Solving a Data Redaction Mystery — When Data Was Masked Only in the Application!

-

Recently, I encountered an interesting challenge while working with Oracle Data Redaction.

A database user had been granted the following privilege:

GRANT EXEMPT REDACTION POLICY TO APP_SCHEMA;

Naturally, I expected that the redacted data would now appear unmasked everywhere.
But to my surprise — the data was clearly visible in SQL Developer, yet still masked inside the application. ๐Ÿค”

๐Ÿ” Investigating the Behavior

At first glance, this seemed like a strange inconsistency.
If the user APP_SCHEMA already had the EXEMPT REDACTION POLICY privilege, why was the data still masked in the application?

After checking with the client, they mentioned an important detail:

“Our application does not connect directly as APP_SCHEMA — it connects through a connection pool using another database user.”

๐Ÿ’ก That one line changed everything.

๐Ÿง  Understanding What Was Really Happening

Oracle Data Redaction works per database session, not by the logical application user.

Here’s what was actually happening behind the scenes:

  • ๐Ÿง‘‍๐Ÿ’ป SQL Developer connection:
    The session was created directly as APP_SCHEMA.
    → The EXEMPT REDACTION POLICY privilege applied, so the data appeared unmasked.

  • ๐ŸŒ Application connection:
    Sessions were created through a connection pool user (e.g., POOL_USER, WEB_USER, or APP_CONN_USER).
    → This user didn’t have the privilege — so the redaction still applied.

Even though the application logically acted as APP_SCHEMA, the real session user in the database was different.

๐Ÿงพ Verifying the Real Session User

To confirm my suspicion, I executed the following SQL from within the application session:

SELECT SYS_CONTEXT('USERENV','SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV','CURRENT_USER')  AS current_user
FROM dual;

The result revealed the truth — the session was connected using the connection pool user, not APP_SCHEMA.

Mystery solved! ๐Ÿ”

๐Ÿ”ง The Fix

Once the actual connection user was identified, the solution was simple:

GRANT EXEMPT REDACTION POLICY TO APP_CONN_USER;

After restarting the application (to refresh the pool connections), the issue was resolved.
Now the data appeared unmasked both in SQL Developer and in the application. ✅

⚙️ Bonus Tip — Identify Connection Pool Users

To check which users your application sessions are really using, run:

SELECT USERNAME, STATUS, COUNT(*) AS session_count
FROM v$session
WHERE USERNAME IS NOT NULL
GROUP BY USERNAME, STATUS
ORDER BY USERNAME, STATUS;

This quick query helps identify all active sessions and their respective users — perfect for troubleshooting connection pool issues.

✨ Final Thoughts

This experience reminded me of an important Oracle principle:

Privileges in Oracle depend on the actual session user — not the logical application user.

So whenever you notice data redaction behaving differently between tools and applications,
always check who’s actually connecting behind the scenes.

Sometimes, the solution is just one missing grant away. ๐Ÿ˜‰

Comments

Post a Comment

Popular posts from this blog

Enabling Transparent Data Encryption (TDE) in Oracle RAC on ODA with Data Guard – The Correct and Secure Approach

-
Image
Transparent Data Encryption (TDE) is a critical security feature in Oracle Database that protects sensitive data at rest by encrypting datafiles, tablespaces, or specific columns. In modern enterprise environments especially Oracle RAC deployments on Oracle Database Appliance (ODA) with Data Guard TDE implementation must be done carefully to avoid service disruption, Data Guard lag, or wallet inconsistencies. This article walks through the correct, production-safe method to enable TDE with Auto-Login Wallet while ensuring: ·                No exposure of sensitive credentials ·                Consistency across RAC nodes ·                Seamless synchronization with the physical standby   ⚠️ Important: This guide assumes Oracle Database 19c on ODA, RAC Primary, ...
Read more

[FATAL] [DBT-10503] Template file is not specified

-
I faced an error [FATAL] [DBT-10503] Template file is not specified and terminated operation when I was going to create 12c instance in silent mode .   ERROR: [FATAL] [DBT-10503] Template file is not specified.   REASON: This is due to the you are not set the “templateName” in response file.   SOLUTION: Set templateName=General_Purpose.dbc and execute the dbca again   ACTION: 1.        Open the dbca.rsp and set templateName as General_Purpose.dbc 2.        Save the dbca.rsp 3.        Execute the instance create statement again (dbca)
Read more

Resolving ORA-10635 and ORA-39171 Errors During BLOB Tablespace Maintenance

-
Recently, I came across an interesting situation while performing a space management task on one of our databases. The challenge involved a table that contained BLOB data distributed across multiple tablespaces . What seemed like a simple shrink operation ended up turning into a deeper learning experience that I’d like to share. ๐Ÿงฉ Background In this environment, the main table BINARY_ARCHIVE was stored in the MAIN_DATA tablespace. Its BLOB segment was placed separately in the ATTACHMENTS_DATA tablespace to improve performance and manage large object storage efficiently. Additionally, another table called BINARY_OBJECT_LINK maintained a foreign key reference to the BLOB data and resided in the LINK_DATA tablespace. When I attempted to reclaim space from the BLOB segment using the SHRINK SPACE command, Oracle returned the following error. ⚠️ The Error ORA -10635 : Invalid segment or tablespace type 10635. 00000 - " Invalid segment or tablespace type " *Ca...
Read more