How to Configure Dynamic Data Masking

This feature is available in Enterprise Plan.
Estimated: 30 mins

Bytebase Dynamic Data Masking can mask sensitive data in the query result based on the context on the fly. It helps organizations to protect sensitive data from being exposed to unauthorized users.

This tutorial covers configuration via the UI console. You can also codify the masking policies; check out this sample.

Prerequisites

  • Docker
  • Bytebase Enterprise plan, you can request a free trial here

Preparation

  1. Make sure Docker is running, then start the Bytebase Docker container with the following command:

    docker run --rm --init \
      --name bytebase \
      --publish 8080:8080 --pull always \
      --volume ~/.bytebase/data:/var/opt/bytebase \
      bytebase/bytebase:3.3.0
  2. Once Bytebase is running in Docker, visit it at localhost:8080. Register an admin account; it will be granted the workspace admin role automatically.

  3. Acquire the Enterprise license. Enter Instances on the left. Select both instances to Assign License.

No Masking

Enter SQL Editor on top right. Without any worksheet open (no tab page open on top), click Connect to a database or Select a database to start.

Choose database hr_prod under Prod Sample Instance within the Connection detail page. Run SELECT * FROM employee; and you'll see the result without any masking.

Run the same query against database hr_test; the result is the same.

Global Masking Rule

You may want to batch apply masking settings. Use Global Masking Rule to achieve this.

For example, here we'll mask all the birth_date columns in all tables.

  1. Within Workspace, enter Security & Policy > Data Masking on the left. Click Add at the top right of the Global Masking Rule page.

  2. Name the rule "birth_date should be masked", select Column name, ==. Fill birth_date in the input box, and Confirm.

  3. Go back to SQL Editor. Run SELECT * FROM employee; within hr_prod again. You'll see that birth_date is masked. The result within hr_test is the same.

For a more organized and hierarchical global masking management, check Data Classification.

Export data with masked columns

Exported data is masked in the same way as query results.

  1. Stay on the SQL Editor after querying, and click Export.

  2. Fill in the number of rows to export, choose the format, and click Confirm. The file will start downloading.

  3. Open the downloaded file; you'll see that birth_date is masked.
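
To check an export without reading it by eye, the script below scans an exported CSV for cells in sensitive columns that still look like raw values. It is an added example, not part of Bytebase or this tutorial; the CSV layout, the sample rows, the `******` mask rendering, and the assumption that an unmasked birth_date looks like YYYY-MM-DD are all constructed for illustration.

```python
import csv
import io
import re

# Assumption: what an UNMASKED value looks like in each sensitive column.
# Matching the raw shape avoids depending on how the mask is rendered.
RAW_PATTERNS = {"birth_date": re.compile(r"\d{4}-\d{2}-\d{2}")}

# Constructed sample exports (not real Bytebase output).
MASKED_EXPORT = """emp_no,birth_date,first_name,hire_date
10001,******,Georgi,1986-06-26
10002,******,Bezalel,1985-11-21
"""
UNMASKED_EXPORT = """emp_no,birth_date,first_name,hire_date
10001,1953-09-02,Georgi,1986-06-26
10002,,Bezalel,1985-11-21
"""


def audit_export(csv_text, raw_patterns=RAW_PATTERNS):
    """Return (leaks, unverified) for an exported CSV.

    leaks: (line_number, column, value) for each cell that still looks raw.
    unverified: sensitive columns missing from the header, so nothing was
    checked for them (e.g. the column was renamed or aliased in the query).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    unverified = sorted(c for c in raw_patterns if c not in header)
    leaks = []
    for row in reader:
        for column, pattern in raw_patterns.items():
            value = (row.get(column) or "").strip()
            # Empty cells (NULLs) carry no data to leak; skip them.
            if value and pattern.fullmatch(value):
                leaks.append((reader.line_num, column, value))
    return leaks, unverified


if __name__ == "__main__":
    for name, text in [("masked", MASKED_EXPORT), ("unmasked", UNMASKED_EXPORT)]:
        leaks, unverified = audit_export(text)
        print(name, "leaks:", leaks, "unverified:", unverified)
```

hire_date is also a date but is not in the pattern map, so it is not flagged; only columns you declare sensitive are checked.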

Column Masking Rule

If you want to mask a specific column in a specific table, you can use Column Masking Rule.

  1. Enter Database > Databases within Sample Project. Choose table salary of database hr_prod.

  2. Click the pencil icon by Masking level in the amount row, then choose Full for Masking level on the Setting detail page.

  3. Go back to SQL Editor. Run SELECT * FROM salary; within hr_prod. You'll see that amount is masked.

    Switch to database hr_test and run the same command; amount will appear unmasked.

Grant unmasked access to a user

You can reveal masked data to a specific user by granting unmasked access.

  1. Locate the column, click the pencil icon by Masking level in the amount row, then Grant Access. Select the user and Confirm.

  2. Log in as the granted user. Run SELECT * FROM salary; within database hr_prod in SQL Editor. The amount data is shown unmasked.
