Dynamic Data Masking

This feature is available in Enterprise Plan.

bb-masking-overview

Dynamic Data Masking (DDM) can mask sensitive data in the SQL Editor query result based on the context. It helps organizations to protect sensitive data from being exposed to unauthorized users.

You can configure the masking policies from UI or via API. Check out this GitOps example to see how to codify the masking policies.

How Dynamic Masking works

Bytebase dynamic masking transforms the original column data to the masked form in 2 steps:

  1. Determine the effective column masking level

  2. Determine the masking algorithm according to the masking level

Determine the effective column masking level

Bytebase defines 3 masking levels: No Masking, Partial Masking, Full Masking.

masking-level

The effective column masking level is determined by the inherent column masking level and the user access grant.

Inherent Column Masking LevelUser Access GrantEffective Column Masking Level
No MaskingNo MaskingNo Masking
Partial MaskingNo Masking
Partial MaskingNo MaskingNo Masking
Partial MaskingPartial Masking
Full MaskingNo MaskingNo Masking
Partial MaskingPartial Masking

Determine the masking algorithm

Once the masking level is determined, the next step is to determine the corresponding masking algorithm.

masking-algorithm

Bytebase provides the default masking algorithm for Partial Masking and Full Masking:

  • Partial Masking. Use * to cover the start and end of the text.
  • Full Masking. Use * to cover all text.

You can also customize the masking algorithm and specify it on the column.

Further, if you want to manage masking algorithms for different column categories, you can use Semantic Types.

Edit this page on GitHub

Subscribe toΒ Newsletter

By subscribing, you agree with Bytebase's Terms of Service and Privacy Policy.