Oracle has recently introduced masking as one of the facilities. Masking allows data to be hidden from users / or only display part of the content. Other users can still the normal content. Let us take an example. A salary can shown as a random number to some users while others might still see the original content.
A well known example is a credit card number. If I look at my Amazon account, I see that my credit card is shown as “Master Card ending in 6211”. The original content is masked: only part is shown. As the last numbers of my credit card is shown, I know Amazon has my correct credit card number. On the other hand such display is sure; if someone sees my screen, he has no knowledge of my credit card number.
Masking is fundamentally different from encrypting. If my data are masked, my data are either not shown or just partly shown to some users. The data might still be stored in a plain form, leaving them exposed to whomever has access to them. Encrypted data are not exposed; even a dba can not read them if he doesn’t have the key to decrypt them. Some dba even do not want to have keys to, say, the encrypted passwords.
If one would like to use this Oracle facility, you should has have the newest version of Oracle (12c) and the newest version of SQL developer (version 18 or above).
Next grants are necessary to implement masking:
grant select on Sys.redaction_policies to C##SCOTT;
grant select on Sys.redaction_columns to C##SCOTT;
grant execute on dbms_redact to C##SCOTT;
If we then log in as C##SCOTT, we can select a table in SQL developer. Right click on the table and choose the option “redaction”:
The menu is rather straight forward. One must indicate the scheme, table, column and the masking type:
Click on “apply” and the rule is set. One may verify this by selecting the data from the table:
A final note: we may exempt some users from the masking rule. In above menu, we have exempted c##kijk from the masking rule. C##kijk is created by:
create user c##kijk identified by "AA1234!!";
grant connect, resource to C##kijk;
grant select on c##redact_user.employees to c##kijk;
And if log in as c##kijk, we see unmasked values:
