# Oracle Data Masking — Past Data Redaction's License and Leaks

> Oracle Data Redaction is a paid Advanced Security add-on on Enterprise Edition — and a WHERE predicate still leaks the value while SYSDBA and EXEMPT holders read cleartext. Bytebase governs the query path with role-based masking, approval, and audit across every Oracle deployment, no license required.

Source: https://www.bytebase.com/databases/oracle/data-masking/

---

## Oracle Data Redaction is a paid option. It still leaks the value.

Redaction needs the extra-cost Advanced Security option — and even then, a WHERE predicate leaks the real value to a SELECT-only user, while SYSDBA and EXEMPT holders read cleartext. Bytebase governs the query itself: role-based masking on the read path, with approval and audit, on any Oracle — no license.

Data Redaction is real dynamic masking — but it's a paid option, and it rewrites the result, not the query. The gaps are documented:

### Licensed add-on, EE only

Redaction needs the Advanced Security option, an extra-cost license on Enterprise Edition. Standard and Express get nothing.

### Inference leaks the value

A SELECT-only user can still filter on the redacted column: a query with `WHERE salary BETWEEN 99999 AND 100001` returns a redacted 0 for the salary, but the fact that rows match gives the value away.
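The behaviour described above, modelled as an added example (not Bytebase or Oracle code): the predicate is evaluated on real values while only the projected column is redacted, next to a lexical query-path check that flags filters on redacted columns. It assumes `sqlite3` as a stand-in for Oracle; the `employees` table, its rows, and all function names are constructed for illustration.

```python
import re
import sqlite3

# Assumption: columns carrying a redaction policy (constructed for this example).
REDACTED_COLUMNS = {"salary"}

def make_db():
    """In-memory table with constructed sample rows (sqlite3 stands in for Oracle)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [(1, 100000), (2, 85000), (3, 120000)])
    return conn

def redacted_select(conn, where_sql):
    """Model result-level redaction: the predicate is evaluated on the real
    values, and only the projected salary is replaced with 0 afterwards.
    where_sql stands for the analyst's own ad hoc filter in this model."""
    rows = conn.execute(
        f"SELECT id, salary FROM employees WHERE {where_sql}").fetchall()
    return [(emp_id, 0) for emp_id, _real_salary in rows]

def predicate_columns(where_sql):
    """Identifiers referenced in a WHERE clause, with string literals removed."""
    without_literals = re.sub(r"'(?:[^']|'')*'", "", where_sql)
    return {t.lower()
            for t in re.findall(r"[A-Za-z_][A-Za-z0-9_$#]*", without_literals)}

def redacted_columns_in_predicate(where_sql, user_is_exempt):
    """Query-path check: which redacted columns a non-exempt user filters on.
    A non-empty result means the query should be denied or sent for review."""
    if user_is_exempt:
        return set()
    return predicate_columns(where_sql) & REDACTED_COLUMNS

if __name__ == "__main__":
    conn = make_db()
    probe = "salary BETWEEN 99999 AND 100001"   # the predicate quoted on this page
    print(redacted_select(conn, probe))          # salary shows 0, yet row 1 matched
    print(redacted_columns_in_predicate(probe, user_is_exempt=False))
    print(redacted_columns_in_predicate("id = 2", user_is_exempt=False))
```

The check is lexical only: it does not resolve aliases, views, subqueries, or quoted identifiers, so a production gate would need a real SQL parser.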

### SYSDBA and EXEMPT see cleartext

SYS, SYSDBA, and any holder of EXEMPT REDACTION POLICY bypass every policy. Redaction never applies to the most powerful sessions.

### Exports and backups bypass it

Data Pump (expdp) and RMAN read the table directly — redaction is a query-time transform. A full export is cleartext.

## Govern the query, not just the result.

Queries route through the SQL Editor; Bytebase masks results before they leave it, by who is asking. SYSDBA and EXEMPT REDACTION POLICY on the instance don't bypass the policy, inference becomes an access decision, and there's no add-on to license — one model across Enterprise, Standard, Autonomous, and managed Oracle alike.

Inference is closed on this path, and cleartext is a reviewed, time-bound, audited exemption — not a standing EXEMPT REDACTION POLICY grant. No Advanced Security license required.

### Global Masking Rule

Workspace rules, first match wins. Conditions on environment, project, database, and classification pick the algorithm — full, partial, MD5, range, custom. One rule covers Enterprise, Standard, and Autonomous alike.

### Column Masking

Project-level override for a single column.

### Masking Exemption

Time-bound Query or Export exemptions for named users — service accounts excluded. Every grant logged. Every access logged.

## Same query. Different result by role.

Partial masking on CUSTOMERS.EMAIL and CUSTOMERS.SSN — the table untouched:

```
-- Run in Bytebase SQL Editor as an analyst
SELECT id, email, ssn FROM customers FETCH FIRST 2 ROWS ONLY;

        ID EMAIL                 SSN
---------- --------------------- -------------
         1 a******@example.com   ***-**-4801
         2 m******@example.com   ***-**-2210
```

An exempted investigator runs the same query and sees cleartext. Both reads land in the audit log with per-column masking metadata.

## What this masks — and what it doesn't.

Bytebase masks the through-Bytebase path: SQL Editor queries and approved exports. Your application's direct connection bypasses it, by design — the gateway governs human access.

The pattern is symmetric: native Data Redaction at the database for application traffic, Bytebase on the human query path where approval and audit matter. Pair it with just-in-time access so humans hold no standing credentials.

## Common questions.

### Does Oracle have built-in dynamic data masking?

Yes — Data Redaction, via DBMS_REDACT. But it ships only with the Advanced Security option, an extra-cost license on Enterprise Edition; Standard and Express don't include it. And it redacts the result, not the query: a SELECT-only user can infer values through predicates, and SYSDBA or EXEMPT REDACTION POLICY holders see cleartext.

### Do I need the Advanced Security option for Bytebase masking?

No. Bytebase masks outside the database, so masking works on any Oracle edition — Enterprise, Standard, Express, Autonomous — with no Advanced Security license and no DBMS_REDACT policies to maintain.

### Does masking change the data stored in Oracle?

No. Values transform in the query result, at read time. Data at rest is untouched. Destroying data for lower environments is static masking — Oracle sells a separate Data Masking and Subsetting Pack for that.

### Which Oracle deployments are supported?

Any Oracle database that Bytebase can connect to: on-prem Enterprise, Standard, and Express, Autonomous Database, Database@AWS, @Azure, @Google Cloud, and AWS RDS for Oracle. Masking runs outside the database, so there's no edition or option requirement.

### How does this compare to native Data Redaction?

Data Redaction enforces at the database for every session, but it needs the Advanced Security license, SYSDBA and EXEMPT holders bypass it, predicates leak values, and expdp and RMAN read cleartext. Bytebase enforces on the through-Bytebase path with role-based rules, scoped time-bound exemptions, and audit — no license. They compose: native redaction for application traffic, Bytebase for human query traffic.

