ALTER MASKING POLICY

Function

ALTER MASKING POLICY modifies anonymization policies.

Precautions

  • Only user poladmin, user sysadmin, or the initial user can perform this operation.
  • The masking policy takes effect only after enable_security_policy is set to on. For details about how to enable the masking policy, see “Database Configuration > Database Security Management Policies > Dynamic Data Masking” in the Security Hardening Guide.

Syntax

  • Modify the policy description.

    ALTER MASKING POLICY policy_name COMMENTS policy_comments;
    
  • Modify the anonymization method.

    ALTER MASKING POLICY policy_name [ADD | REMOVE | MODIFY] masking_actions[, ...]*;

    The syntax of masking_action is as follows:

    masking_function ON LABEL(label_name[, ...]*)
    
  • Modify the scenarios where the anonymization policies take effect.

    ALTER MASKING POLICY policy_name MODIFY(FILTER ON FILTER_TYPE(filter_value[, ...]*)[, ...]*);
    
  • Remove the filters of the anonymization policies.

    ALTER MASKING POLICY policy_name DROP FILTER;
    
  • Enable or disable the anonymization policies.

    ALTER MASKING POLICY policy_name [ENABLE | DISABLE];
    

Parameter Description

  • policy_name

    Specifies the anonymization policy name, which must be unique.

    Value range: a string. It must comply with the naming convention.

  • policy_comments

    Adds or modifies the description of the anonymization policy.

  • masking_function

    Specifies the anonymization method. Seven preset methods are available:

    maskall | randommasking | creditcardmasking | basicemailmasking | fullemailmasking | shufflemasking | alldigitsmasking 
    
  • label_name

    Specifies the resource label name.

  • FILTER_TYPE

    Specifies the types of information to be filtered by the policies: IP, ROLES, and APP.

  • filter_value

    Indicates the detailed information to be filtered, such as the IP address, app name, and username.

  • ENABLE|DISABLE

    Enables or disables the masking policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.

Examples

-- Create users dev_mask and bob_mask.
postgres=# CREATE USER dev_mask PASSWORD 'dev@1234';
postgres=# CREATE USER bob_mask PASSWORD 'bob@1234';

-- Create table tb_for_masking.
postgres=# CREATE TABLE tb_for_masking(col1 text, col2 text, col3 text);

-- Create a resource label to label sensitive column col1.
postgres=# CREATE RESOURCE LABEL mask_lb1 ADD COLUMN(tb_for_masking.col1);

-- Create a resource label to label sensitive column col2.
postgres=# CREATE RESOURCE LABEL mask_lb2 ADD COLUMN(tb_for_masking.col2);

-- Create an anonymization policy for the operation of accessing sensitive column col1.
postgres=# CREATE MASKING POLICY maskpol1 maskall ON LABEL(mask_lb1);

-- Add description for anonymization policy maskpol1.
postgres=# ALTER MASKING POLICY maskpol1 COMMENTS 'masking policy for tb_for_masking.col1';

-- Modify anonymization policy maskpol1 to add an anonymization method.
postgres=# ALTER MASKING POLICY maskpol1 ADD randommasking ON LABEL(mask_lb2);

-- Modify anonymization policy maskpol1 to remove an anonymization method.
postgres=# ALTER MASKING POLICY maskpol1 REMOVE randommasking ON LABEL(mask_lb2);

-- Modify anonymization policy maskpol1 to modify an anonymization method.
postgres=# ALTER MASKING POLICY maskpol1 MODIFY randommasking ON LABEL(mask_lb1);

-- Modify anonymization policy maskpol1 so that it takes effect only for scenarios where users are dev_mask and bob_mask, client tools are psql and gsql, and the IP addresses are 10.20.30.40 and 127.0.0.0/24.
postgres=# ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask, bob_mask), APP(psql, gsql), IP('10.20.30.40', '127.0.0.0/24'));

-- Modify anonymization policy maskpol1 so that it takes effect for all user scenarios.
postgres=# ALTER MASKING POLICY maskpol1 DROP FILTER;

-- Disable anonymization policy maskpol1.
postgres=# ALTER MASKING POLICY maskpol1 DISABLE;
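
A change-review check built on the syntax above, as an added example (not openGauss code): it scans a migration script for ALTER MASKING POLICY statements that can reduce what is masked (DISABLE, REMOVE, MODIFY of a method, or a FILTER change) so that they get explicit sign-off. The function names, the review rule, and the sample script are assumptions of this example.

```python
import re

# Preset masking functions listed on this page.
FUNCS = {"maskall", "randommasking", "creditcardmasking", "basicemailmasking",
         "fullemailmasking", "shufflemasking", "alldigitsmasking"}
STMT = re.compile(r"ALTER\s+MASKING\s+POLICY\s+(\w+)\s+(.+)", re.I | re.S)
ACTION = re.compile(r"(ADD|REMOVE|MODIFY)\s+(\w+)\s+ON\s+LABEL\s*\(", re.I)
FILTER = re.compile(r"MODIFY\s*\(\s*FILTER\s+ON\b", re.I)

def classify(stmt):
    """Return (policy, needs_review, reason), or None if stmt is not ALTER MASKING POLICY."""
    m = STMT.fullmatch(stmt.strip())
    if not m:
        return None
    policy, rest = m.group(1), " ".join(m.group(2).split())
    if rest.upper() == "DISABLE":
        return policy, True, "policy disabled"
    if rest.upper() in ("ENABLE", "DROP FILTER") or rest.upper().startswith("COMMENTS "):
        return policy, False, rest.split()[0].upper()
    if FILTER.match(rest):
        return policy, True, "sessions outside the filter are not masked by this policy"
    a = ACTION.match(rest)
    if a and a.group(2).lower() in FUNCS:
        verb = a.group(1).upper()
        # ADD extends masking to more labels; REMOVE and MODIFY change what is already masked.
        return policy, verb != "ADD", verb + " " + a.group(2).lower()
    return policy, True, "unrecognized clause"

def review(script):
    """Return [(policy, reason)] for statements that need sign-off.
    Assumes no ';' inside string literals (simple split, not a full SQL lexer)."""
    lines = [l for l in script.splitlines() if not l.lstrip().startswith("--")]
    hits = []
    for stmt in "\n".join(lines).split(";"):
        result = classify(stmt) if stmt.strip() else None
        if result and result[1]:
            hits.append((result[0], result[2]))
    return hits

# Constructed sample: the ALTER statements from the Examples section, as a migration script.
SAMPLE = """
-- constructed migration script
ALTER MASKING POLICY maskpol1 COMMENTS 'masking policy for tb_for_masking.col1';
ALTER MASKING POLICY maskpol1 ADD randommasking ON LABEL(mask_lb2);
ALTER MASKING POLICY maskpol1 REMOVE randommasking ON LABEL(mask_lb2);
ALTER MASKING POLICY maskpol1 MODIFY randommasking ON LABEL(mask_lb1);
ALTER MASKING POLICY maskpol1 MODIFY (FILTER ON ROLES(dev_mask, bob_mask), APP(psql, gsql));
ALTER MASKING POLICY maskpol1 DROP FILTER;
ALTER MASKING POLICY maskpol1 DISABLE;
"""
```

Calling `review(SAMPLE)` returns the REMOVE, MODIFY, FILTER and DISABLE statements; COMMENTS, ADD and DROP FILTER pass without a flag.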

Helpful Links

CREATE MASKING POLICY and DROP MASKING POLICY

openGauss 2024-05-06 00:44:54