Skip to Main Content
  • Questions

  • Redacting the Number Column using DBMS_REDACT

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Subramanian.

Asked: January 10, 2018 - 2:40 am UTC

Last updated: January 10, 2018 - 5:47 am UTC

Version: Oracle Database Release 12cR1

Viewed 1000+ times

You Asked

I have redacted the Number Column of a Database Table.The column contains Check Number which is ten digits. The redaction on this Check Number column is partially masked with 0 for first three digits.

When I query the column from the Database, it skips the first three digits and shows only the remaining 7 digits.If the redaction is applied with non-zero digits, it displays properly.

Again, in the UI when I try to edit and modify the last three digits of the check number field, while saving the data, it is saved with the actual redacted value itself in the table.

For Example, the value of Check Number field is 1234567890, If its partially masked with Zeros for first three digits, it displays in the UI/DB only 4567890.



If the same column is partially masked with 8 for first three digits instead of Zero, upon edit and save of the screen, the values gets saved in the database as it is.

For Example, the actual value in the column is 1234567890 and with redaction it displays as 8884567890.In the UI, I modify only the last digit of displayed value to 888456791.While saving the screen, the actual value in the table gets saved as "888456791" instead of 1234567891.



When I try to redact the NUMBER COlumn with * or # or with anyother special characters,I get an error saying "ORA-28074: The "REDACT_PARTIAL_MASKCHAR" field of the redaction parameters is not valid " while creating the policy itself.

How can this be achieved?

Below is what I do.

My Requirement is to partially Mask the First three digits of Check Number in UI.The Mask Character can be either Number or any special character.

Below is what I do to redact the first three digits of the Check Number with special character *(Asterik).


BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => 'OFSLLPOC',
object_name => 'UIX_CBC_FVW',
column_name => 'CBC_CHECK_NBR',
policy_name => 'redact_cnb_pm',
function_type => DBMS_REDACT.PARTIAL,
function_parameters=> '*,1,3',
expression => 'sys_context(''USER_RESP'',''RESP'') = ''COLLECTOR''',
enable=>true
);

END;



While compiling this policy, I get the error saying ORA-28074: The "REDACT_PARTIAL_MASKCHAR" field of the redaction parameters is not valid.



Is there anyway I can mask the number field with special character?



Since, the error came up as ORA-28074,I try creating the policy with Partial Mask of first three digits of the field. The policy is below.


BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => 'OFSLLPOC',
object_name => 'UIX_CBC_FVW',
column_name => 'CBC_CHECK_NBR',
policy_name => 'redact_cnb_pm',
function_type => DBMS_REDACT.PARTIAL,
function_parameters=> '0,1,3',
expression => 'sys_context(''USER_RESP'',''RESP'') = ''COLLECTOR''',
enable=>true
);

END;



When the actual value of Check Number is 1234567890, since I partially mask the first three digits to 0, it gets displayed in the UI as "4567890". The same is the case when I query the data from Database, as well.The output of the below query is

SELECT CBC_CHECK_NBR FROM UIX_CBC_FVW;

CBC_CHECK_NBR

--------------------------

4567890



Now, I try to update the last three digits of this masked field from UI(ADF) to 911, the data in the database gets stored as "45678911" instead of "12345678911" which is incorrect.The ADF Frame work generates update statement for UIX_CBC_FVW as "UPDATE UIX_CBC_FVW SET CBC_CHECK_NBR=:BV". Since, the masking of the digits is only possible with digits, it considers the masked value as an actual value and updates in the table.

and Connor said...

That is a "limitation" of redaction, in that we preserve data types. Otherwise, there becomes huge potential for application faults when redaction is applied. For example, if an application is expecting a date column to come back, and we sent back asterisks, then the chances are the application would crash.

If you want to redact a check number with asterisks, then it would need to be a varchar2 datatype.

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

few more details

Rajeshwaran, Jeyabal, January 11, 2018 - 8:19 am UTC

Again, in the UI when I try to edit and modify the last three digits of the check number field, while saving the data, it is saved with the actual redacted value itself in the table.
For Example, the value of Check Number field is 1234567890, If its partially masked with Zeros for first three digits, it displays in the UI/DB only 4567890.
Consider redaction only for read-only data - but not for changes. this is clearly documented in the security guide.
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/asoag/introduction-to-oracle-data-redaction.html#GUID-8D24DFB1-2ED8-46A7-88E0-678541BA76CC
<quote>
Oracle Data Redaction is particularly suited for call center applications and other applications that are read-only. Take care when using Oracle Data Redaction with applications that perform updates back to the database, because redacted data can be written back to this database.
</quote>
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Design

New to good database design? Check out Chris Saxon's full fundamentals class.