How to Configure Dynamic Data Masking

Bytebase Dynamic Data Masking can mask sensitive data in the query result based on the context on the fly. It helps organizations to protect sensitive data from being exposed to unauthorized users.

Prerequisites#

• Docker
• Bytebase Enterprise plan, you can request a free trial here

Preparation#

1. Make sure your Docker is running, and start the Bytebase Docker container with command:

   docker run --rm --init \
     --name bytebase \
     --publish 8080:8080 --pull always \
     --volume ~/.bytebase/data:/var/opt/bytebase \
     bytebase/bytebase:2.23.1

2. Having Bytebase successfully running in Docker, visit it via localhost:8080. Register an admin account and it will be granted the workspace admin role automatically.

3. Acquire the Enterprise license. Enter Instances on the left. Select both instances to Assign License.

No Masking#

Enter SQL Editor on top right. Without any worksheet open (no tab page open on top), click Connect to a database or Select a database to start.

Choose database hr_prod under Prod Sample Instance within the Connection detail page. Run SELECT * FROM employee;, you'll see the following result without any masking.

Run the same query against database hr_test, the result is the same.

Global Masking Rule#

You may want to batch apply masking settings. Use Global Masking Rule to achieve this.

Here for example, we'll mask all the birth_date columns in all tables.

1. Within Workspace, enter Security & Policy > Data Masking on the left. Click Add on top right of Global Masking Rule page.

2. Name the rule as birth_date should be masked, select Column name, ==. Fill birth_date in the input box, and Confirm.

3. Go back to SQL Editor. Run SELECT * FROM employee; within hr_prod again. You'll see the birth_date is masked. Result within hr_test is the same.

For a more organized and hierarchical global masking management, check Data Classification.

Export data with masked columns#

Exported data is masked in the same way as query results.

1. Stay on the SQL Editor after querying, and click Export.

2. Fill in the export rows number, choose the format and click Confirm. The file will start downloading.

3. Open the downloaded file, you'll see the birth_date is masked.

Column Masking Rule#

If you want to mask a specific column in a specific table, you can use Column Masking Rule.

1. Enter Database > Databases within Sample Project. Choose table salary of database hr_prod.

2. Click the pencil icon by Masking level of row amount, choose Full for Masking level in Setting detail page.

3. Go back to SQL Editor. Run SELECT * FROM salary; within hr_prod. You'll see amount been masked.

   Switch to database hr_test to run the same command, amount will appear not masked.

   

Grant unmasked access to a user#

You can reveal masked data to a specific user by granting unmasked access.

1. Locate the column and click the pencil icon by Masking level of row amount, Grant Access. Select the user and Confirm.

   

2. Login as the granted user. Run SELECT * FROM salary; within database hr_prod in SQL Editor. amount data is shown as unmasked.

Related content#

• Docs for Dynamic Data Masking
• How to Manage Data Access for Developers