Column Masking

Column masking is a security feature that allows sensitive data within specific columns of a database table to be obscured or partially concealed from users who do not have the appropriate access privileges. It ensures that only authorized users can view the complete data, while others may see masked or redacted versions. Column masking is typically used when there is a need to protect sensitive data stored in a database from unauthorized access.

The following types of masking are currently supported:

  1. Mask: In this type of column masking, the entire content of the column is replaced with placeholder characters or a predefined value to conceal the original data. It uses regex replacement functions. This ensures that no sensitive information is exposed.

  2. Mask First 4 characters: With this type of masking, only the first four characters of the column's data are retained, while the rest are replaced with placeholder characters or removed altogether. This allows for partial visibility while still protecting sensitive information.

  3. Mask Last 4 characters: Similar to masking the first four characters, this type of masking retains the majority of the data in the column while obscuring only the last four characters. It provides partial visibility while maintaining confidentiality.

  4. Hash (using SHA256): Hash is a cryptographic technique used to convert data into a fixed-size string of characters, known as a hash value. In column masking, the original data is replaced with its corresponding hash value generated using a hashing algorithm such as SHA256. This irreversible transformation ensures that the original data cannot be derived from the masked value, providing a high level of security and privacy protection.

Create Column Masking Privileges

To create a column masking privilege, follow these steps:

  1. Navigate to catalogs, and click on the desired catalog.

  2. Select the Privilege(Beta) tab.

  3. Click on Create Privileges to create a new privilege.

  4. Provide a name to privilege.

  5. Enter a description of the privilege (optional).

  6. Select the column masking from the type of privilege.

  7. Select the databases and tables

  8. Select columns and the type of masking you require.

  9. Select the user(s)/group(s) to whom you wish to provide access to the selected schema.

  10. Click on "Create."

  11. The privilege will be created and can be viewed in the privileges tab list.

User-Specific Column Masking Example

For user George, the column "cc_call_id" has been masked. Only the data in the "cc_call_id" column has been masked for the user George, while other column data remains visible.

For user Pranav, there are no restrictions, and he can view the data in the column "cc_call_id".

Limitations:

  • Column masking only applies to string data types.

  • For string fields with 4 characters, show_first_4 and show_last_4 masking types display the field without any masking.

  • When masked columns are used in string functions, e6data governance applies string functions first and then masks the data accordingly.

  • Column masking is not supported for values with special characters.

  • Masking of values in json_values functions is not supported. (If a masked column is aggregated then the final output is not masked).

Update Column Masking Privilege

To edit a privilege, follow these steps:

  1. Click on the three dots next to the privilege you want to edit.

  2. Select "Edit" from the dropdown menu.

  3. The privilege form will now be available for modification.

  4. If you want to change the description, update it accordingly.

  5. Choose the databases and tables.

  6. Select column and masking type in column masking.

  7. Select the users and groups you wish to grant access to for the selected schema.

  8. Finally, click on "Update" to save your changes.

Delete Column Masking Privilege

To delete a privilege, follow these steps:

  1. Click on the three dots next to the privilege you want to delete.

  2. Select "Delete" from the dropdown menu.

  3. Confirm the deletion by typing "Delete" in the alert box.

Last updated