Column Masking using Virtual Private Database (VPD)

Column masking is a simple way to hide you valuable data from certain users without having to apply encrypt/decrypt techniques, In conventional Virtual Private Database the VPD Policy is applied to the whole row. By default a Column-Level VPD Policy allows you to restrict the rows displayed only if specified columns are accessed.

Column masking behaviour is implemented by using the "sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS" parameter. This allows you to display all rows but mask the values of the specified columns for the restricted rows

There are 3 steps for accomplish column masking:

1. A function to be used by the policy (function policy) created in next step.
2. Use dbms_rls package to create the policy.
3. Assign “exempt access policy” to users to be excluded from the policy. These users can see all data with no masking.

Example

CONN sys/password@db10g AS SYSDBA GRANT EXECUTE ON dbms_rls TO scott;

CONN scott/tiger@db10g -- Create the policy function to restrict access to SAL and COMM columns -- if the employee is not part of the department 20. CREATE OR REPLACE FUNCTION pf_job (oowner IN VARCHAR2, ojname IN VARCHAR2) RETURN VARCHAR2 AS   con VARCHAR2 (200); BEGIN   con := 'deptno = 20';   RETURN (con); END pf_job; /

-- Add policy BEGIN   DBMS_RLS.ADD_POLICY (object_schema         => 'scott',                        object_name           => 'emp',                        policy_name           => 'sp_job',                        function_schema       => 'scott',                        policy_function       => 'pf_job',                        sec_relevant_cols     => 'sal,comm',                        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS); END; /

-- All rows are returned but the SAL and COMM values are only
-- shown for employees in department 20.

-- Remove the policy function from the table.

BEGIN   DBMS_RLS.DROP_POLICY (object_schema => 'scott', object_name => 'emp', policy_name => 'sp_job'); END; /