Oracle · Data Masking
Oracle Data Redaction is a paid option. It still leaks the value.
Redaction needs the extra-cost Advanced Security option — and even then, a WHERE predicate leaks the real value to a SELECT-only user, while SYSDBA and EXEMPT holders read cleartext. Bytebase governs the query itself: role-based masking on the read path, with approval and audit, on any Oracle — no license.
Data Redaction is real dynamic masking — but it's a paid option, and it rewrites the result, not the query. The gaps are documented:
Licensed add-on, EE only
Redaction needs the Advanced Security option, an extra-cost license on Enterprise Edition. Standard and Express get nothing.
Inference leaks the value
A SELECT-only user can probe with a predicate: WHERE salary BETWEEN 99999 AND 100001 returns the salary redacted to 0, but the predicate is evaluated against the real value, so the rows that match give it away.
SYSDBA and EXEMPT see cleartext
SYS, SYSDBA, and any holder of EXEMPT REDACTION POLICY bypass every policy. Redaction never applies to the most powerful sessions.
Exports and backups bypass it
Data Pump (expdp) and RMAN read the table directly — redaction is a query-time transform. A full export is cleartext.
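To see who can currently read around redaction on an instance, the bypass paths listed above can be inventoried from the data dictionary. This is an added example, not part of the original page or Bytebase's own code; it assumes a session that can read DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, V$PWFILE_USERS and REDACTION_COLUMNS.

```sql
-- Added audit example: inventory of sessions that Data Redaction does not cover.

-- 1. Every user or role that holds EXEMPT REDACTION POLICY,
--    either granted directly or inherited through a chain of roles.
WITH holders (grantee, via_role, hops) AS (
  -- anchor: direct grants of the system privilege
  SELECT sp.grantee, CAST(NULL AS VARCHAR2(128)), 0
  FROM   dba_sys_privs sp
  WHERE  sp.privilege = 'EXEMPT REDACTION POLICY'
  UNION ALL
  -- recursion: anyone granted a role that already holds it
  SELECT rp.grantee, rp.granted_role, h.hops + 1
  FROM   dba_role_privs rp, holders h
  WHERE  rp.granted_role = h.grantee
)
SELECT h.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       NVL(h.via_role, '(direct grant)')                            AS via_role,
       h.hops,
       u.account_status
FROM   holders h
LEFT   JOIN dba_users u ON u.username = h.grantee
ORDER  BY grantee_type DESC, h.grantee, h.hops;

-- 2. Accounts that can connect AS SYSDBA (password-file users).
SELECT username, sysdba
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE';

-- 3. The columns whose protection depends on the answers above.
SELECT object_owner, object_name, column_name, function_type
FROM   redaction_columns
ORDER  BY object_owner, object_name, column_name;
```

Each USER row from the first query is a standing cleartext path to every column returned by the third; the ROLE rows show which role grants to review, including the export roles used with Data Pump.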
Dynamic data masking in Bytebase
Govern the query, not just the result.
Queries route through the SQL Editor; Bytebase masks results before they leave it, by who is asking. SYSDBA and EXEMPT REDACTION POLICY on the instance don't bypass the policy, inference becomes an access decision, and there's no add-on to license — one model across Enterprise, Standard, Autonomous, and managed Oracle alike.
Global Masking Rule
Workspace rules, first match wins. Conditions on environment, project, database, and classification pick the algorithm — full, partial, MD5, range, custom. One rule covers Enterprise, Standard, and Autonomous alike.
Column Masking
Project-level override for a single column.
Masking Exemption
Time-bound Query or Export exemptions for named users — service accounts excluded. Every grant logged. Every access logged.
Inference is closed on this path, and cleartext is a reviewed, time-bound, audited exemption — not a standing EXEMPT REDACTION POLICY grant. No Advanced Security license required.
What the analyst sees
Same query. Different result by role.
Partial masking on CUSTOMERS.EMAIL and CUSTOMERS.SSN — the table untouched:
-- Run in Bytebase SQL Editor as an analyst
SELECT id, email, ssn FROM customers FETCH FIRST 2 ROWS ONLY;
        ID EMAIL                 SSN
---------- --------------------- -------------
         1 a******@example.com   ***-**-4801
         2 m******@example.com   ***-**-2210
An exempted investigator runs the same query and sees cleartext. Both reads land in the audit log with per-column masking metadata.
Enforcement boundary
What this masks — and what it doesn't.
Bytebase masks the through-Bytebase path: SQL Editor queries and approved exports. Your application's direct connection bypasses it, by design — the gateway governs human access.
The pattern is symmetric: native Data Redaction at the database for application traffic, Bytebase on the human query path where approval and audit matter. Pair it with just-in-time access so humans hold no standing credentials.
Oracle data masking questions
Common questions.
- Does Oracle have built-in dynamic data masking?
- Yes — Data Redaction, via DBMS_REDACT. But it ships only with the Advanced Security option, an extra-cost license on Enterprise Edition; Standard and Express don't include it. And it redacts the result, not the query: a SELECT-only user can infer values through predicates, and SYSDBA or EXEMPT REDACTION POLICY holders see cleartext.
- Do I need the Advanced Security option for Bytebase masking?
- No. Bytebase masks outside the database, so masking works on any Oracle edition — Enterprise, Standard, Express, Autonomous — with no Advanced Security license and no DBMS_REDACT policies to maintain.
- Does masking change the data stored in Oracle?
- No. Values transform in the query result, at read time. Data at rest is untouched. Destroying data for lower environments is static masking — Oracle sells a separate Data Masking and Subsetting Pack for that.
- Which Oracle deployments are supported?
- Any Oracle Bytebase can connect to — on-prem Enterprise, Standard, and Express, Autonomous Database, Database@AWS, @Azure, @Google Cloud, and AWS RDS for Oracle. Masking runs outside the database, so there's no edition or option requirement.
- How does this compare to native Data Redaction?
- Data Redaction enforces at the database for every session, but it needs the Advanced Security license, SYSDBA and EXEMPT holders bypass it, predicates leak values, and expdp and RMAN read cleartext. Bytebase enforces on the through-Bytebase path with role-based rules, scoped time-bound exemptions, and audit — no license. They compose: native redaction for application traffic, Bytebase for human query traffic.