White Paper: Just-in-Time Database Access Best Practices

Masking Exemption

Masking precedence: Masking Exemption > Global Masking Rule > Column Masking.

Certain roles can grant masking exemption to the users to access the unmasked data:

  • Built-in roles: Workspace Admin, DBA, Project Owner.
  • Custom roles: bb.policies.create, bb.policies.update, bb.policies.delete.

To grant masking exemption:

  1. Go to the project, click Manage > Masking Exemptions.

  2. Click Grant Exemption. You can grant either Export or Query exemption.

  3. Select the user/groups and the database/table, and click Confirm.

    bb-grant-exemption

You can't grant masking exemption to the service account. Because the intended use is to exempt human users from the masking policy when they query from SQL Editor.

Edit this page on GitHub