ALTER MASKING POLICY

Function

ALTER MASKING POLICY modifies masking policies.

Precautions

  • Only users with the poladmin or sysadmin permission, or the initial user can perform this operation.
  • The masking policy takes effect only after enable_security_policy is set to on.
  • For details about the execution effect and supported data types of preset masking functions, see “Database Security > Dynamic Data Masking” in Feature Description.

Syntax

  • Modify the policy description.

    ALTER MASKING POLICY policy_name COMMENTS policy_comments;
    
  • Modify the masking method.

    ALTER MASKING POLICY policy_name [ADD | REMOVE | MODIFY] masking_actions[, ...]*;
    The syntax of masking_action.
        masking_function ON LABEL(label_name[, ...]*)
    
  • Modify the scenarios where the masking policies take effect.

    ALTER MASKING POLICY policy_name MODIFY(FILTER ON FILTER_TYPE(filter_value[, ...]*)[, ...]*);
    
  • Removes the filters of the masking policies.

    ALTER MASKING POLICY policy_name DROP FILTER;
    
  • Enable or disable the masking policies.

    ALTER MASKING POLICY policy_name [ENABLE | DISABLE];
    

Parameter Description

  • policy_name

    Specifies the masking policy name, which must be unique.

    Value range: a string. It must comply with the naming convention.

  • policy_comments

    Adds or modifies description of masking policies.

  • masking_function

    Specifies eight preset masking methods or user-defined functions. Schemas are supported.

    maskall is not a preset function. It is hard-coded and cannot be displayed by running \df.

    The masking methods during presetting are as follows:

    maskall | randommasking | creditcardmasking | basicemailmasking | fullemailmasking | shufflemasking | alldigitsmasking | regexpmasking 
    
  • label_name

    Specifies the resource label name.

  • FILTER_TYPE

    Specifies the types of information to be filtered by the policies: IP, ROLES, and APP.

  • filter_value

    Indicates the detailed information to be filtered, such as the IP address, app name, and username.

  • ENABLE|DISABLE

    Enables or disables the masking policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.

Examples

-- Create users dev_mask and bob_mask.
openGauss=# CREATE USER dev_mask PASSWORD 'dev@1234';
openGauss=# CREATE USER bob_mask PASSWORD 'bob@1234';

-- Create table tb_for_masking.
openGauss=# CREATE TABLE tb_for_masking(col1 text, col2 text, col3 text);

-- Create a resource label for label sensitive column col1.
openGauss=# CREATE RESOURCE LABEL mask_lb1 ADD COLUMN(tb_for_masking.col1);

-- Create a resource label for label sensitive column col2.
openGauss=# CREATE RESOURCE LABEL mask_lb2 ADD COLUMN(tb_for_masking.col2);

-- Create a masking policy for the operation of accessing sensitive column col1.
openGauss=# CREATE MASKING POLICY maskpol1 maskall ON LABEL(mask_lb1);

-- Add description for masking policy maskpol1.
openGauss=# ALTER MASKING POLICY maskpol1 COMMENTS 'masking policy for tb_for_masking.col1';

-- Modify masking policy maskpol1 to add a masking method.
openGauss=# ALTER MASKING POLICY maskpol1 ADD randommasking ON LABEL(mask_lb2);

-- Modify masking policy maskpol1 to remove a masking method.
openGauss=# ALTER MASKING POLICY maskpol1 REMOVE randommasking ON LABEL(mask_lb2);

-- Modify masking policy maskpol1 to modify a masking method.
openGauss=# ALTER MASKING POLICY maskpol1 MODIFY randommasking ON LABEL(mask_lb1);

-- Modify masking policy maskpol1 so that it takes effect only for scenarios where users are dev_mask and bob_mask, client tools are psql and gsql, and the IP addresses are 10.20.30.40 and 127.0.0.0/24.
openGauss=# ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask, bob_mask), APP(psql, gsql), IP('10.20.30.40', '127.0.0.0/24'));

-- Modify masking policy maskpol1 so that it takes effect for all user scenarios.
openGauss=# ALTER MASKING POLICY maskpol1 DROP FILTER;

-- Disable masking policy maskpol1.
openGauss=# ALTER MASKING POLICY maskpol1 DISABLE;

Helpful Links

CREATE MASKING POLICY and DROP MASKING POLICY

Feedback
编组 3备份
    openGauss 2024-10-14 01:18:03
    cancel