用于动态数据掩蔽的系统视图
超级用户、具有 sys:operator
角色的用户和具有 ACCESS SYSTEM TABLE 权限的用户可以访问以下与 DDM 相关的系统视图。
使用 SVV_MASKING_POLICY 可查看在集群或工作组上创建的所有屏蔽策略。
-
使用 SVV_ATTACHED_MASKING_POLICY 可查看已在当前连接的数据库上附加了策略的所有关系和角色或用户。
SYS_APPLIED_MASKING_POLICY_LOG
使用 SYS_APPLIED_MASKING_POLICY_LOG 可跟踪屏蔽策略在引用受 DDM 保护关系的查询上的应用情况。
下面是使用系统视图可以找到的一些信息示例。
--Select all policies associated with specific users, as opposed to roles SELECT policy_name, schema_name, table_name, grantee FROM svv_attached_masking_policy WHERE grantee_type = 'user'; --Select all policies attached to a specific user SELECT policy_name, schema_name, table_name, grantee FROM svv_attached_masking_policy WHERE grantee = '
target_grantee_name
' --Select all policies attached to a given table SELECT policy_name, schema_name, table_name, grantee FROM svv_attached_masking_policy WHERE table_name = 'target_table_name
' AND schema_name = 'target_schema_name
'; --Select the highest priority policy attachment for a given role SELECT samp.policy_name, samp.priority, samp.grantee, smp.policy_expression FROM svv_masking_policy AS smp JOIN svv_attached_masking_policy AS samp ON samp.policy_name = smp.policy_name WHERE samp.grantee_type = 'role' AND samp.policy_name = mask_get_policy_for_role_on_column( 'target_schema_name
', 'target_table_name
', 'target_column_name
', 'target_role_name
') ORDER BY samp.priority desc LIMIT 1; --See which policy a specific user will see on a specific column in a given relation SELECT samp.policy_name, samp.priority, samp.grantee, smp.policy_expression FROM svv_masking_policy AS smp JOIN svv_attached_masking_policy AS samp ON samp.policy_name = smp.policy_name WHERE samp.grantee_type = 'role' AND samp.policy_name = mask_get_policy_for_user_on_column( 'target_schema_name
', 'target_table_name
', 'target_column_name
', 'target_user_name
') ORDER BY samp.priority desc; --Select all policies attached to a given relation. SELECT policy_name, schema_name, relation_name, database_name FROM sys_applied_masking_policy_log WHERE relation_name = 'relation_name' AND schema_name = 'schema_name';