Skip to main content

Oracle Data Redaction and Delphix (KBA5791)




KBA# 5791

Delphix maintains a rigorous test plan for interoperability with core RDMBS functions for Masking and Virtualization features as new versions of Oracle are released for general availability.  However, not all product features available are part of the testing and certification process.  Data Redaction is one such feature, and as such is not discussed in core product documentation.

How does Oracle Data Redaction affect Delphix Virtualization?

As discussed in Oracle documentation, the Data Redaction feature: transparent to application users because it preserves the original data type and (optionally) the formatting. It is highly transparent to the database because the data remains the same in buffers, caches, and storage—only being changed at the last minute just before SQL query results are returned to the caller.

And also referenced in Oracle DOC-1005680:

Data Redaction is done at the last minute of the query execution and thus does not hamper the data processing happening at the back end. This makes the redaction seen only on the result set of the query. Data redaction can be done in different methods and is achieved by defining a redaction policy using the DBMS_REDACT package against the desired table. A redaction policy redacts the data at the runtime based on the conditions that match the expression values or the SYS_CONTEXT values.

A redaction policy does not apply to the SYS user and the users with the EXEMPT REDACTION POLICY privilege. In other words, these users will be able to view the actual data in the result set of the query. 

The current functionality of the Data Redaction feature is such that data at rest is not modified, only the results from SQL query given to a user/application. Based on this implementation, this feature is not expected to have any negative impact on Delphix Virtualization operations, as data ingestion is completed via RMAN backup to the Delphix appliance, and optional transmission of archive and redo logs.  

After provision, any desired Data Redaction configuration may have to be reapplied to the virtual database (VDB).

How does Oracle Data Redaction affect Delphix Masking?

The configuration of Data Redaction may affect the Delphix Masking solution, depending on the connector configuration and the database user configured for Masking. In order to be functional, the Masking configuration and user credentials would want to have the EXEMPT REDACTION POLICY privilege configured so the original data could be read and masked as needed. 

However, the Delphix Masking platform is ultimately a more secure solution than the Oracle Redaction, since the Masking operation on a database or VDB would actually change the content of data at rest, where the Oracle solution only transforms the query results.  Any data breach on a host where only Data Redaction is configured would still ultimately expose original data if the database or VDB were accessed by a malicious third party.

Related Articles 

The following articles may provide more information or related information to this article: