11 Using Oracle Data Redaction in Oracle Enterprise Manager

You can create and manage Oracle Data Redaction policies and formats by using Oracle Enterprise Manager Cloud Control (Cloud Control).

About Using Oracle Data Redaction in Oracle Enterprise Manager

Oracle Enterprise Manager Cloud Control provides a unified user interface for creating and managing Oracle Data Redaction policies.

Starting with the Oracle Enterprise Manager 12c Database plug-in 12.1.0.7, you can do the following:

  • Create and manage custom Oracle Data Redaction formats, which were previously known as Data Redaction shortcuts. (This functionality is not available from the command line.)

  • Create and manage sensitive column types directly from the Oracle Data Redaction pages. While you create a Data Redaction policy, Cloud Control uses sensitive column types to obtain the Oracle Data Redaction formats that are relevant to the column that you are redacting.

Note:

You can redact data in Oracle Database Enterprise Edition 11.2.0.4 or later by using Oracle Enterprise Manager, starting with Oracle Enterprise Manager 12c. However, before you can create custom redaction formats and sensitive column types, you must deploy the Enterprise Manager for Oracle Database plug-in 12.1.0.7 or higher.

For information about how to deploy a plug-in, see Enterprise Manager Cloud Control Administrator's Guide.

Oracle Data Redaction Workflow

The following figure depicts the steps you must follow to redact the data of one or more columns of a particular database.

  1. (Optional) If you want to map the database columns (that contain the data that you want to redact) to new sensitive column types, then create the required sensitive column types as described in Management of Sensitive Column Types in Enterprise Manager.

  2. (Optional) If you want to redact the data (present in a particular database column) using a custom redaction format, then create the required redaction format as described in Creating a Custom Oracle Data Redaction Format.

  3. Create an Oracle Data Redaction policy for the required database, as described in Creating an Oracle Data Redaction Policy Using Enterprise Manager.

Note:

When you create an Oracle Data Redaction policy, it is enabled by default. For information on how to disable an enabled redaction policy, see Enabling or Disabling an Oracle Data Redaction Policy Using Enterprise Manager.

Management of Sensitive Column Types in Enterprise Manager

A sensitive column type categorizes sensitive information contained in a database table column into a sensitive information type, such as Social Security numbers or credit card numbers.

Sensitive column types use a combination of the column name, column comments, and the data pattern defined using a regular expression to tag a column to a particular sensitive information type.

While you create Oracle Data Redaction policies, redaction formats are filtered on the basis of the chosen sensitive column type, thus saving time and effort. For example, if the database table column that you want to redact contains U.S. Social Security numbers, and you select the SOCIAL_SECURITY_NUMBER sensitive column type for the column while adding it to the Oracle Data Redaction policy, the default redaction formats that you can use to redact the column data are filtered, and only the relevant redaction formats are displayed.

Figure 11-1 illustrates the filtering of Oracle Data Redaction formats based on sensitive column types.

Figure 11-1 Oracle Data Redaction Formats Filtered on the Basis of Sensitive Column Types


Note:

This functionality is available only if you have the Enterprise Manager for Oracle Database plug-in 12.1.0.7 or later deployed in your system.

For information on how to verify the plug-ins deployed in your environment, see Enterprise Manager Cloud Control Administrator's Guide.

As part of the Application Data Modelling feature, Oracle provides a number of default sensitive column types that a database column can be mapped to.

Figure 11-2 displays some of the default sensitive column types.

Figure 11-2 Default Sensitive Column Types


If none of the default sensitive column types are suitable for the database column that contains the data that you want to redact, you can create a new sensitive column type, or create a sensitive column type that is based on an existing sensitive column type, as described in Oracle Database Testing Guide.

Managing Oracle Data Redaction Formats Using Enterprise Manager

Oracle Data Redaction provides several redaction formats (previously known as Oracle Data Redaction templates) that you can use directly within a redaction policy to redact data, such as US Social Security numbers, telephone numbers, American Express card numbers, and so on.

About Managing Oracle Data Redaction Formats Using Enterprise Manager

As an example of the Oracle Data Redaction formats, a set of Social Security number formats enables you to quickly designate ways to redact Social Security numbers, such as redacting the first five numbers of the Social Security number.

Oracle Database provides several default Oracle Data Redaction formats.

Figure 11-3 displays the default Oracle Data Redaction formats.

Figure 11-3 Default Oracle Data Redaction Formats


Each default Oracle Data Redaction format consists of a specific redaction function that determines the redacted output when the redaction format is used in an Oracle Data Redaction policy. For example, the Credit Card Numbers - NUMBER default redaction format replaces the first twelve digits of the column data with the digit 0, when it is used in an Oracle Data Redaction policy. That is, if the column data is 5555555555554444, the redacted output will be 0000000000004444.

If you have deployed the Enterprise Manager for Oracle Database plug-in 12.1.0.7 or higher on your system, then you can also create and save custom redaction formats, which you can then use in your redaction policies.

Creating a Custom Oracle Data Redaction Format

You can create and save a custom Oracle Data Redaction format using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then click the name of a database target.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. Select the Formats tab and then click Create.
    If you want to create a custom redaction format that is based on, or is similar to an existing redaction format, then click Create Like.
    If you select Create, then the following dialog box appears:
  7. Provide a name and a description for the redaction format that you want to create.
    If you want to map the redaction format to a particular sensitive column type (such that the created redaction format can be used to redact the data of a column that is associated with the sensitive column type), then select a value for Sensitive Column Type.
    Select the function that the format should use to redact the column data. For Redaction Function, select FULL if the format should redact the entire column data, PARTIAL if the format should redact only a part of the column data, REGEX if the format should redact data based on a regular expression, RANDOM if the format should redact data in a random manner, using randomly generated values, or NONE if the format will be used to only test the definition of a redaction policy, and not redact any column data. If you select PARTIAL, then ensure that you provide the function attributes, as well as the data type that you want to use the redaction format for. If you select REGEX, ensure that you provide the function attributes.
    For more information about the redaction functions you can use, and the patterns you can specify with each redaction function, see Oracle Data Redaction Features and Capabilities.
  8. Click OK to create and save the custom redaction format.
    This format can now be used to create a redaction policy. For information about how to create a redaction policy, see Creating an Oracle Data Redaction Policy Using Enterprise Manager.

Editing a Custom Oracle Data Redaction Format

You can only edit custom Oracle Data Redaction formats using Cloud Control. You cannot edit the default redaction formats that Oracle provides.

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then click the name of a database target.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. Select the Formats tab and then click Create.
  7. Select the custom redaction format that you want to edit, then click Edit.
    A dialog box similar to the following appears:
  8. (Optional) Choose to edit the format description, sensitive column type, redaction function, and the redaction function attributes.
  9. Click OK to save the edited format.

Viewing Oracle Data Redaction Formats

You can view the details of the Oracle-supplied and custom Oracle Data Redaction formats by using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then click the name of a database target.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. Select the Formats tab.
  7. Select the required redaction format, then click View.
    The Data Redaction Formats page appears, similar to the following page.

Deleting a Custom Oracle Data Redaction Format

You can delete a custom Oracle Data Redaction format using Enterprise Manager Cloud Control (Cloud Control).

You can only delete custom Oracle Data Redaction formats, and not the redaction formats that are provided by Oracle.

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then click the name of a database target.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. Select the Formats tab.
  7. Select the custom redaction format that you want to delete, and then click Delete.
  8. In the Confirmation dialog box, click Yes or No.

Managing Oracle Data Redaction Policies Using Enterprise Manager

You can create, edit, view, and delete Oracle Data Redaction policies in Enterprise Manager Cloud Control (Cloud Control).

About Managing Oracle Data Redaction Policies Using Enterprise Manager

The Data Redaction page enables you to manage Oracle Data Redaction policies.

To redact the data present in a particular database table or view column, you must create an Oracle Data Redaction policy. Data is redacted using a redaction format that is specified by the Oracle Data Redaction policy. To redact data, you can use any of the Oracle-supplied redaction formats, or create and use a custom redaction format. If the table or view column that contains the data that you want to redact is mapped to a sensitive column type, Oracle uses the mapping to recommend suitable redaction formats for the data. Thus, Oracle Data Redaction policies encapsulate database schemas, database table and view columns, sensitive column types, and Oracle Data Redaction formats.

Figure 11-4 shows the Data Redaction page, which enables you to create and manage Oracle Data Redaction policies in Cloud Control.

Figure 11-4 Oracle Data Redaction Policies Page


Creating an Oracle Data Redaction Policy Using Enterprise Manager

You can create an Oracle Data Redaction policy using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then click the name of a database target for which you want to create an Oracle Data Redaction policy.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. In the Policies section of the Policies tab, select Create.
  7. On the Create Data Redaction Policy page, enter the following information:
    • Schema: Enter (or search for) the name of the schema that contains the data you want to redact.

    • Table/View: Enter (or search for) the table or field that contains the column you want to redact.

    • Policy Name: Enter a name for the policy, such as emp_wages_pol.

    • Policy Expression: Enter a policy expression. The default is 1=1, which means that the policy always will be enforced. If you are not familiar with the components of a policy expression, click the pencil icon beside the Policy Expression field to use Policy Expression Builder. Select Policy is in effect when, select the required conditions, then click Add. Click Edit if you want to edit the policy expression manually. After building the required policy expression, click OK. The Policy Expression Builder appears as follows:

  8. In the Object Columns section, click Add to add a table or view column to the redaction policy.
    The following dialog box appears:

    The redaction policy is applied only on the table or view columns that are added to it.

  9. From the Column menu, select the table or view column to which you want to apply the redaction policy.
    To the right of the Column menu is an icon that you can click to view the contents of the selected column.
    If the column contains sensitive data and has been mapped to a sensitive column type, then from the Sensitive Column Type menu, select the sensitive column type that it has been mapped to. If the search pattern in the Sensitive Column Type menu matches, then the sensitive column type is selected by default. For example, for a column listing credit card numbers, if there is a match, then the menu will list Undefined and CREDIT_CARD_TYPE. If there is no sensitive column type created, then the default Sensitive Column Type menu listing is only Undefined.
  10. From the Redaction Format menu, select the redaction format that you want to use.
    The drop-down list is populated with the Oracle Database-supplied redaction formats, as well as the custom redaction formats that you have created and saved. For information about how to create and save a redaction format, see Creating a Custom Oracle Data Redaction Format.

    If you do not want to use a pre-defined redaction format (that is, an Oracle-Database supplied redaction format, or a custom redaction format that you have created), and instead want to specify the redaction details while creating the redaction policy, select CUSTOM for Redaction Format.

    The Add dialog box adjusts to accommodate the type of redaction format and function that you select. For example, if you select the CUSTOM redaction format and the REGEX redaction function, then the Function Attributes region appears in the dialog box.

  11. From the Redaction Function menu, select the function that you want to use to redact the column data.
    Select FULL if you want to redact the entire column data, PARTIAL if you want to redact only a part of the column data, REGEX if you want to redact the column data based on a regular expression, RANDOM if you want to redact the column data in a random manner, using randomly generated values, or NONE if you only want to test the definition of the redaction policy, and not redact any column data. Note that not all redaction functions may be applicable for a particular redaction format. The drop-down list displays only the redaction functions that are applicable for the selected redaction format.
    If you selected CUSTOM for Redaction Format in the previous step, and PARTIAL or REGEX for Redaction Function, ensure that you specify the function attributes.
    See Oracle Data Redaction Features and Capabilities for more information and examples of the available redaction formats.
  12. Click OK.
  13. Repeat these steps starting with Step 8 for all the columns that you want to add to the redaction policy.
  14. On the Create Data Redaction Policy page, click OK to create the data redaction policy.
    The new policy appears, similar to the following image:

    Note:

    When you create an Oracle Data Redaction policy, it is enabled by default. For information on how to disable an enabled redaction policy, see Enabling or Disabling an Oracle Data Redaction Policy Using Enterprise Manager.
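
The policy built through the pages above corresponds to calls to the DBMS_REDACT package, which is useful when you want to review or version-control a policy definition. The following is an added example, not taken from the Oracle documentation: the schema HR_DEMO, table EMP_WAGES, columns CARD_NO and SSN, and user APP_AUDITOR are hypothetical names, and CARD_NO is assumed to be a 16-digit NUMBER column.

```sql
-- Added example. HR_DEMO, EMP_WAGES, CARD_NO, SSN and APP_AUDITOR are
-- hypothetical names. Run as a user with EXECUTE on DBMS_REDACT.
BEGIN
  -- Schema, table or view, policy name, policy expression and the first
  -- object column, as entered on the Create Data Redaction Policy page.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR_DEMO',
    object_name         => 'EMP_WAGES',
    policy_name         => 'emp_wages_pol',
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    -- NUMBER partial redaction: mask digit, start position, end position.
    -- 5555555555554444 is returned as 0000000000004444.
    function_parameters => '0,1,12',
    -- Redact for every session except the (hypothetical) auditor account.
    -- The page's default expression 1=1 would redact for all sessions.
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') != 'APP_AUDITOR']',
    enable              => TRUE);   -- policies are enabled on creation

  -- Adding a further column to the same policy, here with FULL redaction.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_DEMO',
    object_name   => 'EMP_WAGES',
    policy_name   => 'emp_wages_pol',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SSN',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Confirm what was actually stored: one row per redacted column, with the
-- policy expression and enabled state alongside the redaction function.
SELECT p.policy_name,
       p.enable,
       p.expression,
       c.column_name,
       c.function_type,
       c.function_parameters
FROM   redaction_policies p
JOIN   redaction_columns  c
       ON  c.object_owner = p.object_owner
       AND c.object_name  = p.object_name
WHERE  p.object_owner = 'HR_DEMO'
AND    p.object_name  = 'EMP_WAGES'
ORDER  BY c.column_name;
```

Columns of the table that do not appear in the second query are returned unredacted, because the policy applies only to the columns added to it.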

Editing an Oracle Data Redaction Policy Using Enterprise Manager

You can edit an Oracle Data Redaction policy using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then search for and click the name of the database target for which the Oracle Data Redaction policy that you want to edit was created.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. In the Policies section of the Policies tab, select the redaction policy that you want to edit, then click Edit.
  7. On the Edit Data Redaction Policy page, choose to edit the policy expression, add new columns to the redaction policy, modify the redaction details of a column that is a part of the policy, or delete a column from the redaction policy.
    To add a new column to the redaction policy, in the Object Columns section, click Add, select the table or view column that you want to add, then specify the redaction details. To modify the redaction details of a column that is a part of the policy, select the column, click Modify, then edit the redaction details. To delete a column from the redaction policy, select the column, then click Delete.
    For information on how to specify or edit the policy expression, see Step 6 described in Creating an Oracle Data Redaction Policy Using Enterprise Manager. For information about how to specify or edit the redaction details of a column, see Step 7.
  8. On the Edit Data Redaction Policy page, after editing the required fields, click OK to save and enable the edited redaction policy.

Viewing the Details of an Oracle Data Redaction Policy Using Enterprise Manager

An Oracle Data Redaction policy is executed at run time only if it is enabled. When you create an Oracle Data Redaction policy, it is enabled by default.

You can disable an enabled redaction policy, or enable a disabled redaction policy using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then search for and click the name of the database target for which the Oracle Data Redaction policy that you want to view was created.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
  6. In the Policies section of the Policies tab, select the required redaction policy, then click View.

Enabling or Disabling an Oracle Data Redaction Policy Using Enterprise Manager

An Oracle Data Redaction policy is executed at run time only if it is enabled. When you create an Oracle Data Redaction policy, it is enabled by default.

You can disable an enabled redaction policy, or enable a disabled redaction policy using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then search for and click the name of the database target for which the Oracle Data Redaction policy that you want to enable or disable was created.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. In the Policies section of the Policies tab, select the redaction policy that you want to enable or disable, and then click Enable or Disable.
  7. In the Confirmation dialog box, click Yes or No.
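
Because a disabled policy returns the column data unredacted, it is worth checking the enabled state outside the console as well. The following is an added example, not taken from the Oracle documentation: it shows the DBMS_REDACT calls behind Enable and Disable and two review queries, with HR_DEMO, EMP_WAGES and emp_wages_pol used as hypothetical object names. The second query assumes that you can read the DBA_TAB_PRIVS view.

```sql
-- Added example. HR_DEMO and EMP_WAGES are hypothetical names.
-- Run as a user with EXECUTE on DBMS_REDACT.

-- Equivalent of clicking Disable for a policy.
BEGIN
  DBMS_REDACT.DISABLE_POLICY(
    object_schema => 'HR_DEMO',
    object_name   => 'EMP_WAGES',
    policy_name   => 'emp_wages_pol');
END;
/

-- Review 1: every policy with its enabled state and, per column, the
-- redaction function in use. Disabled policies sort first. A column whose
-- function was set to NONE is part of a policy but is not redacted, so
-- read the FUNCTION_TYPE column as well as ENABLE.
SELECT p.object_owner,
       p.object_name,
       p.policy_name,
       TRIM(p.enable) AS enabled,
       c.column_name,
       c.function_type
FROM   redaction_policies p
LEFT   JOIN redaction_columns c
       ON  c.object_owner = p.object_owner
       AND c.object_name  = p.object_name
ORDER  BY CASE WHEN TRIM(p.enable) = 'NO' THEN 0 ELSE 1 END,
          p.object_owner, p.object_name, c.column_name;

-- Review 2: accounts and roles that hold the EXECUTE privilege on
-- DBMS_REDACT, which is the privilege every procedure on this page
-- requires for creating, editing, disabling or deleting a policy.
SELECT grantee, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_REDACT'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- Equivalent of clicking Enable for a policy.
BEGIN
  DBMS_REDACT.ENABLE_POLICY(
    object_schema => 'HR_DEMO',
    object_name   => 'EMP_WAGES',
    policy_name   => 'emp_wages_pol');
END;
/
```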

Deleting an Oracle Data Redaction Policy Using Enterprise Manager

You can delete an Oracle Data Redaction policy using Enterprise Manager Cloud Control (Cloud Control).

  1. Log into Oracle Enterprise Manager Cloud Control as either user SYSTEM or SYSMAN.
    The URL is as follows:
    https://host:port/em
  2. From the Targets menu, select Databases.
  3. Select Search List, then search for and click the name of the database target for which the Oracle Data Redaction policy that you want to delete was created.
  4. On the home page of the database target, from the Security menu, select Data Redaction.
  5. Log in to the database, if you are prompted to do so.
    Ensure that you log in to the database as a user that has the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  6. In the Policies section of the Policies tab, select the redaction policy that you want to delete, and then click Delete.
  7. In the Confirmation dialog box, click Yes or No.