An Oracle Data Redaction policy defines the conditions in which redaction must occur.

A Data Redaction policy has the following characteristics:

• Oracle Data Redaction polices are applied to tables, views, or materialized views. You can apply only one policy on each object.

• The Data Redaction policy defines the following:

  • What to redact
  • How the redaction should occur
  • When the redaction takes place

• A Data Redaction policy can fully redact values, partially redact values, or randomly redact values. In addition, you can define a Data Redaction policy to not redact any data at all, for when you want to test your policies in a test environment.

• A Data Redaction policy can be defined with a policy expression which allows for different application users to be presented with either redacted data or actual data, based on whether the policy expression returns TRUE or FALSE. Redaction takes place when the boolean result of evaluating the policy expression is TRUE. For security reasons, the functions and operators that can be used in the policy expression are limited to SYS_CONTEXT and a few others. User-created functions are not allowed. Policy expressions can make use of the SYS_SESSION_ROLES namespace with the SYS_CONTEXT function to check for enabled roles.

• Different named Data Redaction policy expressions can be created and then applied individually for different columns within the same table or view.

• Oracle Database performs the redaction at execution time, just before the data is returned to the query.

Table 3-1 lists the procedures in the DBMS_REDACT package.