0 0
Read Time:1 Minute, 42 Second

During this post we will discuss about the “IS_GRANTED_TO_INVOKER_ROLE” access control property. It Returns TRUE if the role returned by the INVOKER_ROLE function inherits the privileges of the specified role in the argument.

is_granted_to_invoker_role( ‘<string_literal>‘ )

We will be using IS_GRANTED_TO_INVOKER_ROLE property in conjunction with Dynamic Masking. This Role function passed into a masking policy body as part of a condition. When the function evaluates to TRUE, the role in the function argument is in the INVOKER_ROLE hierarchy.

However, To get more clarity on this function, we will implement the below scenario:

For Instance, we have CUSTOMER_DATA table which stores PII information like SSN and Phone.

Customer_Data

As part of this requirement ,PHONE should be masked using Dynamic Masking and IS_GRANTED_TO_INVOKER_ROLE SYSTEM FUNCTION.

Currently we have two Roles in system: REP and FLM. As of now there is no hierarchy among these Roles and will create Masking Policy inside the FLM.

Login to the FLM account :

CREATE OR REPLACE MASKING POLICY CUSTOMER_PII_PHONE

AS (PHN NUMBER) RETURNS NUMBER ->

CASE

when is_granted_to_invoker_role('REP1') then PHN

ELSE '0'

END;

Assign this Policy to CUSTOMER_DATA table on PHONE number column:

ALTER TABLE CUSTOMER_DATA MODIFY COLUMN PHONE SET MASKING POLICY CUSTOMER_PII_PHONE;

Login to FLM and query the table: Phone is mask for FLM.

As REP1 does not belongs to FLM hierarchy and hence Masking Policy moves into the ELSE condition.

Masked Data

Now Grant the Role REP1 — > FLM (via ACCOUNTADMIN)

GRANT ROLE REP1 to ROLE FLM;

Login to FLM and query the table: Phone is visible for FLM.

UnMasked Data

And if we try to query the table via ACCOUNTADMIN, Data would be masked as REP1 is not part of ACCOUNTADMIN in hierarchy.

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Leave a Reply

Your email address will not be published. Required fields are marked *