Bytebase Dynamic Data Masking can mask sensitive data in the query result based on the context on the fly. It helps organizations to protect sensitive data from being exposed to unauthorized users.
This tutorial covers configuration via UI console. You can also codify the masking policies, check out this sample.
Make sure your Docker is running, and start the Bytebase Docker container with command:
Having Bytebase successfully running in Docker, visit it via localhost:8080
. Register an admin account and it will be granted the workspace admin
role automatically.
Acquire the Enterprise license. Enter Instances on the left. Select both instances to Assign License.
Enter SQL Editor on top right. Without any worksheet open (no tab page open on top), click Connect to a database or Select a database to start.
Choose database hr_prod
under Prod Sample Instance
within the Connection detail page. Run SELECT * FROM employee;
, you’ll see the following result without any masking.
Semantic type is a way to classify data into different categories. You may apply them to columns to apply the same masking rule.
There are two ways to apply the semantic type and its masking algorithm:
As a project owner, you may want to apply the semantic type to a column, usually it’s a column that you want to mask on production environment.
Go into the project Sample Project
, and click database hr_prod
.
Go into the employee
table, and set the birth_date
column to apply the birth_date
semantic type.
Go back to SQL Editor, run SELECT * FROM employee;
within hr_prod
. You’ll see the birth_date
is masked based on the masking algorithm.
As a DBA, you may want to batch apply masking settings. Use Global Masking Rule to achieve this.
Enter Data Access > Semantic Types, click Use Predefined Type.
Add the predefined type Default
.
Enter Data Access > Global Masking Rule, click Add.
Here define a global masking rule to mask all the birth_date
columns in all tables on production environment with semantic type Default
, and click Confirm.
Go back to SQL Editor, run SELECT * FROM employee;
within hr_prod
. You’ll see the birth_date
is masked.
You may also notice that the global masking rule take precedence over the column masking rule.
Exported data is masked in the same way as query results.
Stay on the SQL Editor after querying, and click Export.
Fill in the export rows number, choose the format and click Confirm. The file will start downloading.
Open the downloaded file, you’ll see the birth_date
is masked.
You can reveal masked data to a specific user by granting masking exemption.
Go into the project Sample Project
, and click Manage > Masking Exemptions.
Grant exemption to the user and click Confirm.
Go back to SQL Editor, run SELECT * FROM employee;
within database hr_prod
. You’ll see the birth_date
is unmasked.
If you export the data, the birth_date
is also unmasked.
Bytebase Dynamic Data Masking can mask sensitive data in the query result based on the context on the fly. It helps organizations to protect sensitive data from being exposed to unauthorized users.
This tutorial covers configuration via UI console. You can also codify the masking policies, check out this sample.
Make sure your Docker is running, and start the Bytebase Docker container with command:
Having Bytebase successfully running in Docker, visit it via localhost:8080
. Register an admin account and it will be granted the workspace admin
role automatically.
Acquire the Enterprise license. Enter Instances on the left. Select both instances to Assign License.
Enter SQL Editor on top right. Without any worksheet open (no tab page open on top), click Connect to a database or Select a database to start.
Choose database hr_prod
under Prod Sample Instance
within the Connection detail page. Run SELECT * FROM employee;
, you’ll see the following result without any masking.
Semantic type is a way to classify data into different categories. You may apply them to columns to apply the same masking rule.
There are two ways to apply the semantic type and its masking algorithm:
As a project owner, you may want to apply the semantic type to a column, usually it’s a column that you want to mask on production environment.
Go into the project Sample Project
, and click database hr_prod
.
Go into the employee
table, and set the birth_date
column to apply the birth_date
semantic type.
Go back to SQL Editor, run SELECT * FROM employee;
within hr_prod
. You’ll see the birth_date
is masked based on the masking algorithm.
As a DBA, you may want to batch apply masking settings. Use Global Masking Rule to achieve this.
Enter Data Access > Semantic Types, click Use Predefined Type.
Add the predefined type Default
.
Enter Data Access > Global Masking Rule, click Add.
Here define a global masking rule to mask all the birth_date
columns in all tables on production environment with semantic type Default
, and click Confirm.
Go back to SQL Editor, run SELECT * FROM employee;
within hr_prod
. You’ll see the birth_date
is masked.
You may also notice that the global masking rule take precedence over the column masking rule.
Exported data is masked in the same way as query results.
Stay on the SQL Editor after querying, and click Export.
Fill in the export rows number, choose the format and click Confirm. The file will start downloading.
Open the downloaded file, you’ll see the birth_date
is masked.
You can reveal masked data to a specific user by granting masking exemption.
Go into the project Sample Project
, and click Manage > Masking Exemptions.
Grant exemption to the user and click Confirm.
Go back to SQL Editor, run SELECT * FROM employee;
within database hr_prod
. You’ll see the birth_date
is unmasked.
If you export the data, the birth_date
is also unmasked.