nerdexam
Oracle

1Z0-062 · Question #88

A redaction policy was added to the SAL column of the SCOTT.EMP table: All users have their default set of system privileges. For which three situations will data not be redacted?

The correct answer is A. SYS sessions, regardless of the roles that are set in the session B. SYSTEM sessions, regardless of the roles that are set in the session D. SCOTT sessions, only if the MGR role is granted to SCOTT. Oracle Data Redaction always exempts SYS and SYSTEM unconditionally, and suppresses redaction for any user when the policy expression evaluates to TRUE - such as when a qualifying role is directly granted and therefore active by default.

Administering User Security

Question

A redaction policy was added to the SAL column of the SCOTT.EMP table:

All users have their default set of system privileges. For which three situations will data not be redacted?

Exhibit

1Z0-062 question #88 exhibit

Options

  • ASYS sessions, regardless of the roles that are set in the session
  • BSYSTEM sessions, regardless of the roles that are set in the session
  • CSCOTT sessions, only if the MGR role is set in the session
  • DSCOTT sessions, only if the MGR role is granted to SCOTT
  • ESCOTT sessions, because he is the owner of the table
  • FSYSTEM session, only if the MGR role is set in the session

How the community answered

(19 responses)
  • A
    47% (9)
  • C
    26% (5)
  • E
    16% (3)
  • F
    11% (2)

Why each option

Oracle Data Redaction always exempts SYS and SYSTEM unconditionally, and suppresses redaction for any user when the policy expression evaluates to TRUE - such as when a qualifying role is directly granted and therefore active by default.

ASYS sessions, regardless of the roles that are set in the sessionCorrect

SYS is always exempt from Oracle Data Redaction policies by design at the database engine level. No policy expression, role assignment, or session context can cause data to be redacted for a SYS session.

BSYSTEM sessions, regardless of the roles that are set in the sessionCorrect

SYSTEM is also always exempt from Oracle Data Redaction, so any session authenticated as SYSTEM will see unredacted column values regardless of which roles are enabled or disabled in that session.

CSCOTT sessions, only if the MGR role is set in the session

A role that has not been granted to SCOTT cannot be legitimately set active in SCOTT's session, so this scenario is not a valid state - the correct exempting condition is the direct grant described in option D.

DSCOTT sessions, only if the MGR role is granted to SCOTTCorrect

When the MGR role is directly granted to SCOTT, it is active in SCOTT's sessions by default, causing the redaction policy expression - which checks SYS_SESSION_ROLES for the MGR role - to evaluate as TRUE, thereby suppressing redaction and exposing the unmasked SAL value.

ESCOTT sessions, because he is the owner of the table

Table ownership does not exempt a user from Oracle Data Redaction - SCOTT as the owner of EMP will still see a redacted SAL value unless a role-based or privilege-based exemption applies to his session.

FSYSTEM session, only if the MGR role is set in the session

SYSTEM is unconditionally exempt from redaction at all times, making the conditional qualifier 'only if the MGR role is set in the session' factually incorrect - SYSTEM never requires any role to bypass redaction policies.

Concept tested: Oracle Data Redaction exemptions for privileged users and roles

Source: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/using-oracle-data-redaction.html

Topics

#data redaction#data security#data masking#privileges

Community Discussion

No community discussion yet for this question.

Full 1Z0-062 Practice