Skip to Main Content

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, DEVALAM.

Asked: August 13, 2019 - 3:53 pm UTC

Last updated: August 14, 2019 - 3:11 am UTC

Version: 12c

Viewed 1000+ times

You Asked

Dear Tom,

We have a requirement to mask (data should not be readable) certain columns of a row, based on certain conditions.
For example, in a development environment, for data protection purposes, the information of the table customer needs to be masked based on certain condition. 

CREATE TABLE customer (
    last_name    VARCHAR2(25),
    first_name   VARCHAR2(25),
    address      VARCHAR2(25),
    sensitive_Data char
);

insert into customer values('A', 'A', '10','N'); 
insert into customer values('B', 'B', '11','N'); 
insert into customer values('C', 'C', '12','Y');

In the production environment, if we do a select on customer, the result will be as follows: 
select *
from customer;

LAST_NAME  FIRST_NAME  ADDRESS SENSITIVE_DATA 
-------- ---------- ------- -------------
A   A 10    N 
B    B  11   N 
C    C  12   Y

In the development environment, the same information needs to be masked as below:
LAST_NAME  FIRST_NAME  ADDRESS SENSITIVE_DATA 
-------- ---------- ------- -------------
A   A 10    N 
B    B  11   N 
XX    XX  12   Y

We tried to use DBMS_REDACT feature, this is masking the whole column instead of specific row, we would like to understand if ever there is any utility/package shared by oracle to meet this requirement

Thanks & Regards,
Devalam Suchindra

and Connor said...

Redaction is applied to an entire table (or view), so to achieve what you want using redaction you would do:

create view SENSITIVE as select * from CUSTOMER where SENSITIVE_DATA = 'Y';

create view V_CUSTOMER as
select * from SENSITIVE
union all
select * from CUSTOMER where SENSITIVE_DATA = 'N'


and then apply a redaction policy to just the view called SENSITIVE.

If you are prepared to simply null out the data, then you can use DBMS_RLS for that. See here for an example

https://asktom.oracle.com/pls/asktom/asktom.search?tag=column-masking

Another alternative is actually change the data to mask it when it is copied to Dev. See the following for more details

https://www.oracle.com/technetwork/database/options/data-masking-subsetting/overview/ds-security-dms-2245926.pdf

or build something with some PLSQL, eg

https://connor-mcdonald.com/2019/04/15/quick-and-easy-masking/

Is this answer out of date? If it is, please let us know via a Comment
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Design

New to good database design? Check out Chris Saxon's full fundamentals class.