Updated on 2024-05-07 GMT+08:00

ALTER MASKING POLICY

Function

Modifies a masking policy.

Precautions

  • Only user poladmin, user sysadmin, or the initial user can perform this operation.
  • The masking policy takes effect only after enable_security_policy is set to on.

Syntax

  • Modify the policy description.
    ALTER MASKING POLICY policy_name COMMENTS policy_comments;

  • Modify the masking method.
    ALTER MASKING POLICY policy_name [ADD | REMOVE | MODIFY] masking_actions[, ...];

    The syntax of masking_action is as follows:
        masking_function ON LABEL(label_name[, ...])

  • Modify the scenarios where the masking policy takes effect.
    ALTER MASKING POLICY policy_name MODIFY(FILTER ON FILTER_TYPE(filter_value[, ...])[, ...]);

  • Remove the filters of the masking policy.
    ALTER MASKING POLICY policy_name DROP FILTER;

  • Enable or disable the masking policy.
    ALTER MASKING POLICY policy_name [ENABLE | DISABLE];


Parameter Description

  • policy_name

    Specifies the masking policy name, which must be unique.

    Value range: a string. It must comply with the naming convention.

  • policy_comments

    Adds or modifies the description of a masking policy.

  • masking_function

    Specifies one of the eight preset masking functions or a user-defined function. A schema-qualified function name is supported.

    maskall is not a preset function. It is hard-coded and cannot be displayed by running \df.

    The preset masking functions are as follows:

    maskall | randommasking | creditcardmasking | basicemailmasking | fullemailmasking | shufflemasking | alldigitsmasking | regexpmasking

  • label_name

    Specifies the resource label name.

  • FILTER_TYPE

    Specifies the types of information to be filtered by the policies: IP, ROLES, and APP.

  • filter_value

    Indicates the detailed information to be filtered, such as the IP address, app name, and username.

  • ENABLE|DISABLE

    Enables or disables the masking policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.

Examples

-- Create users dev_mask and bob_mask.
gaussdb=# CREATE USER dev_mask PASSWORD '********';
gaussdb=# CREATE USER bob_mask PASSWORD '********';

-- Create table tb_for_masking.
gaussdb=# CREATE TABLE tb_for_masking(col1 text, col2 text, col3 text);

-- Create a resource label for sensitive column col1.
gaussdb=# CREATE RESOURCE LABEL mask_lb1 ADD COLUMN(tb_for_masking.col1);

-- Create a resource label for sensitive column col2.
gaussdb=# CREATE RESOURCE LABEL mask_lb2 ADD COLUMN(tb_for_masking.col2);

-- Create a masking policy for the operation of accessing sensitive column col1.
gaussdb=# CREATE MASKING POLICY maskpol1 maskall ON LABEL(mask_lb1);

-- Add a description to masking policy maskpol1.
gaussdb=# ALTER MASKING POLICY maskpol1 COMMENTS 'masking policy for tb_for_masking.col1';

-- Modify masking policy maskpol1 to add a masking method.
gaussdb=# ALTER MASKING POLICY maskpol1 ADD randommasking ON LABEL(mask_lb2);

-- Modify masking policy maskpol1 to remove a masking method.
gaussdb=# ALTER MASKING POLICY maskpol1 REMOVE randommasking ON LABEL(mask_lb2);

-- Modify masking policy maskpol1 to modify a masking method.
gaussdb=# ALTER MASKING POLICY maskpol1 MODIFY randommasking ON LABEL(mask_lb1);

-- Modify masking policy maskpol1 so that it takes effect only for scenarios where users are dev_mask and bob_mask, the client tool is gsql, and the IP addresses are 10.20.30.40 and 127.0.0.0/24.
gaussdb=# ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask, bob_mask), APP(gsql), IP('10.20.30.40', '127.0.0.0/24'));

-- Modify masking policy maskpol1 so that it takes effect for all user scenarios.
gaussdb=# ALTER MASKING POLICY maskpol1 DROP FILTER;

-- Disable masking policy maskpol1.
gaussdb=# ALTER MASKING POLICY maskpol1 DISABLE;

-- Delete a masking policy.
gaussdb=# DROP MASKING POLICY maskpol1;

-- Delete a resource label.
gaussdb=# DROP RESOURCE LABEL mask_lb1, mask_lb2;

-- Delete the tb_for_masking table.
gaussdb=# DROP TABLE tb_for_masking;

-- Delete the dev_mask and bob_mask users.
gaussdb=# DROP USER dev_mask, bob_mask;
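The following script is an added example, not part of the GaussDB documentation: it scopes a masking policy to one account and walks through the checks a practitioner would run before relying on it. It assumes the table tb_for_masking, the labels mask_lb1 and mask_lb2 and the user dev_mask from the example above still exist (run it before the cleanup statements), an application subnet of 10.20.30.0/24, and the openGauss catalog name gs_masking_policy with columns polname, polenabled and polcomments; these are assumptions.

```sql
-- Added example (not from the GaussDB documentation). Assumes tb_for_masking,
-- mask_lb1 (col1), mask_lb2 (col2) and dev_mask from the example above exist,
-- and that the session user is poladmin, sysadmin or the initial user.

-- 1. A masking policy is inert while enable_security_policy is off, so verify
--    the switch before trusting the policy. Expected value: on.
SHOW enable_security_policy;

-- 2. Constructed sample data in the two labelled columns.
INSERT INTO tb_for_masking VALUES ('4111111111111111', 'alice@example.com', 'public');
GRANT SELECT ON tb_for_masking TO dev_mask;

-- 3. Prefer the format-preserving preset functions to maskall so consumers that
--    validate card-number and e-mail shape keep working on masked output.
CREATE MASKING POLICY maskpol_app creditcardmasking ON LABEL(mask_lb1),
                                  basicemailmasking ON LABEL(mask_lb2);

-- 4. Scope the policy: it applies only to dev_mask connecting through gsql from
--    the assumed application subnet 10.20.30.0/24.
ALTER MASKING POLICY maskpol_app MODIFY (FILTER ON ROLES(dev_mask), APP(gsql), IP('10.20.30.0/24'));

-- 5. Confirm the policy is recorded and enabled (catalog and column names are
--    assumed from openGauss; adjust them if your release differs).
SELECT polname, polenabled, polcomments FROM gs_masking_policy WHERE polname = 'maskpol_app';

-- 6. Read the data as the scoped role from a gsql session on that subnet:
--    col1 and col2 must come back masked. From a session the filter does not
--    describe, the raw values are returned, which is what the filter is for.
SET ROLE dev_mask PASSWORD '********';
SELECT col1, col2, col3 FROM tb_for_masking;
RESET ROLE;

-- 7. To change the scope, drop the filters and re-add the intended ones. Note
--    that between the two statements the policy applies to every session.
ALTER MASKING POLICY maskpol_app DROP FILTER;
ALTER MASKING POLICY maskpol_app MODIFY (FILTER ON ROLES(dev_mask));
```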