Overview - Bytebase Docs

Tutorial: Step-by-Step Guide to Data Masking

Dynamic Data Masking (DDM) can mask sensitive data in the SQL Editor query result based on the context. It helps organizations to protect sensitive data from being exposed to unauthorized users.

You can configure the masking policies from UI or via API. Check out this GitOps example to see how to codify the masking policies.

Configure Dynamic Data Masking

Workspace-level admins configure the Global Masking Rule, Semantic Types, and Masking Algorithm.
Project-level owners configure the Column Masking on the table column. This is only needed when the global masking rule is not applicable to a particular project.
Workspace-level admins or project-level owners grant Masking Exemption to the users to access the unmasked data.

Determine whether to mask data

Masking precedence

Masking Exemption. If user has been granted exemption, the data will not be masked.
Global Masking Rule. If no exemption is granted, the global masking rule will be applied.
Column Masking. If no global masking rule is configured, the column masking will be applied.

Masking algorithm

The global masking rule and column masking are both mapped to the Semantic Types. The semantic type determines the masking algorithm.

Masking propagation

When a column in a database table is masked, the masking effect is infectious in the sense that it propagates to any views or derived structures that depend on that column. This ensures that the protection applied to the underlying data is consistently enforced, even when accessed through alternative pathways like views.

SQL Editor

Database Permission

Dynamic Data Masking

Tutorial: Step-by-Step Guide to Data Masking

​Configure Dynamic Data Masking

​Determine whether to mask data

​Masking precedence

​Masking algorithm

​Masking propagation

Configure Dynamic Data Masking

Determine whether to mask data

Masking precedence

Masking algorithm

Masking propagation