Mask Action

The Mask action rewrites the SELECT request. The Mask action uses a masking function to define how the Rule Engine rewrites the SELECT request.
The Rule Engine uses regular expression matching to verify whether the SQL statement contains sensitive object names. If a table name match occurs, the Rule Engine parses the SQL statement to identify select lists, which include the columns, aliases, objects, and inline queries. Based on the column names, objects, and mask functions you specify in the masking rule, Dynamic Data Masking rewrites the incoming SELECT request and changes the select list accordingly.
For masking functions, use the `\(col)` and `\(alias)` regular expressions to identify columns. For example, if you want to mask all columns that include a Social Security number, you can identify columns that you want to mask as `.*SSN.*`. The Mask rule action can include different column names, but you must define the Mask rule action only once. The Mask rule action might be `substring(\(col),1,2)||'xxxx'`.
The following table describes the Mask action parameters:

| Parameter | Description |
|---|---|
| Table name | Defines the table name used in the statement request. |
| Column name | Defines the column name used in the statement request. |
| Masking function | Defines how the Rule Engine masks the select list. Use SQL functions to define the masking function. |
| Keep original number of rows | Preserves the original number of rows in the masked output. Select Keep original number of rows if the query contains the DISTINCT operator or a GROUP BY, HAVING, or ORDER BY clause and you want the output to contain the same number of rows as the original data set. Default is unchecked and the original number of rows is not preserved. |
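
The select-list rewrite and the row-count effect described above, modelled in Python as an added example (not Informatica's code or the Rule Engine's implementation). A simplified rewriter for single-table SELECTs substitutes `\(col)` and `\(alias)` in the masking function, then a DISTINCT query runs against constructed sample rows to show how masked values can collapse into fewer rows than the original data set. The function names, the `employees` table, the `AS alias` output convention, and the sample data are assumptions.

```python
import re
import sqlite3

MASK_FN = r"substring(\(col),1,2)||'xxxx'"   # masking function from the text
SAMPLE_ROWS = [("Ann", "123-45-6789"),       # constructed sample data
               ("Bob", "123-99-0000"),
               ("Cy", "987-65-4321")]

def rewrite_select(sql, table_rx, column_rx, mask_fn):
    """Toy model of a Mask action for simple single-table SELECTs."""
    m = re.match(r"(?is)\s*select\s+(distinct\s+)?(.*?)\s+from\s+(\w+)(.*)", sql)
    if not m or not re.fullmatch(table_rx, m.group(3), re.I):
        return sql                      # no sensitive table: pass through
    distinct, select_list, table, rest = m.groups()
    items = []
    for item in select_list.split(","):
        parts = re.split(r"\s+as\s+", item.strip(), flags=re.I)
        col, alias = parts[0], parts[-1]   # alias defaults to the column name
        if re.fullmatch(column_rx, col, re.I):
            expr = mask_fn.replace(r"\(col)", col).replace(r"\(alias)", alias)
            items.append(f"{expr} AS {alias}")   # assumed: keep the output name
        else:
            items.append(item.strip())
    head = "SELECT DISTINCT " if distinct else "SELECT "
    return f"{head}{', '.join(items)} FROM {table}{rest}"

def demo_row_counts():
    """Return (rows before masking, rows after masking, rewritten SQL)."""
    conn = sqlite3.connect(":memory:")
    # Register substring() so the example does not depend on the SQLite build.
    conn.create_function("substring", 3, lambda s, i, n: s[i - 1:i - 1 + n])
    conn.execute("CREATE TABLE employees (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    original = "SELECT DISTINCT ssn FROM employees"
    masked = rewrite_select(original, "employees", ".*SSN.*", MASK_FN)
    before = len(conn.execute(original).fetchall())
    after = len(conn.execute(masked).fetchall())
    conn.close()
    return before, after, masked

if __name__ == "__main__":
    print(demo_row_counts())
```

Two of the three constructed SSNs share the prefix `12`, so the masked DISTINCT query returns two rows where the unmasked query returns three.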