From 1bb2829d3c761295e9aca9fa1c647b9b7600a36d Mon Sep 17 00:00:00 2001 From: Kajal Singh Date: Tue, 15 Jul 2025 15:05:22 -0700 Subject: [PATCH 1/4] Create data-redaction --- data-redaction | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 data-redaction diff --git a/data-redaction b/data-redaction new file mode 100644 index 00000000..b7d62936 --- /dev/null +++ b/data-redaction @@ -0,0 +1,37 @@ +##Create redaction policy +BEGIN + DBMS_REDACT.ADD_POLICY( + object_schema => 'SH', + object_name => 'CUSTOMERS', + policy_name => 'REDACT_SENSITIVE_DATA', + expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''SH''' + ); +END; +/ + +##Create redaction policy +CREATE OR REPLACE VIEW sh.customer_view AS + SELECT + cust_id, + UPPER(cust_first_name) AS FIRST_NAME, + UPPER(cust_last_name) AS LAST_NAME, + CASE + WHEN cust_marital_status IS NULL OR TRIM(cust_marital_status) = '' THEN 'UNKNOWN' + ELSE UPPER(cust_marital_status) + END AS marital_status, + cust_gender AS GENDER, + cust_email AS EMAIL, + cust_postal_code AS POSTAL_CODE, + cust_credit_limit AS CREDIT_LIMIT + FROM sh.customers; + +BEGIN + DBMS_REDACT.ALTER_POLICY ( + object_schema => 'SH', + object_name => 'CUSTOMERS', + policy_name => 'REDACT_SENSITIVE_DATA', + column_name => 'CUST_MARITAL_STATUS', + action => DBMS_REDACT.ADD_COLUMN, + function_type => DBMS_REDACT.FULL); +END; +/ From 34f0a60ac3e6cda4ed1bb64b0d2e04ba2bdfe078 Mon Sep 17 00:00:00 2001 From: Kajal Singh Date: Tue, 15 Jul 2025 15:14:42 -0700 Subject: [PATCH 2/4] Update data-redaction --- data-redaction | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/data-redaction b/data-redaction index b7d62936..4eedf8ef 100644 --- a/data-redaction +++ b/data-redaction @@ -1,4 +1,4 @@ -##Create redaction policy +--Create a redaction policy BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'SH', 
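Review bot: The `expression` passed to DBMS_REDACT.ADD_POLICY in PATCH 1/4 applies redaction to every session user except SH, but nothing in the file says who is exempt or what the policy does not protect against. I would add a comment above the block such as `-- Redacts for all session users except SH; accounts holding EXEMPT REDACTION POLICY also see real values`. It should also say that redaction only masks query output, so it belongs alongside restrictive object privileges on SH.CUSTOMERS rather than in place of them. Separately, in the view's CASE, `TRIM(cust_marital_status) = ''` can never be true in Oracle because a zero-length string is NULL, so blank values fall through to the ELSE branch. Testing the trimmed value covers both cases: `WHEN TRIM(cust_marital_status) IS NULL THEN 'UNKNOWN'`.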
@@ -9,7 +9,7 @@ BEGIN END; / -##Create redaction policy +--Create a view CREATE OR REPLACE VIEW sh.customer_view AS SELECT cust_id, @@ -25,6 +25,7 @@ CREATE OR REPLACE VIEW sh.customer_view AS cust_credit_limit AS CREDIT_LIMIT FROM sh.customers; +--Add column to the readaction policy BEGIN DBMS_REDACT.ALTER_POLICY ( object_schema => 'SH', @@ -35,3 +36,8 @@ BEGIN function_type => DBMS_REDACT.FULL); END; / + +--Query the view +SELECT CUST_ID, FIRST_NAME, LAST_NAME, EMAIL, MARITAL_STATUS + FROM sh.customer_view + WHERE cust_id IN (101, 103, 176, 201); From dbbe9464e3826c304f34497df64353af3eb5f1b7 Mon Sep 17 00:00:00 2001 From: Kajal Singh Date: Tue, 22 Jul 2025 12:23:57 -0700 Subject: [PATCH 3/4] Update data-redaction --- data-redaction | 127 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 104 insertions(+), 23 deletions(-) diff --git a/data-redaction b/data-redaction index 4eedf8ef..25684d9d 100644 --- a/data-redaction +++ b/data-redaction @@ -1,3 +1,4 @@ +--Example: Expression-based view --Create a redaction policy BEGIN DBMS_REDACT.ADD_POLICY( 
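Review bot: The `--Query the view` statement added in the last hunk of PATCH 2/4 does not say which account should run it, and the policy expression at the top of the file exempts SH. A reader who runs the whole script in one SH session will get the real MARITAL_STATUS values back and never see the policy applied. A one-line comment would make the check meaningful, for example `--Run as a user other than SH with SELECT on sh.customer_view; MARITAL_STATUS should come back redacted`. Running the same query once as SH and once as the other account confirms the exemption in both directions.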
@@ -10,34 +11,114 @@ END; / --Create a view -CREATE OR REPLACE VIEW sh.customer_view AS +CREATE OR REPLACE VIEW sh.customer_view AS SELECT - cust_id, - UPPER(cust_first_name) AS FIRST_NAME, - UPPER(cust_last_name) AS LAST_NAME, - CASE - WHEN cust_marital_status IS NULL OR TRIM(cust_marital_status) = '' THEN 'UNKNOWN' - ELSE UPPER(cust_marital_status) - END AS marital_status, - cust_gender AS GENDER, - cust_email AS EMAIL, - cust_postal_code AS POSTAL_CODE, - cust_credit_limit AS CREDIT_LIMIT - FROM sh.customers; + cust_id, + CONCAT(UPPER(cust_first_name), ' ', UPPER(cust_last_name)) AS FULL_NAME, + UPPER(cust_marital_status) AS MARITAL_STATUS, + FROM sh.customers; + --Add column to the readaction policy -BEGIN - DBMS_REDACT.ALTER_POLICY ( - object_schema => 'SH', - object_name => 'CUSTOMERS', - policy_name => 'REDACT_SENSITIVE_DATA', - column_name => 'CUST_MARITAL_STATUS', - action => DBMS_REDACT.ADD_COLUMN, - function_type => DBMS_REDACT.FULL); -END; -/ +BEGIN + DBMS_REDACT.ALTER_POLICY ( + object_schema => 'SH', + object_name => 'CUSTOMERS', + policy_name => 'REDACT_SENSITIVE_DATA', + column_name => 'CUST_MARITAL_STATUS', + action => DBMS_REDACT.ADD_COLUMN, + function_type => DBMS_REDACT.FULL); +END; +/ +-- You can use update_full_redaction_values to change the default value returned from Oracle. 
Here, it's been changed to return 'XXXX' for the varchar datatype +BEGIN + DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES ( + column_datatype => DBMS_REDACT.VARCHAR2_TYPE, + value => 'XXXX'); +END; +/ --Query the view SELECT CUST_ID, FIRST_NAME, LAST_NAME, EMAIL, MARITAL_STATUS FROM sh.customer_view WHERE cust_id IN (101, 103, 176, 201); + + +-- Example: Extended statistics and function-based indexes on redacted columns +--Create a function-based index on customer last name +CREATE INDEX last_name_idx + ON customers (UPPER(cust_last_name)); + +-- Add a virtual column for salary +ALTER TABLE sh.customers ADD ( + rounded_salary AS (ROUND(salary, -3))); + +-- Apply redaction policy to the base last name and salary columns +BEGIN + DBMS_REDACT.ALTER_POLICY( + object_schema => 'SH', + object_name => 'CUSTOMERS', + column_name => 'cust_last_name', + policy_name => 'REDACT_SENSITIVE_DATA', + action => DBMS_REDACT.ADD_COLUMN, + function_type => DBMS_REDACT.FULL + ); +END; +/ + +BEGIN + DBMS_REDACT.ALTER_POLICY( + object_schema => 'SH', + object_name => 'CUSTOMERS', + column_name => 'SALARY', + policy_name => 'REDACT_SENSITIVE_DATA', + action => DBMS_REDACT.ADD_COLUMN, + function_type => DBMS_REDACT.FULL + ); +END; +/ + +-- Here, you can use update_full_redaction_values to change the default value to 'XXXX'. 
+BEGIN + DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES ( + column_datatype => DBMS_REDACT.VARCHAR2_TYPE, + value => 'XXXX'); +END; +/ + +-- Query the Table +SELECT cust_id, UPPER(cust_last_name)AS last_name, rounded_salary +FROM sh.customers +WHERE cust_id IN (101, 103, 176, 201); + + +-- Example: Advaced SQL support +-- Apply redaction policy to the CUST_CREDIT_LIMIT column +BEGIN +DBMS_REDACT.ALTER_POLICY ( + object_schema => 'SH', + object_name => 'CUSTOMERS', + policy_name => 'REDACT_SENSITIVE_DATA', + column_name => 'CUST_CREDIT_LIMIT', + action => DBMS_REDACT.ADD_COLUMN, + function_type => DBMS_REDACT.FULL); +END; +/ + +-- Query the Table +SELECT + COUNT(*) AS total_customer_count, + AVG(cust_credit_limit ) AS avg_credit_limit, + SUM(CASE WHEN cust_credit_limit > (SELECT AVG(cust_credit_limit ) FROM sh.customers) THEN 1 ELSE 0 END) AS ABOVE_AVERAGE, + SUM(CASE WHEN cust_credit_limit < (SELECT AVG(cust_credit_limit ) FROM sh.customers) THEN 1 ELSE 0 END) AS BELOW_AVERAGE +FROM sh.customers; + + +-- Example: Redacting queries with DISTINCT, GROUP BY, and ORDER BY clauses +-- Query over redacted column +SELECT cust_postal_code, SUM(cust_credit_limit) AS TOTAL_CREDIT_LIMIT +FROM sh.customers +GROUP BY cust_postal_code +ORDER BY total_credit_limit DESC +FETCH FIRST 5 ROWS ONLY; + From dca5e46170a3f896483fd11dbe5ee590156c1945 Mon Sep 17 00:00:00 2001 From: Kajal Singh Date: Tue, 22 Jul 2025 14:50:29 -0700 Subject: [PATCH 4/4] Update data-redaction --- data-redaction | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data-redaction b/data-redaction index 25684d9d..a7a12ba1 100644 --- a/data-redaction +++ b/data-redaction 
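Review bot: The rewritten `sh.customer_view` in the `@@ -10,34 +11,114 @@` hunk will not compile, and the unchanged `--Query the view` statement no longer matches it. The select list ends with a trailing comma before `FROM` (`UPPER(cust_marital_status) AS MARITAL_STATUS,`), and the view now exposes only CUST_ID, FULL_NAME and MARITAL_STATUS while the query still selects FIRST_NAME, LAST_NAME and EMAIL; drop the comma and change the query to `SELECT cust_id, full_name, marital_status`. In the second example, `CREATE INDEX last_name_idx ON customers` is the only unqualified reference to the table, where everything else uses `sh.customers`. The virtual column and the following ALTER_POLICY also depend on a `salary` column that no statement in this file creates and that, as far as I know, the stock SH.CUSTOMERS table does not have. The aggregate and GROUP BY examples would benefit from a comment stating what a non-exempt user should expect to see, since results computed from or filtered on a redacted column can still let a reader infer the underlying values.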
@@ -30,11 +30,11 @@ BEGIN function_type => DBMS_REDACT.FULL); END; / --- You can use update_full_redaction_values to change the default value returned from Oracle. Here, it's been changed to return 'XXXX' for the varchar datatype +-- You can use update_full_redaction_values to change the default value returned from Oracle. Here, it's been changed to return 'X' for the varchar datatype BEGIN DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES ( column_datatype => DBMS_REDACT.VARCHAR2_TYPE, - value => 'XXXX'); + value => 'X'); END; / @@ -78,11 +78,11 @@ BEGIN END; / --- Here, you can use update_full_redaction_values to change the default value to 'XXXX'. +-- Here, you can use update_full_redaction_values to change the default value to 'X'. BEGIN DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES ( column_datatype => DBMS_REDACT.VARCHAR2_TYPE, - value => 'XXXX'); + value => 'X'); END; /
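Review bot: Both DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES calls touched in PATCH 4/4 (this hunk and the `@@ -78,11 +78,11 @@` hunk) pass `column_datatype` and `value`, which do not match the procedure's documented signature as I know it. It takes one parameter per datatype, so the VARCHAR2 default would be set with `varchar_val => 'X'`. The call also changes the full-redaction default for the whole database rather than only for REDACT_SENSITIVE_DATA, and per Oracle's documentation, as I recall it, the new value takes effect only after a database restart. The comment should state both facts instead of implying the next query returns 'X'. Since the two blocks are identical, a single call carrying that caveat is enough.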