How to Configure Dynamic Data Masking
Bytebase Dynamic Data Masking can mask sensitive data in the query result based on the context on the fly. It helps organizations to protect sensitive data from being exposed to unauthorized users.
Prerequisites
Preparation
-
Make sure your Docker is running, and start the Bytebase Docker container with command:
-
Having Bytebase successfully running in Docker, visit it via
localhost:8080
. Register an admin account and it will be granted theworkspace admin
role automatically. -
Acquire the Enterprise license. Enter Instances on the left. Select both instances to Assign License.
No Masking
Enter SQL Editor on top right. Without any worksheet open (no tab page open on top), click Connect to a database or Select a database to start.
Choose database hr_prod
under Prod Sample Instance
within the Connection detail page. Run SELECT * FROM employee;
, you'll see the following result without any masking.
Run the same query against database hr_test
, the result is the same.
Global Masking Rule
You may want to batch apply masking settings. Use Global Masking Rule to achieve this.
Here for example, we'll mask all the birth_date
columns in all tables.
-
Within Workspace, enter Security & Policy > Data Masking on the left. Click Add on top right of
Global Masking Rule
page. -
Name the rule as
birth_date should be masked
, selectColumn name
,==
. Fillbirth_date
in the input box, and Confirm. -
Go back to SQL Editor. Run
SELECT * FROM employee;
withinhr_prod
again. You'll see thebirth_date
is masked. Result withinhr_test
is the same.
For a more organized and hierarchical global masking management, check Data Classification.
Export data with masked columns
Exported data is masked in the same way as query results.
-
Stay on the SQL Editor after querying, and click Export.
-
Fill in the export rows number, choose the format and click Confirm. The file will start downloading.
-
Open the downloaded file, you'll see the
birth_date
is masked.
Column Masking Rule
If you want to mask a specific column in a specific table, you can use Column Masking Rule.
-
Enter Database > Databases within
Sample Project
. Choose tablesalary
of databasehr_prod
. -
Click the pencil icon by
Masking level
of rowamount
, chooseFull
for Masking level in Setting detail page. -
Go back to SQL Editor. Run
SELECT * FROM salary;
withinhr_prod
. You'll seeamount
been masked.Switch to database
hr_test
to run the same command,amount
will appear not masked.
Grant unmasked access to a user
You can reveal masked data to a specific user by granting unmasked access.
-
Locate the column and click the pencil icon by
Masking level
of rowamount
, Grant Access. Select the user and Confirm. -
Login as the granted user. Run
SELECT * FROM salary;
within databasehr_prod
in SQL Editor.amount
data is shown as unmasked.