Skip to Main Content

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Subramanian.

Asked: January 10, 2018 - 2:36 am UTC

Last updated: January 10, 2018 - 5:38 am UTC

Version: Oracle Database Release 12cR1

Viewed 1000+ times

You Asked

Our applications works with ADF as UI and Oracle Database 12c in the Backend.

As a regulation requirement,we have to mask few columns of the applications.The Entity Objects in the ADF are based on the Views.


We have tried addressing these Columns Masking using DBMS_REDACT Feature and while doing it, we face the below issues.


1. Have created the Policies on the Table on the Respective Columns.On the UI, the data was masked and shown properly.Upon editing and modifying any redacted/non-redacted column,during save, we receive "ORA-28081: Insufficient privileges - the command references a redacted object"


2. Have dropped the policies from the table and created the Policies on the View on the Respective Columns.Upon editing and modifying any redacted/non-redacted column,during save, we are able to save the values.

Now, its observed that, when the policy is created on the table,the view cannot update any of the columns of the underlying table which is redacted.

Do we have any workarounds to get out of this situation or Is there a way I can achieve what I wanted to. My requirement is, while the Policy would still be present in the table, I want to perform DML Operations on the redacted table through the view.

Below is what I do.

1. I create a policy on a table with the partial mask.

     BEGIN
       DBMS_REDACT.ADD_POLICY(
         object_schema        => 'OFSLLPOC',
         object_name          => 'LOOKUPS',
         column_name          => 'LKC_DESC',
         policy_name          => 'redact_lkc_pm',
         function_type        => DBMS_REDACT.PARTIAL,
         function_parameters=> 'VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV,X,1,15',
         expression           => '1=1',
         enable=>true
         );
    END;


2. I have a view on the table on which Policy exists.

CREATE OR REPLACE VIEW UIX_LKC_FVW AS SELECT * FROM LOOKUPS;

3. Update uix_lkc_fvw set LKC_DESC='ABC' WHERE ROWNUM<2;

I get ORA-28081: Insufficient privileges - the command references a redacted object.



4. I drop the policy created in Step 1.

BEGIN                  
    DBMS_REDACT.DROP_POLICY (object_schema=>'OFSLLPOC'
                             ,object_name=>'LOOKUPS'
                             ,policy_name=>'redact_lkc_pm');
END;



5. I create the policy on the view created in Step 2 with the partial Mask.

      BEGIN
       DBMS_REDACT.ADD_POLICY(
         object_schema        => 'OFSLLPOC',
         object_name          => 'UIX_LKC_FVW',
         column_name          => 'LKC_DESC',
         policy_name          => 'redact_lkc_pm',
         function_type        => DBMS_REDACT.PARTIAL,
         function_parameters=> 'VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV,X,1,15',
         expression           => '1=1',
         enable=>true
         );
    END;


6. I update the underlying table of the view UIX_LKC_FVW.

UPDATE LOOKUPS SET LKC_DESC='ABC' WHERE ROWNUM<2;



1 Row updated.



The question is, while the Policy would still be present only in the table, I want to perform DML Operations on the redacted table through the view created based on the table.

In the example above, I want the policy to remain in LOOKUPS Table while I should be able to do DML Operations of the LOOKUPS table through UIX_LKC_FVW.

and Connor said...

That is how redaction is supposed to work, eg

SQL> conn scott/tiger
Connected.

SQL> create table t as select * from scott.emp;

Table created.

SQL> create or replace view vw as select * from t;

View created.

SQL>
SQL>
SQL> conn / as sysdba
Connected.

SQL> BEGIN
  2    DBMS_REDACT.add_policy(
  3      object_schema => 'SCOTT',
  4      object_name   => 't',
  5      column_name   => 'sal',
  6      policy_name   => 'redact_sal',
  7      function_type => DBMS_REDACT.full,
  8      expression    => '1=1'
  9    );
 10  END;
 11  /

PL/SQL procedure successfully completed.

SQL>
SQL> conn scott/tiger
Connected.

SQL> select * from t;

     EMPNO ENAME      JOB              MGR HIREDATE         SAL       COMM     DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80          0                    20
      7499 ALLEN      SALESMAN        7698 20-FEB-81          0        300         30
      7521 WARD       SALESMAN        7698 22-FEB-81          0        500         30
      7566 JONES      MANAGER         7839 02-APR-81          0                    20
      7654 MARTIN     SALESMAN        7698 28-SEP-81          0       1400         30
      7698 BLAKE      MANAGER         7839 01-MAY-81          0                    30
      7782 CLARK      MANAGER         7839 09-JUN-81          0                    10
      7788 SCOTT      ANALYST         7566 09-DEC-82          0                    20
      7839 KING       PRESIDENT            17-NOV-81          0                    10
      7844 TURNER     SALESMAN        7698 08-SEP-81          0                    30
      7876 ADAMS      CLERK           7788 12-JAN-83          0                    20
      7900 JAMES      CLERK           7698 03-DEC-81          0                    30
      7902 FORD       ANALYST         7566 03-DEC-81          0                    20
      7934 MILLER     CLERK           7782 23-JAN-82          0                    10

14 rows selected.

SQL> select * from vw;

     EMPNO ENAME      JOB              MGR HIREDATE         SAL       COMM     DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80          0                    20
      7499 ALLEN      SALESMAN        7698 20-FEB-81          0        300         30
      7521 WARD       SALESMAN        7698 22-FEB-81          0        500         30
      7566 JONES      MANAGER         7839 02-APR-81          0                    20
      7654 MARTIN     SALESMAN        7698 28-SEP-81          0       1400         30
      7698 BLAKE      MANAGER         7839 01-MAY-81          0                    30
      7782 CLARK      MANAGER         7839 09-JUN-81          0                    10
      7788 SCOTT      ANALYST         7566 09-DEC-82          0                    20
      7839 KING       PRESIDENT            17-NOV-81          0                    10
      7844 TURNER     SALESMAN        7698 08-SEP-81          0                    30
      7876 ADAMS      CLERK           7788 12-JAN-83          0                    20
      7900 JAMES      CLERK           7698 03-DEC-81          0                    30
      7902 FORD       ANALYST         7566 03-DEC-81          0                    20
      7934 MILLER     CLERK           7782 23-JAN-82          0                    10

14 rows selected.

SQL>
SQL> update vw
  2  set sal = sal + 10
  3  where rownum = 1;
where rownum = 1
               *
ERROR at line 3:
ORA-28081: Insufficient privileges - the command references a redacted object.


SQL>
SQL> update t
  2  set sal = sal + 10
  3  where rownum = 1;

1 row updated.

SQL>


But ADF should be able to handle this by

- querying via the view
- updating via the table

A description of that process is here

http://andrejusb.blogspot.com.au/2012/05/how-to-update-data-from-db-view-using.html

Is this answer out of date? If it is, please let us know via a Comment
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Design

New to good database design? Check out Chris Saxon's full fundamentals class.