Updated on 2023-10-23 GMT+08:00

ALTER MASKING POLICY

Function

ALTER MASKING POLICY modifies anonymization policies.

Precautions

  • Only user poladmin, user sysadmin, or the initial user can perform this operation.
  • The masking policy takes effect only after enable_security_policy is set to on. For details about how to enable the masking policy, see "Database Configuration > Database Security Management Policies > Dynamic Data Masking" in the Security Hardening Guide.
  • For details about the execution effect and supported data types of preset masking functions, see "Database Security > Dynamic Data Masking" in Feature Description.

Syntax

  • Modify the policy description.
    ALTER MASKING POLICY policy_name COMMENTS policy_comments;
    
  • Modify the anonymization method.
    ALTER MASKING POLICY policy_name [ADD | REMOVE | MODIFY] masking_actions[, ...]*;
    The syntax of masking_action is as follows:
        masking_function ON LABEL(label_name[, ...]*)
    
  • Modify the scenarios where the anonymization policies take effect.
    ALTER MASKING POLICY policy_name MODIFY(FILTER ON FILTER_TYPE(filter_value[, ...]*)[, ...]*);
    
  • Remove the filters of the anonymization policies.
    ALTER MASKING POLICY policy_name DROP FILTER;
    
  • Enable or disable the anonymization policies.
    ALTER MASKING POLICY policy_name [ENABLE | DISABLE];
    

Parameter Description

  • policy_name

    Specifies the anonymization policy name, which must be unique.

    Value range: a string. It must comply with the naming convention.

  • policy_comments

    Adds or modifies the description of the anonymization policy.

  • masking_function

    Specifies eight preset anonymization methods or user-defined functions. Schema is supported.

    maskall is not a preset function. It is hard-coded and cannot be displayed by running \df.

    The preset anonymization methods are as follows:

    maskall | randommasking | creditcardmasking | basicemailmasking | fullemailmasking | shufflemasking | alldigitsmasking | regexpmasking

  • label_name

    Specifies the resource label name.

  • FILTER_TYPE

    Specifies the types of information to be filtered by the policies: IP, ROLES, and APP.

  • filter_value

    Indicates the detailed information to be filtered, such as the IP address, app name, and username.

  • ENABLE|DISABLE

    Enables or disables the masking policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.

Examples

-- Create users dev_mask and bob_mask.
openGauss=# CREATE USER dev_mask PASSWORD 'dev@1234';
openGauss=# CREATE USER bob_mask PASSWORD 'bob@1234';

-- Create table tb_for_masking.
openGauss=# CREATE TABLE tb_for_masking(col1 text, col2 text, col3 text);

-- Create a resource label to label sensitive column col1.
openGauss=# CREATE RESOURCE LABEL mask_lb1 ADD COLUMN(tb_for_masking.col1);

-- Create a resource label to label sensitive column col2.
openGauss=# CREATE RESOURCE LABEL mask_lb2 ADD COLUMN(tb_for_masking.col2);

-- Create an anonymization policy for the operation of accessing sensitive column col1.
openGauss=# CREATE MASKING POLICY maskpol1 maskall ON LABEL(mask_lb1);

-- Add a description for anonymization policy maskpol1.
openGauss=# ALTER MASKING POLICY maskpol1 COMMENTS 'masking policy for tb_for_masking.col1';

-- Modify anonymization policy maskpol1 to add an anonymization method.
openGauss=# ALTER MASKING POLICY maskpol1 ADD randommasking ON LABEL(mask_lb2);

-- Modify anonymization policy maskpol1 to remove an anonymization method.
openGauss=# ALTER MASKING POLICY maskpol1 REMOVE randommasking ON LABEL(mask_lb2);

-- Modify anonymization policy maskpol1 to modify an anonymization method.
openGauss=# ALTER MASKING POLICY maskpol1 MODIFY randommasking ON LABEL(mask_lb1);

-- Modify anonymization policy maskpol1 so that it takes effect only for scenarios where users are dev_mask and bob_mask, client tools are psql and gsql, and the IP addresses are 10.20.30.40 and 127.0.0.0/24.
openGauss=# ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask, bob_mask), APP(psql, gsql), IP('10.20.30.40', '127.0.0.0/24'));

-- Modify anonymization policy maskpol1 so that it takes effect for all user scenarios.
openGauss=# ALTER MASKING POLICY maskpol1 DROP FILTER;

-- Disable anonymization policy maskpol1.
openGauss=# ALTER MASKING POLICY maskpol1 DISABLE;
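
A verification pass that can follow the statements above, confirming what the ALTER MASKING POLICY calls left in place. This is an added example, not part of the original reference. The catalog names gs_masking_policy, gs_masking_policy_actions and gs_masking_policy_filters and their columns do not appear on this page and should be confirmed against your openGauss version; the inserted row is constructed, and tb_for_masking is assumed to live in schema public.

```sql
-- Added example. ALTER MASKING POLICY needs poladmin, sysadmin, or the
-- initial user (see Precautions); INSERT and GRANT need the table owner.

-- 1. The policy has no effect unless this parameter is on.
SHOW enable_security_policy;

-- 2. Constructed sample row so that masking has something to act on.
INSERT INTO tb_for_masking
VALUES ('4000-0000-0000-0002', 'user@example.com', 'not sensitive');

-- 3. The Examples section ends with DROP FILTER and DISABLE, so the policy
--    is off. Re-enable it and scope it to a single role.
ALTER MASKING POLICY maskpol1 ENABLE;
ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask));

-- 4. Policy state: polenabled should now be true and polcomments should
--    hold the text set with COMMENTS.
SELECT polname, polcomments, polenabled, modifydate
FROM gs_masking_policy
WHERE polname = 'maskpol1';

-- 5. Actions: after the ADD / REMOVE / MODIFY sequence only mask_lb1 should
--    still be attached. A leftover or missing label here means a sensitive
--    column is masked differently than intended, or not at all.
SELECT a.actiontype, a.actlabelname, a.actmodifydate
FROM gs_masking_policy_actions a
JOIN gs_masking_policy p ON a.policyoid = p.oid
WHERE p.polname = 'maskpol1';

-- 6. Filters: no rows means the policy applies to every session; rows here
--    restrict it to the listed ROLES / APP / IP values.
SELECT f.filtertype, f.logicaloperator, f.modifydate
FROM gs_masking_policy_filters f
JOIN gs_masking_policy p ON f.policyoid = p.oid
WHERE p.polname = 'maskpol1';

-- 7. Behavioral check. Grant read access, then run the SELECT in two
--    sessions: one opened as dev_mask (inside the filter) and one opened
--    as bob_mask (outside it). col1 should come back masked only for
--    dev_mask; col3 has no resource label and is returned unchanged.
GRANT USAGE ON SCHEMA public TO dev_mask, bob_mask;
GRANT SELECT ON tb_for_masking TO dev_mask, bob_mask;
SELECT col1, col2, col3 FROM tb_for_masking;
```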