A redaction policy was added to the SAL column of the SCOTT.EMP table:
All users have their default set of system privileges.
For which three situations will data not be redacted?
A.
SYS sessions, regardless of the roles that are set in the session
B.
SYSTEM sessions, regardless of the roles that are set in the session
C.
SCOTT sessions, only if the MGR role is set in the session
D.
SCOTT sessions, only if the MGR role is granted to SCOTT
E.
SCOTT sessions, because he is the owner of the table
F.
SYSTEM session, only if the MGR role is set in the session
Explanation:
* SYS_CONTEXT
This is a twist on the SYS_CONTEXT function as it does not use USERENV. With this usage
SYS_CONTEXT queries the list of the user’s current default roles and returns TRUE if the role is
granted.
Example:
SYS_CONTEXT(‘SYS_SESSION_ROLES’, ‘SUPERVISOR’)
conn scott/tiger@pdborcl
SELECT sys_context(‘SYS_SESSION_ROLES’, ‘RESOURCE’)
FROM dual;
SYS_CONTEXT(‘SYS_SESSION_ROLES’,’SUPERVISOR’)
———————————————FALSE
conn sys@pdborcl as sysdbaGRANT resource TO scott;
conn scott/tiger@pdborcl
SELECT sys_context(‘SYS_SESSION_ROLES’, ‘RESOURCE’)
FROM dual;
SYS_CONTEXT(‘SYS_SESSION_ROLES’,’SUPERVISOR’)
———————————————TRUE
A,B,D
http://docs.oracle.com/cd/E16655_01/network.121/e17729/redaction.htm#ASOAG594
A, B – TRUE
Both users SYS and SYSTEM automatically have the EXEMPT REDACTION POLICY system privilege. (SYSTEM has the EXP_FULL_DATABASE role, which includes the EXEMPT REDACTION POLICY system privilege.) This means that the SYS and SYSTEM users can always bypass any existing Oracle Data Redaction policies, and will always be able to view data from tables (or views) that have Data Redaction policies defined on them
D – TRUE
SYS_CONTEX test roles MGR and in this case is TRUE then TRUE = FALSE then redaction is off
http://www.morganslibrary.org/reference/sys_context.html
ABC
ABD
A B and D appears to be correct
ABC
ABC Tested option C:
create user c##scott identified by oracle default tablespace users;
create role c##mgr;
grant c##mgr,connect,resource,unlimited tablespace to c##scott;
create table c##scott.emp(empname varchar(100),sal number);
insert into c##scott.emp values(‘Peter’,1000);
insert into c##scott.emp values(‘David’,1500);
commit;
begin
dbms_redact.add_policy(
object_schema => ‘C##SCOTT’,
object_name => ‘EMP’,
policy_name => ‘C##SCOTT_EMP’,
column_name => ‘SAL’,
expression => ‘SYS_CONTEXT(”SYS_SESSION_ROLES”,”C##MGR”) = ”FALSE”’);
end;
/
SQL> conn c##scott
Enter password:
Connected.
SQL> col empname format a20
SQL> select * from emp;
EMPNAME SAL
——————– ———-
Peter 1000
David 1500
SQL> set role none;
Role set.
SQL> select * from emp;
EMPNAME SAL
——————– ———-
Peter 0
David 0
Options C and D are bit confusing..
But you should go with ABC as final answer.
ABC
why not F? This is also a connection by user SYSTEM, and SYSTEM has the excempt redaction policy privilege.
sorry ignore my last comment. system is always excempt, and is not restricted to roles.
ACF
here are my tests :
sqlplus / as sysdba
SQL> create user c##scott identified by oracle;
User created.
SQL> create role c##mgr;
Role created.
SQL> grant c##mgr,connect,resource,unlimited tablespace to c##scott;
Grant succeeded.
SQL> create table c##scott.emp(empname varchar(7),sal number);
Table created.
SQL> insert into c##scott.emp values(‘Peter’,1000);
1 row created.
SQL> insert into c##scott.emp values(‘David’,1500);
1 row created.
SQL> commit;
Commit complete.
SQL> begin
dbms_redact.add_policy(
object_schema => ‘C##SCOTT’,
object_name => ‘EMP’,
policy_name => ‘C##SCOTT_EMP’,
column_name => ‘SAL’,
expression => ‘SYS_CONTEXT(”SYS_SESSION_ROLES”,”C##MGR”) = ”FALSE”’);
end;
/
PL/SQL procedure successfully completed.
SQL> connect / as sysdba
Connected.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYS Peter 1000
SYS David 1500
SQL> set role none;
Role set.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYS Peter 1000
SYS David 1500
— A is correct
SQL> conn c##scott
Connected.
SQL> select user,e.* from emp e;
USER EMPNAME SAL
—————————— ——- ———-
C##SCOTT Peter 1000
C##SCOTT David 1500
SQL> set role none;
Role set.
SQL> select user,e.* from emp e;
USER EMPNAME SAL
—————————— ——- ———-
C##SCOTT Peter 0
C##SCOTT David 0
— C is correct, D is wrong, E is wrong
SQL> connect system
Connected.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYSTEM Peter 1000
SYSTEM David 1500
SQL> set role none;
Role set.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYSTEM Peter 0
SYSTEM David 0
— B is wrong, F is correct
sorry, my last test was wrong
SQL> connect system
Connected.
SQL> set role dba
2 ;
Role set.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYSTEM Peter 1000
SYSTEM David 1500
— F is wrong, B is correct
ABC
NO NO!! sorry again, that question is very confusing
B.SYSTEM sessions, regardless of the roles that are set in the session
It says “regardless” so I can try with “set role none;” and then :
SQL> connect system
Connected.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYSTEM Peter 1000
SYSTEM David 1500
SQL> set role none;
Role set.
SQL> select user,e.* from c##scott.emp e;
USER EMPNAME SAL
—————————— ——- ———-
SYSTEM Peter 0
SYSTEM David 0
— B is wrong, F is correct
ACF
my last call..
B is wrong beacause I can “set role none” and data is redacted
F is wrong because I can “set role dba” and data is not redacted
so AC
SQL>
BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => ‘SCOTT’,
object_name => ‘EMP’,
policy_name => ‘SCOTT_EMP’,
column_name => ‘SAL’,
expression => ‘SYS_CONTEXT (”SYS_SESSION_ROLES”,”MGR”) = ”FALSE”’);
END;
/SQL> 2 3 4 5 6 7 8 9
SQL>
SQL> select sal from scott.emp;
SAL
———-
0
0
0
0
0
0
0
0
0
0
0
SAL
———-
0
0
0
14 rows selected.
SQL> conn
Enter user-name: system/oracle_4U
Connected.
SQL>
SQL> select sal from scott.emp;
SAL
———-
800
1600
1250
2975
1250
2850
2450
3000
5000
1500
1100
SAL
———-
950
3000
1300
14 rows selected.
SQL> conn sys /as sysdba
Enter password:
Connected.
SQL> select sal from scott.emp;
SAL
———-
800
1600
1250
2975
1250
2850
2450
3000
5000
1500
1100
SAL
———-
950
3000
1300
14 rows selected.
SQL> SELECT * FROM DBA_ROLES WHERE ROLE LIKE ‘%SCOTT%’;
no rows selected
SQL> CREATE ROLE MGR;
Role created.
SQL> GRANT MGR TO SCOTT;
Grant succeeded.
PL/SQL procedure successfully completed.
SQL> conn
Enter user-name: scott/oracle_4U
Connected.
A, B, C
SQL> grant create table to mgr with admin option;
Grant succeeded.
SQL> grant mgr to system with admin option;
Grant succeeded.
SQL> conn
Enter user-name: system/oracle_4U
Connected.
SQL> select sal from scott.emp;
SAL
———-
800
1600
1250
2975
1250
2850
2450
3000
5000
1500
1100
SAL
———-
950
3000
1300
14 rows selected.
The reason your SYSTEM can see data is because you have granted MGR role which become active when logged in. if user is created with default role, then it doesn’t become active.
so B is incorrect.
AB is true.
Data is redacted only, if the EXPRESSION ‘SYS_CONTEXT (”SYS_SESSION_ROLES”,”MGR”) = ”FALSE”’ evaluates to true:
If you grant scott the mgr role and you do a
select SYS_CONTEXT (‘SYS_SESSION_ROLES’,’MGR’) from dual;
it returns “TRUE”.
As TRUE is not the wanted output (which is “FALSE”) the whole expression is FALSE. So data is NOT redacted. D is the third right answer.
If the MGR role is not granted to Scott, the SYS_CONTEXT select returns FALSE, which is the required return value and then data is redacted.
By the way – who is able to SET a role that was not granted before? So C is definitely wrong… (ora-01924)
=> ABD
Definitely A& F. Only SYS except from the redaction policy , but not SYSTEM.
C & D could have been elaborated.
If MGR role is granted to SCOTT – when he login, he will be set that role as there is no default role, so he can see the SAL column.
If MGR is not the default role – then it has to be explicitly set to MGR Role.
ABD
D because the MGR role is granted to Scott and AB because sys and system have the EXEMPT REDACTION POLICY system privilege
How Oracle Data Redaction Affects the SYS, SYSTEM, and Default Schemas
Both users SYS and SYSTEM automatically have the EXEMPT REDACTION POLICY system privilege.
SYSTEM has the EXP_FULL_DATABASE role, which includes the EXEMPT REDACTION POLICY system privilege.
This means that the SYS and SYSTEM users can always bypass any existing Oracle Data Redaction policies, and will always be able to view data from tables (or views) that have Data Redaction policies defined on them.
ABD.first grant,then can set role.
The expression parameter of the DBMS_REDACT.ADD_POLICY procedure defines a Boolean expression that must evaluate to TRUE before the redaction can table place.
Remember that for user SYS and users who have the EXEMPT REDACTION POLICY privilege, all of the Data Redaction policies are bypassed, so the results of their queries are not redacted.
http://docs.oracle.com/cloud/latest/db121/ASOAG/redaction_config.htm#ASOAG10584
Asnwer: A, C, F
My mistake:
Oracle Data Pump Security Model for Oracle Data Redaction
The DATAPUMP_EXP_FULL_DATABASE role includes the powerful EXEMPT REDACTION POLICY system privilege. Remember that by default the DBA role is granted the DATAPUMP_EXP_FULL_DATABASE role as well as DATAPUMP_IMP_FULL_DATABASE.
Correct answer: A,B,D
ABD, agree with JJ
SYS_CONTEXT(‘SYS_SESSION_ROLES’,’MGR’) would return TRUE by default when MGR is granted. So C is correct.
However, when you set the role explicitly to NONE or to some other roles not MGR. Then D becomes correct.
5.5.3 Applying the Redaction Policy Based on Database Role
To apply a Data Redaction policy based on database roles, you can use the SYS_SESSION_ROLES namespace in the SYS_CONTEXT function, which contains attributes for each role. The value of the attribute is TRUE if the specified role is enabled for the querying application user; the value is FALSE if the role is not enabled.
For example, suppose you wanted only supervisors to be allowed to see the actual data. Example 5-2 shows how to use the DBMS_REDACT.ADD_POLICY expression parameter to set the policy to show the actual data to any application user who has the supervisor role enabled, but redact the data for all of the other application users.
Example 5-2 Applying a Data Redaction Policy by Database Role
expression => ‘SYS_CONTEXT(”SYS_SESSION_ROLES”,”SUPERVISOR”) = ”FALSE”’
A: definitely correct
B: wrong – Q says “regardless of the roles set in the session”. If we set role none, the data is redacted. Tested.
C: correct. The role must be set, not only granted. Tested.
D: wrong. The role must be set, not only granted. Tested.
E: obviously wrong
F: wrong. Privileges in the default roles of SYSTEM exempt the user from redaction. Role MGR is not a must. Tested.
So it all depends on how the question is meant. If I had to pick two, I’d pick:
AC
Possible “good” answer combinations can be:
ACF
ABD (suggested by testking)
ACD
ABC
look very carefully, there are no tricks here but ‘smart use’ of sys_context
i.e. if MGR role is granted, data is redacted
when MGR is granted,
expression => sys_context(sys_session_roles,MGR) = false
=> true = false
=> invalid
=> policy does not take effect, no data redaction
when MGR is not granted,
expression => sys_context(sys_session_roles,MGR) = false
=> false = false
=> valid
=> policy take effect, data is redacted
ABD
A,C,F
SYS is the only user that see not redact, regardless of the roles that are set in the session.
SYSTEM and normal users need the role set in the sessions. They may see the data by default once connected (due the roles set in their session automatically), but you can’t say that only the GRANT of those roles are enough to see the data, if you unset the roles from the session you wont see the data.
reference https://docs.oracle.com/cloud/latest/db121/ASOAG/redaction_config.htm#ASOAG737
A. SYS sessions, regardless of the roles that are set in the session
=> SYS is always exempted. Even ‘set role none’ does not disable redaction
B. SYSTEM sessions, regardless of the roles that are set in the session
=> If you ‘set role none’ SAL will get redacted!
C. SCOTT sessions, only if the MGR role is set in the session
=> by default all roles are set when connect session. Noneed explicit set role.
D. SCOTT sessions, only if the MGR role is granted to SCOTT
=> true
E. SCOTT sessions, because he is the owner of the table
=> false
F. SYSTEM session, only if the MGR role is set in the session
=> false. By default SYSTEM have DBA role which have EXP_FULL_DATABASE role which is granted EXEMPT REDACTION POLICY system privilege
Another shitty question. My choice ACD