ALTER MASKING POLICY
Description
Alters a masking policy.
Precautions
- Only users with the POLADMIN or SYSADMIN permission, or the initial user can perform this operation.
- The masking policy takes effect only after enable_security_policy is enabled.
Syntax
- Modify the policy description.
ALTER MASKING POLICY policy_name COMMENTS policy_comments;
- Modify the masking method.
ALTER MASKING POLICY policy_name [ADD | REMOVE | MODIFY] masking_actions[, ...]*;
The syntax of masking_action:
masking_function ON LABEL(label_name[, ...]*)
- Modify the scenarios where the masking policy takes effect.
ALTER MASKING POLICY policy_name MODIFY(FILTER ON FILTER_TYPE(filter_value[, ...]*)[, ...]*);
- Remove the filters of the masking policy.
ALTER MASKING POLICY policy_name DROP FILTER;
- Enable or disable the masking policy.
ALTER MASKING POLICY policy_name [ENABLE | DISABLE];
Parameters
- policy_name
Specifies the name of a masking policy, which must be unique.
Value range: a string that complies with the Identifier Naming Conventions.
- policy_comments
Adds or modifies the description of the masking policy.
- masking_function
Specifies eight preset masking methods or user-defined functions. Schemas are supported.
The maskall function is not preset. It is hard-coded and cannot be displayed by running \df.
The masking methods during presetting are as follows:
maskall | randommasking | creditcardmasking | basicemailmasking | fullemailmasking | shufflemasking | alldigitsmasking | regexpmasking
- label_name
Specifies the resource label name.
- FILTER_TYPE
Specifies the types of information to be filtered by the masking policy, including IP, ROLES, and APP.
- filter_value
Specifies the detailed information to be filtered, such as the IP address, app name, and username.
- ENABLE|DISABLE
Enables or disables the masking policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.
Examples
-- Create users dev_mask and bob_mask.
openGauss=# CREATE USER dev_mask PASSWORD 'xxxxxxxxxx';
openGauss=# CREATE USER bob_mask PASSWORD 'xxxxxxxxxx';

-- Create table tb_for_masking.
openGauss=# CREATE TABLE tb_for_masking(col1 text, col2 text, col3 text);

-- Create a resource label for sensitive column col1.
openGauss=# CREATE RESOURCE LABEL mask_lb1 ADD COLUMN(tb_for_masking.col1);

-- Create a resource label for sensitive column col2.
openGauss=# CREATE RESOURCE LABEL mask_lb2 ADD COLUMN(tb_for_masking.col2);

-- Create a masking policy for the operation of accessing sensitive column col1.
openGauss=# CREATE MASKING POLICY maskpol1 maskall ON LABEL(mask_lb1);

-- Add description for masking policy maskpol1.
openGauss=# ALTER MASKING POLICY maskpol1 COMMENTS 'masking policy for tb_for_masking.col1';

-- Modify masking policy maskpol1 to add a masking method.
openGauss=# ALTER MASKING POLICY maskpol1 ADD randommasking ON LABEL(mask_lb2);

-- Modify masking policy maskpol1 to remove a masking method.
openGauss=# ALTER MASKING POLICY maskpol1 REMOVE randommasking ON LABEL(mask_lb2);

-- Modify masking policy maskpol1 to modify a masking method.
openGauss=# ALTER MASKING POLICY maskpol1 MODIFY randommasking ON LABEL(mask_lb1);

-- Modify masking policy maskpol1 so that it takes effect only for scenarios where users are dev_mask and bob_mask, the client tool is gsql, and the IP addresses are 10.20.30.40 and 127.0.0.0/24.
openGauss=# ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask, bob_mask), APP(gsql), IP('10.20.30.40', '127.0.0.0/24'));

-- Modify masking policy maskpol1 so that it takes effect for all user scenarios.
openGauss=# ALTER MASKING POLICY maskpol1 DROP FILTER;

-- Disable masking policy maskpol1.
openGauss=# ALTER MASKING POLICY maskpol1 DISABLE;

-- Drop a masking policy.
openGauss=# DROP MASKING POLICY maskpol1;

-- Drop resource labels.
openGauss=# DROP RESOURCE LABEL mask_lb1, mask_lb2;

-- Drop the tb_for_masking table.
openGauss=# DROP TABLE tb_for_masking;

-- Drop the dev_mask and bob_mask users.
openGauss=# DROP USER dev_mask, bob_mask;
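Verifying the result of an ALTER MASKING POLICY (an added example, not part of the original reference page): the queries below confirm that the policy is actually in force and show which sessions it covers. They are meant to be run while maskpol1 still exists, that is, before the DROP statements above. The catalog names gs_masking_policy, gs_masking_policy_actions and gs_masking_policy_filters, their columns, and the join on the policy row's oid are not stated on this page; they are assumed from the openGauss system catalogs and should be checked against your version.

```sql
-- Added verification example. Run as a user with POLADMIN or SYSADMIN permission.
-- Catalog and column names are assumptions (see lead-in); verify them with \d.

-- 1. The page's precaution: no masking policy takes effect unless this is on.
SHOW enable_security_policy;

-- 2. Policy state after ALTER ... COMMENTS / ENABLE / DISABLE.
--    polenabled = false means the policy exists but sensitive columns
--    are returned unmasked.
SELECT polname, polcomments, polenabled, modifydate
FROM gs_masking_policy
WHERE polname = 'maskpol1';

-- 3. Result of ADD / REMOVE / MODIFY: which masking function is bound to
--    which resource label. A label with no row here is not masked by this policy.
SELECT p.polname,
       a.actiontype,      -- masking function, e.g. maskall or randommasking
       a.actlabelname,    -- resource label, e.g. mask_lb1
       a.actparams
FROM gs_masking_policy p
JOIN gs_masking_policy_actions a ON a.policyoid = p.oid
WHERE p.polname = 'maskpol1'
ORDER BY a.actlabelname;

-- 4. Result of MODIFY(FILTER ON ...) / DROP FILTER.
--    No row: the policy takes effect for all user scenarios.
--    A row:  the policy takes effect only for sessions matching the stored
--            expression (roles, app, IP); sessions outside it are not
--            covered by this policy, so review the expression carefully.
SELECT p.polname, f.filtertype, f.logicaloperator, f.modifydate
FROM gs_masking_policy p
LEFT JOIN gs_masking_policy_filters f ON f.policyoid = p.oid
WHERE p.polname = 'maskpol1';

-- 5. Policies that exist but are currently disabled (candidates for review).
SELECT polname, modifydate
FROM gs_masking_policy
WHERE NOT polenabled
ORDER BY modifydate DESC;
```

After the catalog checks, connect as one of the roles the filter names and select the labelled column to confirm that the returned values are masked.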