2

Summary of Post: I tried to full redact the TITLE column, but it's not working even though the script is executing just fine. I just want the data from the TITLE column in the FACULTY table to be redacted and not visible to users who aren't secmgr.

Hello, Below is my code and it executes perfectly (or so I thought). No error messages appear, but when I go to check if the redact policy works, I find that the data is not being redacted and it is is still visible. I check the priviledges of the test account (OO) but it hasn't been granted any privileged other thatn create session and select. Please help.


set echo on

show user;


---- Clean up workspace
drop table STUDENT;
drop table FACULTY;
drop table OFFERING;
drop table ENROLLMENT;

drop user oo;
drop user secmgr cascade;
drop user sysmgr cascade;
drop user u1;
drop user u2;

drop role pr;

---- Create the tables using DDL
create table STUDENT(
    STUDENTID number(3) not null,
    NAME varchar(10),
    MAJOR varchar(20),
    STATUS char(2),
    ADDRESS varchar(15),
    GPA number(3,2)
    );
    
create table FACULTY(    
    FACULTYID number(4),
    NAME varchar(10),
    ORGCD varchar (3),
    ADDRESS varchar(15),
    CC number(16),
    SALARY number (7),
    RANK varchar(12),
    TITLE varchar (4)
    );
    
create table OFFERING(
    OFFERINGNUM number(4) not null,
    COURSENUM char(5),
    FACULTYID number(4),
    TERM varchar(6),
    YEAR char(4),
    TIME varchar(8)
    );
    
create table ENROLLMENT(
    OFFERINGNUM number(4) not null,
    STUDENTID number(3) not null
    );

---- Populate the tables with data and check using DML 
insert all 
into STUDENT (STUDENTID, NAME, MAJOR, STATUS, ADDRESS, GPA) values (100, 'ABLE', 'HISTORY', 'SR', '1 UTAH', 3.00)
into STUDENT (STUDENTID, NAME, MAJOR, STATUS, ADDRESS, GPA) values (200, 'BAKER', 'ACCOUNTING', 'JR', '2 IOWA', 2.70)
into STUDENT (STUDENTID, NAME, MAJOR, STATUS, ADDRESS, GPA) values (300, 'CHARLES', 'MATH', 'SR', '3 MAINE', 3.50)
into STUDENT (STUDENTID, NAME, MAJOR, STATUS, ADDRESS, GPA) values (400, 'DRAKE', 'COMPUTER SCIENCEY', 'FR', '4 IDAHO', 2.80)
into STUDENT (STUDENTID, NAME, MAJOR, STATUS, ADDRESS, GPA) values (500, 'ELLIOT', 'COMPUTER SCIENCEY', 'SM', '5 NEVADA', 3.25)
SELECT * FROM dual;

SELECT * FROM STUDENT;

insert all 
into FACULTY (FACULTYID, NAME, ORGCD, ADDRESS, CC, SALARY, RANK, TITLE) values (0980, 'MARTIN', 'IM', '11 MAIN', 4560123450001234, 250000, 'DEAN', 'CEO')
into FACULTY (FACULTYID, NAME, ORGCD, ADDRESS, CC, SALARY, RANK, TITLE) values (5430, 'SEAVER', 'IS', '12 SOUTH', 4560123450002345, 180000, 'PROFESSOR', 'CIO')
into FACULTY (FACULTYID, NAME, ORGCD, ADDRESS, CC, SALARY, RANK, TITLE) values (7650, 'LOONEY', 'IT', '14 NORTH', 4560123450003456, 160000, 'INSTRUCTOR', 'CISO')
into FACULTY (FACULTYID, NAME, ORGCD, ADDRESS, CC, SALARY, RANK, TITLE) values (9870, 'MILLS', 'SA', '16 EAST', 4560123450004567, 90000, 'LECTURER', 'CFO')
into FACULTY (FACULTYID, NAME, ORGCD, ADDRESS, CC, SALARY, RANK, TITLE) values (9990, 'BOND', 'INT', '007 NE', 4560123450005678, 90000, 'COACH', 'SPY')
SELECT * FROM dual;

SELECT * FROM FACULTY;

insert all 
into OFFERING (OFFERINGNUM, COURSENUM, FACULTYID, TERM, YEAR, TIME) values (1111, 'IS320', 5430, 'FALL', '2012', '10 AM')
into OFFERING (OFFERINGNUM, COURSENUM, FACULTYID, TERM, YEAR, TIME) values (1233, 'IS320', 0980, 'FALL', '2012', '11 AM')
into OFFERING (OFFERINGNUM, COURSENUM, FACULTYID, TERM, YEAR, TIME) values (2222, 'IS460', 7650, 'SPRING', '2013', '10 AM')
into OFFERING (OFFERINGNUM, COURSENUM, FACULTYID, TERM, YEAR, TIME) values (3333, 'IT480', 5430, 'SPRING', '2013', '11 AM')
SELECT * FROM dual;

SELECT * FROM OFFERING;

insert all 
into ENROLLMENT (OFFERINGNUM, STUDENTID) values (1111, 100)
into ENROLLMENT (OFFERINGNUM, STUDENTID) values (1233, 500)
into ENROLLMENT (OFFERINGNUM, STUDENTID) values (2222, 300)
into ENROLLMENT (OFFERINGNUM, STUDENTID) values (3333, 400)
SELECT * FROM dual;

SELECT * FROM ENROLLMENT;

-- User created for testing redaction
create user oo identified by o;
grant create session to oo
grant select on FACULTY to oo;


-- Create a security manager who will create the redact policy
show user;

create user secmgr identified by s;
grant dba to secmgr;
grant create session to secmgr;

create user sysmgr identified by s2;
grant dba to sysmgr;
grant create session to sysmgr;

connect sysmgr/s2;
connect sys/ as sysdba;
grant execute on dbms_redact to secmgr;


-- Create the policy (full redact)
-- cleanup workspace
begin
  dbms_redact.drop_policy (
    object_schema => 'DBST_USER',
    object_name   => 'FACULTY',
    policy_name   => 'FACULTY_POL'
  );
end;
/

connect secmgr/s;
begin
  dbms_redact.add_policy
  (object_schema => 'DBST_USER',
  object_name => 'FACULTY',
  policy_name => 'FACULTY_POL',
  column_name => 'TITLE',
  function_type => DBMS_REDACT.FULL,
  expression => '1=1');
end;
/

connect oo/o;
select * from dbst_user.FACULTY;

I also checked to see if the policy was active and found the following; apparently, the FACULTY_POL is active, multiple times despite my dropping the policy. I can't seem to get rid of them. I have a feeling this is causing the problem.

active policies

WaffleCat
  • 45
  • 4
  • 1
    The policies you're seeing have all been dropped. The `BIN$...` object_name indicates these are in the recycle bin. They should not be causing any issues. – pmdba Oct 31 '22 at 04:48

0 Answers0