What is Dynamic Data Masking and how do we enable it in SQL Server

What is Dynamic Data Masking and how do we enable it in SQL Server
What is Dynamic Data Masking and how do we enable it in SQL Server

In this article we will analyze what it is Dynamic Data Masking and what options do we have for its use in SQL Server.

Dynamic Data Masking is a function whose purpose is to hide sensitive data from the results of a query.

It does not require the change in the application code and does not modify the data stored in the database, which means that it is not an encryption solution but it prevents users who shouldn't have access to that data from seeing it.

To activate it we will have to run Data Definition Language statements that will modify each field of the table by adding the corresponding mask that will hide them.

Depending on the mask we use we can hide all characters or some.

We will see detailed examples with the options we have below.

The example

For our example we will make a table with four customers. We will also create a user that will have right select in this table.

create table pelates(
	id int identity(1,1),
	onoma varchar(100),
	epitheto varchar(100),
	tilefono varchar(100),
	email varchar(100));


insert into pelates values
('Stratos','Matzouranis','2101234567','matzouranis@dokimi.com'),
('Iwanna','Iwannidou','2109852157','iwannidou@dokimi.com'),
('Giwrgos','Gewrgiou','2251011111','gewrgiou@dokimi.com'),
('Laertis','Rwmanos','2310124598','rwmanos@dokimi.com');


create user "xristis" without login;
grant select on pelates to "xristis";

Since we have made them if we do select the table as this user, we will see that it sees all the data normally.

execute as user = 'xristis';
select * from pelates;
revert;
What is Dynamic Data Masking and how do we enable it in SQL Server

The options of masking rules

As we mentioned before there are many different masking functions, let's see some examples for our case applying masking to all fields.

Email masking

With the email masking only the first character and the domain suffix are displayed.

alter table pelates
alter column email add masked with (function='email()');
What is Dynamic Data Masking and how do we enable it in SQL Server

Default masking

With the default masking all characters in the field are hidden.

alter table pelates
alter column tilefono add masked with (function='default()');
What is Dynamic Data Masking and how do we enable it in SQL Server

Partial masking

By using it partial masking we can choose how many characters will be displayed from the beginning and the end and with which character the rest will be hidden.

Let's say that in the last name we want to display the first two characters and the last, while in between there are "xxxx" in place of the real elements, then in this case we would have to run the following:

alter table pelates
alter column epitheto add masked with (function='partial(2,"xxxxx",1)');
What is Dynamic Data Masking and how do we enable it in SQL Server

Accordingly, if we wanted only the first character to appear and nothing else, we would run the following:

alter table pelates
alter column onoma add masked with (function='partial(1,"xxxx",0)');
What is Dynamic Data Masking and how do we enable it in SQL Server

Random masking

With the random masking we set a random number to appear in place of the real one. In order for it to work, we must have defined the limits it will have, e.g. from the number 1 to 99,999.

alter table pelates
alter column id add masked with (function='random(1,99999)');
What is Dynamic Data Masking and how do we enable it in SQL Server

What to watch out for in Dynamic Data Masking

Since, as we said, Dynamic Data Masking is applied to the results of the data and not to the actual data, there are some limitations.

We should know that if a user who does not have right goes unmask to look for records that meet some criteria will show them, simple results will be masked.

Because of this, a user can guess field values and find out the number of records that meet them.

execute as user = 'xristis';
select * from pelates where onoma = 'Stratos'
revert;
What is Dynamic Data Masking and how do we enable it in SQL Server

How do we give the right to a user to see the data

By right unmask we can give some user can see the real data.

grant unmask to "xristis";
--revoke unmask to "xristis";
What is Dynamic Data Masking and how do we enable it in SQL Server

How to remove Dynamic Data Masking

If e.g. we would like to remove the masking from the email column we should drop the mask as below:

alter table pelates
alter column email drop masked;
What is Dynamic Data Masking and how do we enable it in SQL Server

Finally, in order to be able to add or remove a mask from a field, one must have the right ALTER ANY MASK.

Sources:

Share it

Leave a reply