1Z0-062 · Question #88
A redaction policy was added to the SAL column of the SCOTT.EMP table: All users have their default set of system privileges. For which three situations will data not be redacted?
The correct answer is A. SYS sessions, regardless of the roles that are set in the session B. SYSTEM sessions, regardless of the roles that are set in the session D. SCOTT sessions, only if the MGR role is granted to SCOTT. Oracle Data Redaction always exempts SYS and SYSTEM unconditionally, and suppresses redaction for any user when the policy expression evaluates to TRUE - such as when a qualifying role is directly granted and therefore active by default.
Question
A redaction policy was added to the SAL column of the SCOTT.EMP table:
All users have their default set of system privileges. For which three situations will data not be redacted?
Exhibit
Options
- ASYS sessions, regardless of the roles that are set in the session
- BSYSTEM sessions, regardless of the roles that are set in the session
- CSCOTT sessions, only if the MGR role is set in the session
- DSCOTT sessions, only if the MGR role is granted to SCOTT
- ESCOTT sessions, because he is the owner of the table
- FSYSTEM session, only if the MGR role is set in the session
How the community answered
(19 responses)- A47% (9)
- C26% (5)
- E16% (3)
- F11% (2)
Why each option
Oracle Data Redaction always exempts SYS and SYSTEM unconditionally, and suppresses redaction for any user when the policy expression evaluates to TRUE - such as when a qualifying role is directly granted and therefore active by default.
SYS is always exempt from Oracle Data Redaction policies by design at the database engine level. No policy expression, role assignment, or session context can cause data to be redacted for a SYS session.
SYSTEM is also always exempt from Oracle Data Redaction, so any session authenticated as SYSTEM will see unredacted column values regardless of which roles are enabled or disabled in that session.
A role that has not been granted to SCOTT cannot be legitimately set active in SCOTT's session, so this scenario is not a valid state - the correct exempting condition is the direct grant described in option D.
When the MGR role is directly granted to SCOTT, it is active in SCOTT's sessions by default, causing the redaction policy expression - which checks SYS_SESSION_ROLES for the MGR role - to evaluate as TRUE, thereby suppressing redaction and exposing the unmasked SAL value.
Table ownership does not exempt a user from Oracle Data Redaction - SCOTT as the owner of EMP will still see a redacted SAL value unless a role-based or privilege-based exemption applies to his session.
SYSTEM is unconditionally exempt from redaction at all times, making the conditional qualifier 'only if the MGR role is set in the session' factually incorrect - SYSTEM never requires any role to bypass redaction policies.
Concept tested: Oracle Data Redaction exemptions for privileged users and roles
Source: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/using-oracle-data-redaction.html
Topics
Community Discussion
No community discussion yet for this question.
