Updated on 2025-02-27 GMT+08:00

CREATE MASKING POLICY

Description

Creates a masking policy.

Precautions

Only users with the POLADMIN or SYSADMIN permission, or the initial user can perform this operation.

The masking policy takes effect only after the security policy is enabled, that is, enable_security_policy is set to on.

Syntax

1
2
3
CREATE MASKING POLICY policy_name masking_clause[, ...]* policy_filter [ 
policy_filter_clause
 ][ENABLE | DISABLE];
  • masking_clause
    1
    masking_function ON LABEL(label_name[, ...])
    
  • masking_function

    The maskall function is not preset. It is hard-coded and cannot be displayed by running \df.

    The masking methods during presetting are as follows:
    { maskall | randommasking | creditcardmasking | basicemailmasking | fullemailmasking | shufflemasking | alldigitsmasking | regexpmasking }
  • policy_filter_clause:
    1
    FILTER ON { FILTER_TYPE ( filter_value [, ...]) } [, ...]
    
  • FILTER_TYPE:
    1
    IP | APP | ROLES
    

Parameters

  • policy_name

    Specifies the audit policy name, which must be unique.

    Value range: a string that complies with the Identifier Naming Conventions.

  • label_name

    Specifies the resource label name.

  • masking_clause

    Specifies the masking function to be used to anonymize database resources labeled by label_name. schema.function can be used to specify the masking function.

  • policy_filter

    Specifies the users for which the masking policy takes effect. If this parameter is left empty, the masking policy takes effect for all users.

  • FILTER_TYPE

    Specifies the types of information to be filtered by the policy, including IP, APP, and ROLES.

  • filter_value

    Specifies the detailed information to be filtered, such as the IP address, app name, and username.

  • ENABLE|DISABLE

    Enables or disables the masking policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.

Examples

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
-- Create users dev_mask and bob_mask.
openGauss=# CREATE USER dev_mask PASSWORD '********';
openGauss=# CREATE USER bob_mask PASSWORD '********';

-- Create table tb_for_masking.
openGauss=# CREATE TABLE tb_for_masking(col1 text, col2 text, col3 text);

-- Create a resource label for sensitive column col1.
openGauss=# CREATE RESOURCE LABEL mask_lb1 ADD COLUMN(tb_for_masking.col1);

-- Create a resource label for sensitive column col2.
openGauss=# CREATE RESOURCE LABEL mask_lb2 ADD COLUMN(tb_for_masking.col2);

-- Create a masking policy for the operation of accessing sensitive column col1.
openGauss=# CREATE MASKING POLICY maskpol1 maskall ON LABEL(mask_lb1);

-- Create a masking policy that takes effect only for scenarios where users are dev_mask and bob_mask, the client tool is gsql, and IP addresses are 10.20.30.40, and 127.0.0.0/24.
openGauss=# CREATE MASKING POLICY maskpol2 randommasking ON LABEL(mask_lb2) FILTER ON ROLES(dev_mask, bob_mask), APP(gsql), IP('10.20.30.40', '127.0.0.0/24');

-- Drop masking policies.
openGauss=# DROP MASKING POLICY maskpol1, maskpol2;

-- Drop resource labels.
openGauss=# DROP RESOURCE LABEL mask_lb1, mask_lb2;

-- Drop the tb_for_masking table.
openGauss=# DROP TABLE tb_for_masking;

-- Drop the dev_mask and bob_mask users.
openGauss=# DROP USER dev_mask, bob_mask;