Tutorial: Step-by-Step Guide to Data Masking

 bb-masking-overview Dynamic Data Masking (DDM) can mask sensitive data in the SQL Editor query result based on the context. It helps organizations to protect sensitive data from being exposed to unauthorized users.
You can configure the masking policies from UI or via API. Check out this GitOps example to see how to codify the masking policies.

Configure Dynamic Data Masking

Determine whether to mask data

bb-masking-detail

Masking precedence

  1. Masking Exemption. If user has been granted exemption, the data will not be masked.
  2. Global Masking Rule. If no exemption is granted, the global masking rule will be applied.
  3. Column Masking. If no global masking rule is configured, the column masking will be applied.

Masking algorithm

The global masking rule and column masking are both mapped to the Semantic Types. The semantic type determines the masking algorithm.

Masking propagation

When a column in a database table is masked, the masking effect is infectious in the sense that it propagates to any views or derived structures that depend on that column. This ensures that the protection applied to the underlying data is consistently enforced, even when accessed through alternative pathways like views.