Updated on 2024-09-02 GMT+08:00

ALTER REDACTION POLICY

Function

ALTER REDACTION POLICY modifies a data redaction policy applied to a specified table.

Precautions

Only the table object owner and users with the gs_redaction_policy preset role can modify the masking policy.

Syntax

  • Modify the expression used for a redaction policy to take effect.
    1
    ALTER REDACTION POLICY policy_name ON table_name [INHERIT] WHEN (new_when_expression);
    
  • Enable or disable a redaction policy.
    1
    ALTER REDACTION POLICY policy_name ON table_name ENABLE | DISABLE;
    
  • Rename a redaction policy.
    1
    ALTER REDACTION POLICY policy_name ON table_name RENAME TO new_policy_name;
    
  • Add, modify, or delete a column on which the redaction policy is used.
    1
    2
    ALTER REDACTION POLICY policy_name ON table_name 
        action;
    

    There are several clauses of action:

    1
    2
    3
    [INHERIT] ADD COLUMN column_name WITH function_name ( arguments )
      | [INHERIT] MODIFY COLUMN column_name WITH function_name ( arguments )
      | DROP COLUMN column_name
    

Parameter Description

  • policy_name

    Specifies the name of the redaction policy to be modified.

  • table_name

    Specifies the name of the table to which the redaction policy is applied.

  • INHERIT

    Specifies whether the masking policy or operation is inherited from other masking policies or operations. This parameter is not recommended.

  • new_when_expression

    Specifies the new expression used for the redaction policy to take effect.

  • ENABLE | DISABLE

    Specifies whether to enable or disable the current redaction policy.

    • ENABLE

      Enables the redaction policy that was previously disabled for the table.

    • DISABLE

      Disables the redaction policy currently applied to the table.

  • new_policy_name

    Specifies the new name of the redaction policy.

  • column_name

    Specifies the name of the table column to which the redaction policy is applied.

    To add a column, use a column name that has not been bound to any redaction functions.

    To modify a column, use the name of an existing column.

    To delete a column, use the name of an existing column.

  • function_name

    Specifies the name of a redaction function.

  • arguments

    Specifies the list of arguments of the redaction function.

    • MASK_NONE: indicates that no masking is performed.
    • MASK_FULL: indicates that all data is masked to a fixed value.
    • MASK_PARTIAL: indicates that partial masking is performed based on the specified character type, numeric type, or time type.

Examples

Modify the expression for a redaction policy to make it take effect for the specified role (If no user is specified, the redaction policy takes effect for the current user by default.):

1
2
ALTER REDACTION POLICY mask_emp ON emp WHEN (pg_has_role(current_user, 'redact_role', 'member'));
ALTER REDACTION POLICY mask_emp ON emp WHEN (pg_has_role('redact_role', 'member'));

Modify the expression for the data redaction policy to make it take effect for all users.

1
ALTER REDACTION POLICY mask_emp ON emp WHEN (1=1);

Disable the redaction policy.

1
ALTER REDACTION POLICY mask_emp ON emp DISABLE;

Enable the redaction policy again.

1
ALTER REDACTION POLICY mask_emp ON emp ENABLE;

Change the redaction policy name to mask_emp_new.

1
ALTER REDACTION POLICY mask_emp ON emp RENAME TO mask_emp_new;

Add a column with the redaction policy used.

1
ALTER REDACTION POLICY mask_emp_new ON emp ADD COLUMN name WITH mask_partial(name, '*', 1, length(name));

Modify the redaction policy for the name column. Use the MASK_FULL function to redact all data in the name column.

1
ALTER REDACTION POLICY mask_emp_new ON emp MODIFY COLUMN name WITH mask_full(name);

Delete an existing column where the redaction policy is used.

1
ALTER REDACTION POLICY mask_emp_new ON emp DROP COLUMN name;