Users with certain roles can grant masking exemptions that let other users access the unmasked data:
  • Built-in roles: Workspace Admin, DBA, Project Owner.
  • Custom roles that include the permissions bb.policies.create, bb.policies.update, bb.policies.delete.
To grant a masking exemption:
  1. Go to the project, click Manage > Masking Exemptions.
  2. Click Grant Exemption. You can grant either Export or Query exemption.
  3. Select the user/groups and the database/table, and click Confirm.
You can’t grant a masking exemption to a service account, because the intended use is to exempt human users from the masking policy when they query from SQL Editor.