Use SYS_APPLIED_MASKING_POLICY_LOG to trace the application of dynamic data masking policies on queries that reference DDM-protected relations.

SYS_APPLIED_MASKING_POLICY_LOG is visible to the following users:

  • Superusers

  • Users with the sys:operator role

  • Users with the ACCESS SYSTEM TABLE permission

Regular users will see 0 rows.

Note that SYS_APPLIED_MASKING_POLICY_LOG isn’t visible to users with the sys:secadmin role.

For more information on dynamic data masking, go to Dynamic data masking.

Table columns

Column name Data type Description
policy_name text The name of the masking policy.
user_id text The ID of the user who ran the query.
record_time timestamp The time that the system view entry was recorded.
session_id int The process ID.
transaction_id long The transaction ID.
query_id int The query ID.
database_name text The name of the database on which the query was run.
relation_name text The name of the table that the masking policy is applied to.
schema_name text The name of the schema that the table is in.
attachment_id long The attached masking policy's ID.
relation_kind text The type of the relation that the masking policy is applied to. Possible values are TABLE, VIEW, LATE BINDING VIEW, and MATERIALIZED VIEW.

Sample queries

The following example shows that the mask_credit_card_full masking policy is attached to the credit_db.public.credit_cards table.

select policy_name, database_name, relation_name, schema_name, relation_kind from sys_applied_masking_policy_log; policy_name | database_name | relation_name | schema_name | relation_kind ----------------------+---------------+---------------+-------------+--------------- mask_credit_card_full | credit_db | credit_cards | public | table (1 row)