checking for DML statements such as SELECT. A PL/SQL policy function is associated with a table; the function can examine the current user context and return additional WHERE clause conditions (predicates) to be added to the query. A user or application might write:
SELECT * FROM employees;
But Oracle will actually see the statement as (for example):
SELECT * FROM employees
WHERE department_id = 60;
Therefore, only the allowed rows (those in department 60) would be returned by the query.
The new option in Oracle 10g is that you can request that Oracle return all rows the query would normally return and not just the authorized ones. However, certain columns (called "security relevant" columns) in the unauthorized rows will display as NULL instead of their actual data. All other columns will be shown as usual.
There are two things you must include in a VPD policy to enable column masking. First, you must designate certain columns as "security relevant" to create a column-level policy. Second, you must include the ALL_ROWS option to request that all rows be returned. The combination of the two parameters causes column masking to occur.
Listing A shows a policy function called rls_dept. It returns the predicate "department_id = 60," which means that for queries against the EMPLOYEES table, only rows for Department 60 will be returned. (In reality, this function would not return a static value, but would determine who the current user is and return the correct department number for that user.)
Listing B shows how that function is applied to create column masking. The ADD_POLICY procedure in the package DBMS_RLS creates a new policy called "restrict_dept_policy." The sec_relevant_cols parameter indicates that the salary and commission_pct columns are "security relevant." A query containing them is subject to the policy function, whereas a query without them is not. Finally, the sec_relevant_cols_opts parameter is set to the constant ALL_ROWS.
Column masking is only applied to SELECT statements, but it is enforced regardless of which client is used to access the database, whether it's SQL*Plus, a .NET application, or some other tool.
Miss a tip?
Check out the Oracle archive, and catch up on our most recent Oracle tips.
Bob Watkins (OCP, MCDBA, MCSE, MCT) is a computer professional with 25 years of experience as a technical trainer, consultant, and database administrator. Visit Bob's site
<newselement></newselement>
分享到:
相关推荐
Oracle 10g JDBC API Reference 是一份详细的文档,主要涵盖了Oracle数据库10g版本中用于Java编程的JDBC(Java Database Connectivity)接口、类和方法的详细信息。JDBC是Java平台上的一个标准API,它使得Java应用...
- Tokenization: Replacing sensitive data with non-sensitive equivalents. 4. **Developing Incident Response Plans:** - **Preparation:** - Establishing an Incident Response Team (IRT). - Defining ...
本文介绍了一个名为AppIntent的新型分析框架,用于分析Android平台上敏感数据的传输情况以检测隐私泄露。Android智能手机经常携带个人信息,这吸引了一些恶意开发者,他们可能会在Android应用程序中嵌入代码以窃取...
#### 一、Oracle 11g 版本特性概述 自 Oracle 11g 版本开始,Oracle 数据库默认开启了密码大小写敏感(case sensitivity)功能。在早期版本如 10g 及其之前的版本中,默认情况下密码是不区分大小写的。这一变化主要...
文档中提到,出现这些错误的上下文是在尝试从Oracle 10g R2建立到Oracle 11g R1的新数据库连接时。在Oracle 11g版本中,默认情况下用户密码是区分大小写的,这与早期版本如Oracle 10g中的默认设置不同。当从低版本...
--Oracle11g中Exp空表的问题:禁用插入数据时才分配空间功能 show parameter deferred_segment_creation alter system set deferred_segment_creation=false; -- 查找空表: select 'alter table '||table_name||'...
在Windows Server 2008操作系统中安装Oracle 11g数据库是一个相对复杂的过程,涉及到多个步骤和配置。以下是对整个过程的详细说明: 一、环境及安装文件准备: 在开始安装之前,确保你的系统满足Oracle 11g的硬件和...
With Oracle Data Masking, sensitive and valuable information can be replaced with realistic values. This allows data to be safely used in non-production and incompliance with regulatory requirements ...
3. **数据泵(Data Pump)**:Oracle Data Pump是Oracle数据库中的一种快速数据传输工具,用于导出(EXPDP)和导入(IMPDP)大量数据。它使用并行处理来提高效率,可以跨数据库版本工作,但有时可能会遇到与时区相关...
Provide synthetic data that emulates the behavior of sensitive data. This approach enables external advisors to work with you on projects involving data that you can't show them. If you’re intrigued ...
标题中的“Encrypting and decrypting sensitive data using CryptoAPI”指的是使用Windows操作系统提供的CryptoAPI来对敏感数据进行加密和解密的技术。CryptoAPI是微软提供的一组接口,它允许程序员实现安全的加密...
Oracle 9, Oracle 10, and Oracle 11 authentication in the Direct mode is supported Case sensitive login and password in the Direct mode is supported Unicode login and password in the Direct mode is ...
Oracle自定义脱敏函数是数据库管理中用于保护敏感数据的一种常见方法,尤其是在处理用户个人信息时。本文将深入解析Oracle自定义脱敏函数的实现细节,以确保在数据共享、备份或分析时不泄露关键信息。 首先,我们来...
总结来说,Oracle 11g版本中关于用户密码大小写敏感性的设置是通过一个简单的参数`sec_case_sensitive_logon`控制的。管理员可以根据实际的使用场景来选择是否需要对密码进行大小写敏感的验证。在进行设置更改时,...
达梦数据库CASE_SENSITIVE参数学习报告 CASE_SENSITIVE参数是达梦数据库中一个重要的参数,它控制着数据库中标识符的大小写敏感性。在安装数据库时,该参数需要进行设置,默认情况下是敏感的,且设置后不能更改。 ...
- If connected as sys with sysdba role, Types node displays built in data-types (e.g. BLOB, DATE, DECIMAL, etc.) If clicked on, will only see "create or replace". 1.4 Creating and Modifying Objects -...
在本文中,我们将深入探讨如何在CentOS 7.5系统上安装Oracle 19c数据库,这是一个耗时且细致的过程。首先,由于Oracle 19c对Linux内核有特定的要求,因此选择了CentOS 7.5版本,其内核版本为3.10.0-862.el7.x86_64。...
Database professionals in today’s world deal increasingly often with repeated data attacks against high-profile organizations and sensitive data. It is more important than ever to keep your company’...