To mask XML type data in a result set, create three security rule sets.
The first and second rule sets are similar to result set masking for numeric, string, and date data types. The first rule set contains a rule that identifies the procedure call as a valid procedure call with a result set that you want to mask. Although you can use the Procedure Call matcher and provide the name of a stored procedure, you can also use other types of matchers in this rule, for example the From Clause or Text matcher. You cannot, however, use the Any matcher in this rule set. The matcher that you use works at the level of the SQL query. Use the Process Result action to specify the name of the second rule set that you create.
The second rule set that you create again contains the rule that identifies the column that contains the XML data that you want to mask. You must know and provide the name of the column that contains the XML data. When you configure the action for this rule, you select the Content Masking action. The Content Masking action specifies the final rule set that you create. If you want to mask multiple columns in a result set that contain XML data, you can define individual rule sets for each column. Similar to result set masking for string, numeric, and date data types, the second rule set for XML masking must also contain a final rule that includes the Apply Masking action. Without the final rule that includes the Apply Masking action, the result set is not masked.
The final rule set that you create for XML masking, which is specified in the previous rule set when you select the Content Masking action, contains rules that directly process the XML data itself and not the result set. For XML data type masking, you select the Masking action, the String data type, and a masking type. When you create these rules, use the Metadata matcher and select "XPath" as the content type. In the Text box under XPath, give a path that points to the XML element that you want to match. For example, if you give the following XPath:
, then all of the Name elements that match this XPath will be masked using the action that you select in the rule. You cannot use "text()" after the element to be masked in the XPath. For example, if you give the XPath as "
, the Name element will not be masked.
Similar to the second rule set that you created, the final rule set for XML masking must also contain a final rule that includes the Apply Masking action. Without the final rule that includes the Apply Masking action, the result set is not masked.
Dynamic Data Masking does not mask CDATA that is part of the XML data in the result set. Dynamic Data Masking also does not support result set masking for binary XML format, which is used by some Microsoft SQL Server clients.