Dynamic Data Masking
Dynamic Data Masking (DDM) can mask sensitive data in the SQL Editor query result based on the context. It helps organizations to protect sensitive data from being exposed to unauthorized users.
You can configure the masking policies from UI or via API. Check out this GitOps example to see how to codify the masking policies.
Configure Dynamic Data Masking
-
Workspace-level admins configure the Global Masking Rule, Semantic Types, and Masking Algorithm.
-
Project-level owners configure the Column Masking on the table column. This is only needed when the global masking rule is not applicable to a particular project.
-
Workspace-level admins or project-level owners grant Masking Exemption to the users to access the unmasked data.
Determine whether to mask data
Masking precedence
-
Masking Exemption. If user has been granted exemption, the data will not be masked.
-
Global Masking Rule. If no exemption is granted, the global masking rule will be applied.
-
Column Masking. If no global masking rule is configured, the column masking will be applied.
Masking algorithm
The global masking rule and column masking are both mapped to the Semantic Types. The semantic type determines the masking algorithm.
Masking propagation
When a column in a database table is masked, the masking effect is infectious in the sense that it propagates to any views or derived structures that depend on that column. This ensures that the protection applied to the underlying data is consistently enforced, even when accessed through alternative pathways like views.