which three situations will data not be redacted?

A redaction policy was added to the SAL column of the SCOTT.EMP table:

All users have their default set of system privileges.
For which three situations will data not be redacted?

A redaction policy was added to the SAL column of the SCOTT.EMP table:

All users have their default set of system privileges.
For which three situations will data not be redacted?

A.
SYS sessions, regardless of the roles that are set in the session

B.
SYSTEM sessions, regardless of the roles that are set in the session

C.
SCOTT sessions, only if the MGR role is set in the session

D.
SCOTT sessions, only if the MGR role is granted to SCOTT

E.
SCOTT sessions, because he is the owner of the table

F.
SYSTEM session, only if the MGR role is set in the session

Explanation:

* SYS_CONTEXT
This is a twist on the SYS_CONTEXT function as it does not use USERENV. With this usage
SYS_CONTEXT queries the list of the user’s current default roles and returns TRUE if the role is
granted.
Example:
SYS_CONTEXT(‘SYS_SESSION_ROLES’, ‘SUPERVISOR’)
conn scott/tiger@pdborcl
SELECT sys_context(‘SYS_SESSION_ROLES’, ‘RESOURCE’)
FROM dual;
SYS_CONTEXT(‘SYS_SESSION_ROLES’,’SUPERVISOR’)
———————————————FALSE
conn sys@pdborcl as sysdba
GRANT resource TO scott;
conn scott/tiger@pdborcl
SELECT sys_context(‘SYS_SESSION_ROLES’, ‘RESOURCE’)
FROM dual;
SYS_CONTEXT(‘SYS_SESSION_ROLES’,’SUPERVISOR’)
———————————————TRUE

Show Hint

Leave a Reply 9

Your email address will not be published. Required fields are marked *

Jeroen

Jeroen

A,B,D. Look below

sqlplus ocp/ocp

SQL*Plus: Release 12.1.0.1.0 Production on Fri May 2 08:59:19 2014

Copyright (c) 1982, 2013, Oracle. All rights reserved.

Last Successful login time: Fri May 02 2014 08:44:37 +02:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 – 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options

SQL>create table t (k1 number);

insert into t values (8);

select * from ocp.t;
K1
———-
8

SQL> commit;

Commit complete.

SQL> connect sys/***** as sysdba
Connected.

BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => ‘ocp’,
object_name => ‘t’,
column_name => ‘k1’,
policy_name => ‘redact_cust_user_ids’,
function_type => DBMS_REDACT.FULL,
expression => ‘SYS_CONTEXT(”SYS_SESSION_ROLES”,”MGR”) = ”FALSE”’);
END;
/
select * from ocp.t;
K1
———-
8

SQL> connect ocp/ocp
Connected.
SQL> select * from ocp.t;

K1
———-
0

SQL> connect system/*****
Connected.
SQL> select * from ocp.t;

K1
———-
8
SQL> connect sys/**** as sysdba;
Connected.
SQL> create role mgr;

Role created.

SQL> grant mgr to ocp;

Grant succeeded.

SQL> connect ocp/ocp
Connected.
SQL> select * from ocp.t;

K1
———-
8

Reply

Noname

Noname

Thanks Jeroen, but ABC, not ABD

Reply

SK

SK

ABD is correct. The mgr role should be granted to scott else the set role will fail.

SQL> conn sys/************@pdb1 as sysdba
Connected.
SQL> create role mgr;

Role created.

SQL> grant mgr to ocp;

Grant succeeded.

SQL> conn ocp/ocp@pdb1
Connected.
SQL>
SQL> select * From t;

K1
———-
8

SQL> set role mgr;

Role set.

SQL> select * From t;

K1
———-
8

SQL> conn sys/********@pdb1 as sysdba
Connected.
SQL> revoke mgr from ocp;

Revoke succeeded.

SQL> conn ocp/ocp@pdb1
Connected.
SQL> select * From t;

K1
———-
0

SQL> set role mgr ;
set role mgr
*
ERROR at line 1:
ORA-01924: role ‘MGR’ not granted or does not exist

SQL> conn sys/*********@pdb1 as sysdba
Connected.
SQL> grant mgr to ocp;

Grant succeeded.

SQL> conn ocp/ocp@pdb1
Connected.
SQL> set role mgr ;

Role set.

SQL> select * From t;

K1
———-
8

Reply

H*T*H

H*T*H

The given answer, ADF is wrong.
A is correct. The SYS user is exempt from all redaction policies by default.
B is wrong (maybe). The roles which SYSTEM has are significant. The sys priv which allows a user to avoid redaction policies is EXEMPT REDACTION POLICY. This sys priv is granted to the role EXP_FULL_DATABASE which in turn is granted to the DBA role. The DBA role is granted to the SYSTEM user by default. Hence, out of the box, the SYSTEM user is also exempt from all redaction policies, just like SYS is. So, SYSTEM being exempt cannot be “regardless” of the roles set in its session. That said, the question states all users have their default set of system privileges, so data would not be redacted for SYSTEM irrespective of whether or not it had the MGR role.
C is correct (maybe). All roles granted to a user are active or enabled concurrently. The only exception is where a role is password protected. In which case, to enable that role, the user has to use SET ROLE IDENTIFIED BY ; That will enable the role in the current session. If the MGR role were password protected, then upon log in SCOTT would not have that role enabled. He would therefore not be able to see the non-redacted data in EMP.SAL. If he then used SET ROLE… then he would be able to see the non-redacted data.
D is correct (maybe). We are not told if the MGR role is password protected or not. If it were, granting MGR to SCOTT would not be sufficient to enable it. He would have to use SET ROLE… for the role to become active (enabled) in his session. If the MGR role were not password protected, then granting it to SCOTT would be sufficient to enable it when SCOTT logs in. In which case, he would be able to see the non-redacted data in EMP.SAL.
E is wrong. Ownership of the table is irrelevant. It is possible to enable a redaction policy which redacts data in a table you own. Just because you own the table does not mean you automatically have access to the data it contains where data redaction is concerned.
F is wrong for the reason given. Even if SYSTEM did not have the MGR role, it would still be able to see non-redacted data in SCOTT.EMP.SAL because it is granted EXEMPT REDACTION POLICY via the DBA role which it has by default.

H*T*H

Reply

Mohamed

Mohamed

As per the question “All users have their default set of system privileges.” and I do not think that MGR role is a default role!
This means that setting MGR role in the session is not applicable! C and F are incorrect.
E is incorrect for sure.
A and D are correct answers, not sure about B, because if we issued “set role none;” for the system user, he will not be able to see the redacted data!

I would select ABD.

Reply

Alex

Alex

I believe it should be ABC as MGR role should be not just granted to SCOTT but set for the session to see the data without redaction

Reply