CREATE REDACTION POLICY
Function
CREATE REDACTION POLICY creates a data redaction policy on a database table.
DWS provides a column-level data redaction policy (REDACTION POLICY) feature. For certain sensitive information (such as ID card numbers, mobile numbers, bank card numbers, etc.), the original data is transformed and rewritten by applying redaction functions, achieving reliable protection of sensitive private data and enhancing the product's capabilities in data security and privacy protection.
Precautions
- The data redaction feature is controlled by the GUC parameter feature_support_options. If the error message "REDACTION POLICY is not yet supported, please add enable_data_redaction into feature_support_options." or "Cannot use the feature of data redaction, please drop existed redaction policy or add enable_data_redaction into feature_support_options." is displayed, the data redaction feature is not enabled. You need to contact technical support to set the feature_support_options parameter and enable the data redaction feature.
- Only the owner of the table object and users granted the gs_redaction_policy preset role have the permission to create a redaction policy.
- Users with the sysadmin permission can bypass the redaction policy check and always have visibility of the redacted column data, meaning the redaction policy does not take effect for them.
- Data redaction policies can only be created on regular tables and foreign tables that are not under an EXTERNAL SCHEMA (OBS, HDFS, GDS, collaborative analysis foreign tables). Redaction policies cannot be created for system tables, foreign tables under an EXTERNAL SCHEMA, temporary tables, UNLOGGED tables, views, or function objects.
- There is a one-to-one correspondence between a table object and its redaction policy. A redaction policy is a collection of data redaction functions that can be applied to multiple columns in a table. You can set different redaction functions for different columns.
- A redaction policy is enabled by default upon its creation, that is, the enable parameter of the policy is true by default.
- Data redaction policies can be matched with specified roles.
- Creating a redaction policy on a regular table object through a synonym is not supported.
Syntax
1 2 3 4 | CREATE REDACTION POLICY policy_name ON table_name [ { AFTER | BEFORE } old_policy_name ] [INHERIT] [ WHEN (when_expression) ] [ ADD COLUMN column_name WITH redaction_function_name ( [ argument [, ...] ] )] [, ... ]; |
Parameter Description
| Parameter | Description | Value Range |
|---|---|---|
| policy_name | Specifies the name of a redaction policy. | - |
| table_name | Specifies the name of the table to which the redaction policy is applied. | A valid table name. |
| BEFORE | AFTER | Specifies the relative location where the current policy is created. Generally, one masking policy is used for one table. The default value indicates that the current policy is created after the last candidate policy of the target table recorded in the current system catalog. | - |
| WHEN ( when_expression ) | Specifies the expression used for the redaction policy to take effect. The redaction policy takes effect only when this expression is true. | When a query statement is querying a table where a redaction policy is enabled, the redacted data is invisible in the query only if the WHEN expression for the redaction policy is true. Generally, the WHEN clause is used to specify the users for which the redaction policy takes effect. The WHEN clause must comply with the following rules:
|
| column_name | Specifies the name of the column on the table to which the redaction policy is applied. | - |
| redaction_function_name | Specifies the name of the redaction function. | - |
| arguments | Specifies the argument list of the redaction function. DWS supports three built-in redaction functions: MASK_NONE, MASK_FULL, and MASK_PARTIAL. User-defined redaction functions created using C language or PL/pgSQL language are also supported. For details, see Data Redaction Functions. |
|
Example 1: Creating a Redaction Policy for a Specified User
- Enable the data redaction function.
Contact technical support to set the feature_support_options parameter and enable the data redaction feature.
gs_guc set -Z coordinator -Z datanode -N all -I all -c "feature_support_options=enable_data_redaction" gs_om -t stop && gs_om -t start
- Create users alice and matu.
1 2
CREATE ROLE alice PASSWORD '{password}'; CREATE ROLE matu PASSWORD '{password}';
- Create the table object emp as user alice and insert data.
1 2
CREATE TABLE emp(id int, name varchar(20), salary NUMERIC(10,2)); INSERT INTO emp VALUES(1, 'July', 1230.10), (2, 'David', 999.99);
- View the table data.
1SELECT * FROM emp;

- Create the redaction policy mask_emp for the table object emp as user alice and make the salary column invisible to user matu.
1CREATE REDACTION POLICY mask_emp ON emp WHEN(current_user = 'matu') ADD COLUMN salary WITH mask_full(salary);
- Grant the SELECT permission on table emp to user matu as user alice.
1GRANT SELECT ON emp TO matu;
- Switch to user matu.
1SET ROLE matu PASSWORD '{password}';
- Query table emp as user matu. Data in the salary column is redacted.
1SELECT * FROM emp;

Example 2: Creating a Redaction Policy for a Specified Role
- Create the role redact_role.
1CREATE ROLE redact_role PASSWORD '{password}';
- Add users matu and alice to the role redact_role.
1GRANT redact_role to matu,alice;
- Create the table object emp1 as the administrator and insert data.
1 2
CREATE TABLE emp1(id int, name varchar(20), salary NUMERIC(10,2)); INSERT INTO emp1 VALUES(3, 'Rose', 2230.20), (4, 'Jack', 899.88);
- View the data in table emp1.
1SELECT * FROM emp1;

- Create a redaction policy mask_emp1 for the table object emp1 as the administrator to make the salary column invisible to role redact_role.
1CREATE REDACTION POLICY mask_emp1 ON emp1 WHEN(pg_has_role(current_user, 'redact_role', 'member')) ADD COLUMN salary WITH mask_full(salary);
If no user is specified, the default is the current user current_user.
1CREATE REDACTION POLICY mask_emp1 ON emp1 WHEN (pg_has_role('redact_role', 'member')) ADD COLUMN salary WITH mask_full(salary);
- Grant the SELECT permission on table emp1 to user matu as the administrator.
1GRANT SELECT ON emp1 TO matu;
- Switch to user matu.
1SET ROLE matu PASSWORD '{password}';
- Query table emp as user matu. Data in the salary column is redacted.
1SELECT * FROM emp1;

Helpful Links
Usage Practices
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot