We have a requirement like this: User1 loads a jsp page say Client Screen with credit card information, in that screen the card number shall be masked.
But another user say user2 with higher privilege (say admin), loads the same Client Screen then he should see the exact card number.
To implement this, was thinking to use the concept of Oracle 12C dbms_redact.add_policy.
But the web application, uses only one userId (in the web.xml, the entire application connect to DB by one user) to connect the Oracle. So, to apply different masking policy, do I need to add another user in web.xml, and web application shall be configured to dynamically connect with different userId, to achieve the above requirement?
Is there any other way to achieve it in more elegant way?
Oracle redaction policies can look at SYS_CONTEXT values, so perhaps you can set one based on the user's privileges when they authenticate?