To flag a column as a sensitive column, the script API_SCURTY.ADD_SCOL_DISCOVER_RULE can be used. Any column which matches all include patterns and none of the exclude patterns is automatically flagged as a sensitive column. All of the include patterns have to be provided, while the exclude patterns and the rule comment are optional. However, be careful with the include patterns: by default they are all set to '.*', meaning that every schema, object, column and comment will be flagged as belonging to the sensitive columns unless those values are changed accordingly.
In the example below we want to include all schemas starting with 'PSV_TEST'; however, schemas ending with '_RAW' or '_BA' should be excluded. Furthermore, all objects ending with '_TAB' should be included and no objects should be excluded. For the columns we want to include all of them except those containing TDATE in their name. Comment-wise we do not want to specifically include or exclude any of them.
```sql
EXECUTE SCRIPT API_SCURTY.ADD_SCOL_DISCOVER_RULE(
   'PSV_TEST.*'       -- p_schema_incl_pattern
  ,'.*_(RAW|BA)'      -- p_schema_excl_pattern
  ,'.*_TAB'           -- p_object_incl_pattern
  ,null               -- p_object_excl_pattern
  ,'.*'               -- p_column_incl_pattern
  ,'.*TDATE.*'        -- p_column_excl_pattern
  ,'.*'               -- p_comment_incl_pattern
  ,null               -- p_comment_excl_pattern
  ,'scol-test'        -- p_rule_comment
);
```
After issuing the command above, an entry is added to the table SCURTY.REP_SCOL_DISCOVER_RULES.
RULE_ID | SCHEMA_INCL_PATTERN | SCHEMA_EXCL_PATTERN | OBJECT_INCL_PATTERN | OBJECT_EXCL_PATTERN | COLUMN_INCL_PATTERN | COLUMN_EXCL_PATTERN | COMMENT_INCL_PATTERN | COMMENT_EXCL_PATTERN | RULE_COMMENT |
---|---|---|---|---|---|---|---|---|---|
43 | PSV_TEST.* | .*_(RAW\|BA) | .*_TAB | (null) | .* | .*TDATE.* | .* | (null) | scol-test |
To change any of the parameters of a sensitive column rule, one can use the script API_SCURTY.CHANGE_SCOL_DISCOVER_RULE. By providing null for a parameter, the already saved value for this parameter is kept. By setting any other value for a parameter, this value overwrites the current one. By providing ' ' the value is set back to (null).
In the example below, all of the parameters stay the same except for the schema exclusion pattern, which is reset to (null), and the rule comment. To change these parameters, the rule id of the rule to be changed needs to be provided to the script. The rule id can be found in the table SCURTY.REP_SCOL_DISCOVER_RULES.
```sql
EXECUTE SCRIPT API_SCURTY.CHANGE_SCOL_DISCOVER_RULE(
   43                 -- p_rule_id
  ,null               -- p_schema_incl_pattern
  ,' '                -- p_schema_excl_pattern
  ,null               -- p_object_incl_pattern
  ,null               -- p_object_excl_pattern
  ,null               -- p_column_incl_pattern
  ,null               -- p_column_excl_pattern
  ,null               -- p_comment_incl_pattern
  ,null               -- p_comment_excl_pattern
  ,'scol-test-change' -- p_rule_comment
);
```
After this command has been issued, the changes can be seen in the table SCURTY.REP_SCOL_DISCOVER_RULES.
RULE_ID | SCHEMA_INCL_PATTERN | SCHEMA_EXCL_PATTERN | OBJECT_INCL_PATTERN | OBJECT_EXCL_PATTERN | COLUMN_INCL_PATTERN | COLUMN_EXCL_PATTERN | COMMENT_INCL_PATTERN | COMMENT_EXCL_PATTERN | RULE_COMMENT |
---|---|---|---|---|---|---|---|---|---|
43 | PSV_TEST.* | (null) | .*_TAB | (null) | .* | .*TDATE.* | .* | (null) | scol-test-change |
To remove a rule which is used to flag a column as a sensitive column, the script API_SCURTY.REMOVE_SCOL_DISCOVER_RULE can be used. The rule id of the rule to be removed has to be provided to that script. It can be found in the table SCURTY.REP_SCOL_DISCOVER_RULES.
```sql
EXECUTE SCRIPT API_SCURTY.REMOVE_SCOL_DISCOVER_RULE(
   43                 -- p_rule_id
);
```
After issuing the script above, the entry for the sensitive column rule with id 43 is removed from the table SCURTY.REP_SCOL_DISCOVER_RULES.
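As an added illustration (not part of the tool's own code), the following Python models the matching semantics described at the start of this section, namely that a column is flagged only when every include pattern matches and no exclude pattern does, together with the null / ' ' handling of CHANGE_SCOL_DISCOVER_RULE. It assumes patterns are matched against the whole value, case-sensitively, and that a (null) exclude pattern excludes nothing; the catalog rows are constructed.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Assumptions (not stated on the page): patterns are matched against the whole
# value, case-sensitively, and a (null) exclude pattern excludes nothing.

@dataclass
class ScolRule:
    # One row of SCURTY.REP_SCOL_DISCOVER_RULES; include patterns default to '.*'.
    rule_id: int
    schema_incl: Optional[str] = ".*"
    schema_excl: Optional[str] = None
    object_incl: Optional[str] = ".*"
    object_excl: Optional[str] = None
    column_incl: Optional[str] = ".*"
    column_excl: Optional[str] = None
    comment_incl: Optional[str] = ".*"
    comment_excl: Optional[str] = None
    rule_comment: Optional[str] = None

def _matches(pattern: Optional[str], value: Optional[str]) -> bool:
    """A (null) pattern never matches; a (null) catalog value is matched as ''."""
    return pattern is not None and re.fullmatch(pattern, value or "") is not None

def is_sensitive(rule: ScolRule, schema: str, obj: str, column: str,
                 comment: Optional[str] = None) -> bool:
    """Flagged only if every include pattern matches and no exclude pattern does."""
    checks = [(rule.schema_incl, rule.schema_excl, schema),
              (rule.object_incl, rule.object_excl, obj),
              (rule.column_incl, rule.column_excl, column),
              (rule.comment_incl, rule.comment_excl, comment)]
    return all(_matches(incl, v) and not _matches(excl, v) for incl, excl, v in checks)

def change_rule(rule: ScolRule, **updates: Optional[str]) -> ScolRule:
    """CHANGE semantics: None keeps the stored value, ' ' resets the field to
    (null), any other value overwrites it. Returns a new rule, old one untouched."""
    resolved = {k: (None if v == " " else v) for k, v in updates.items() if v is not None}
    return replace(rule, **resolved)

# Constructed catalog rows (schema, object, column, comment), not real metadata.
CATALOG = [
    ("PSV_TEST_CORE", "CUSTOMER_TAB", "EMAIL", "customer e-mail"),
    ("PSV_TEST_CORE", "CUSTOMER_TAB", "LOAD_TDATE", None),   # column excluded
    ("PSV_TEST_RAW", "CUSTOMER_TAB", "EMAIL", None),         # schema excluded
    ("PSV_TEST_CORE", "CUSTOMER_VIEW", "EMAIL", None),       # object not included
]
# Rule 43 exactly as shown in the first table above.
RULE_43 = ScolRule(43, "PSV_TEST.*", ".*_(RAW|BA)", ".*_TAB", None,
                   ".*", ".*TDATE.*", ".*", None, "scol-test")
```

Running `[r for r in CATALOG if is_sensitive(RULE_43, *r)]` flags only the first row; a default `ScolRule(1)` with all includes at '.*' flags every row, which is the caveat stated in the first paragraph.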