in order to return text in the place of not null, you’d have to create a view over top of the table to change null into the static literal you wanted, as the only option in VPD would be to hide the rows or set the secret columns to NULL.

for your second part of your question, if you are using that check to determine who has access to the sensitive columns, you can use a role instead and have the VPD function check this like:

return 'exists (select null from session_roles where role = ''XXXXXX'')';

i.e. whomever has the role XXXXXX (just create an appropriate role and grant it to your privileged users) set in their session can see the data. That way you don’t need to hard code a bunch of user ids.

e.g:

if we create a role and grant it to a test user:

SQL> create role ACCESS_TABLEA_SEC_COL;

Role created.

SQL> grant ACCESS_TABLEA_SEC_COL to test;

Grant succeeded.

for my set up ive created a simple test table + a policy that stops people reading the your_sec_col column.

SQL> create or replace package pkg_security_control
  2  as
  3    function apply_access(p_owner in varchar2, p_obj_name  in  varchar2) return varchar2;
  4  end;
  5  /

Package created.

SQL> create or replace package body pkg_security_control
  2  as
  3    function apply_access(p_owner in varchar2, p_obj_name  in  varchar2)
  4      return varchar2
  5    is
  6    begin
  7      return 'exists (select null from session_roles where role = ''ACCESS_TABLEA_SEC_COL'')';
  8    end;
  9  end;
 10  /

Package body created.

SQL> create table TABLEA
  2  (
  3    id number primary key,
  4   your_sec_col  varchar2(30)
  5  );

Table created.

SQL> insert into tablea values (1, 'secret text1');

1 row created.

SQL> insert into tablea values (2, 'secret text2');

1 row created.

now if we select from that table and we don’t have the ACCESS_TABLEA_SEC_COL role, we’d get:

SQL> select *
  2    from tablea;

        ID YOUR_SEC_COL
---------- ------------------------------
         1
         2

but you want a string like xxxxx. VPD itself cannot do this, but a view could decode NULL to that string.

SQL> create view v_tablea
  2  as
  3  select id, case when your_sec_col is null then 'xxxxxx' else your_sec_col end your_sec_col
  4    from TABLEA;

View created.

now selecting from the view will , depending on whether the role is set:

SQL> set role none;

Role set.

SQL> select *
  2    from tablea;

        ID YOUR_SEC_COL
---------- ------------------------------
         1
         2

SQL> select *
  2    from v_tablea;

        ID YOUR_SEC_COL
---------- ------------------------------
         1 xxxxxx
         2 xxxxxx

SQL> set role all;

Role set.

SQL> select *
  2    from v_tablea;

        ID YOUR_SEC_COL
---------- ------------------------------
         1 secret text1
         2 secret text2

SQL> select *
  2    from tablea;

        ID YOUR_SEC_COL
---------- ------------------------------
         1 secret text1
         2 secret text2

so VPD still protects your table against anyone selecting from it, but you’d have clients select from the view to get the literal string instead. If your protected strings can contain NULL, and you want to differentiate those from no access, you can put the role check in the view instead.

create view v_tablea
as
select id, 
       case (select 'A' from session_roles where role = 'ACCESS_TABLEA_SEC_COL') 
         when 'A' then your_sec_col else 'xxxxxxxx' end your_sec_col
  from TABLEA;