The ExampleBANK security administrator further restricts data access by using column masks, a part of row and column access control. Column masks hide data returned to users or applications by column unless they are permitted to view the data.
Customer service representatives can see all clients in the ExampleBANK system, but they are not permitted to view full account numbers unless they are using a specific application.
CREATE MASK ACCOUNT_COL_MASK ON RCACTSPM.CUSTOMER FOR
------------------------------------------------------------
-- Account number information:
-- Role customer service representative (CSR) is allowed to
-- access account number information only when they are using
-- the account update application. This application is
-- identified through stored procedure ACCOUNTS.ACCTUPDATE.
-- If a CSR queries this data outside of this application, the
-- account information is masked and the first 12 digits are
-- replaced with "x".
------------------------------------------------------------
COLUMN ACCOUNT RETURN
    CASE WHEN (VERIFY_ROLE_FOR_USER (USER, 'CSR') = 1 AND
               ROUTINE_SPECIFIC_NAME = 'ACCTUPDATE' AND
               ROUTINE_SCHEMA = 'ACCOUNTS' AND
               ROUTINE_TYPE = 'P')
         THEN ACCOUNT
         ELSE 'xxxx-xxxx-xxxx-' || SUBSTR(ACCOUNT,16,4)
    END
ENABLE;

-- Activate column access control to implement column masks
ALTER TABLE RCACTSPM.CUSTOMER ACTIVATE COLUMN ACCESS CONTROL;
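
The following checks are an added example, not part of the original scenario: they confirm that the mask above is actually in force and that the stored data matches what the mask expression expects. They assume the Db2 for Linux, UNIX and Windows catalog views SYSCAT.CONTROLS and SYSCAT.TABLES, and an account format of 'nnnn-nnnn-nnnn-nnnn' (19 characters), which is inferred from SUBSTR(ACCOUNT,16,4).

```sql
-- Added example: post-deployment checks for ACCOUNT_COL_MASK.
-- Assumption: Db2 LUW catalog views (SYSCAT.*).

-- 1. The mask exists on the expected column, is enabled and is valid.
--    Expected: CONTROLTYPE = 'C' (column mask), ENABLE = 'Y', VALID = 'Y'.
SELECT CONTROLNAME, COLNAME, CONTROLTYPE, ENABLE, VALID
  FROM SYSCAT.CONTROLS
 WHERE TABSCHEMA   = 'RCACTSPM'
   AND TABNAME     = 'CUSTOMER'
   AND CONTROLNAME = 'ACCOUNT_COL_MASK';

-- 2. Column access control is activated on the table. An enabled mask
--    has no effect until the ALTER TABLE ... ACTIVATE statement has run.
--    Expected: CONTROL = 'C' (column) or 'B' (both row and column).
SELECT TABNAME, CONTROL
  FROM SYSCAT.TABLES
 WHERE TABSCHEMA = 'RCACTSPM'
   AND TABNAME   = 'CUSTOMER';

-- 3. The mask expression keeps characters 16-19 of ACCOUNT, so values
--    that are not 19 characters long would be masked incorrectly.
--    Expected: 0. (Assumed format: 'nnnn-nnnn-nnnn-nnnn'.)
SELECT COUNT(*) AS UNEXPECTED_FORMAT
  FROM RCACTSPM.CUSTOMER
 WHERE LENGTH(ACCOUNT) <> 19;

-- 4. Run as a user who holds role CSR, directly and not through
--    ACCOUNTS.ACCTUPDATE. Every returned value should read
--    'xxxx-xxxx-xxxx-' followed by the last four digits.
--    Inspect the returned column itself: masks are applied to the
--    values returned, while WHERE predicates still evaluate against
--    the stored value, so a filter on ACCOUNT cannot confirm masking.
SELECT ACCOUNT
  FROM RCACTSPM.CUSTOMER
 FETCH FIRST 5 ROWS ONLY;
```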