Skip to main content

Data Masking Policy

IOMETE allows you to protect sensitive data using data masking. With this feature, you can create policies that mask or anonymize specific columns containing sensitive data, such as PII, PCI, and PHI, dynamically in the query output.


Policy details

Policy details includes the following properties.
FieldDescription
Policy nameEnter an appropriate policy name. This name cannot be duplicated in another policy.
Enabled & DisabledThe policy is enabled by default. If disabled, the policy will not affect user queries.
Normal & OverrideWhen switched to Override, the access permissions in the policy override the access permissions in existing policies.
Add Validity PeriodSpecify a start and end time for the policy. (Optional)
DescriptionDescribe the purpose of the policy. (Optional)

Policy resources

FieldDescription
DatabaseChoose only one database. All available options are displayed in the selection. The search function helps you find an exact match.
TableChoose only one table. All available options are displayed in the selection based on the chosen database. The search function helps you find an exact match.
ColumnChoose only one column. All available options are displayed in the selection based on the chosen database and table. The search function helps you find an exact match.
Wildcard

Wildcard matching is not supported in data masking policy.

Mask Conditions

IOMETE provides the mask conditions for the management of fine-grained data masking. The condition includes the following properties.

FieldDescription
Select Group

Specify one or more groups for whom this policy should be applied. If no group is specified, you must provide a user.

Select User

Specify one or more users for whom this policy should be applied. If no user is specified, you must provide a group.

Masking options

To create a masking filter for the specified users, groups, click Select Masking Option, then select a masking type:
- Redact – mask all alphabetic characters with "x" and all numeric characters with "n".
- Partial mask: show last 4 – Show only the last four characters.
- Partial mask: show first 4 – Show only the first four characters.
- Hash – Replace all characters with a hash of the entire cell value.
- Nullify – Replace all characters with a NULL value.
- Unmasked (retain original value) – No masking is applied.
- Date: show only year – Show only the year portion of a date string and default the month and day to 01/01.

New condition

To add additional conditions, click on the Add new condition button. The conditions are evaluated in the order they appear in the policy. The top condition is applied first, followed by the second, third, and so on.

Drag items from the left-side icon to reorder.

Data masking policy use cases

Use case: Masking phone number in Customers Table

Let's use the customers table for data-masking feature use cases as well.

This use case focuses on implementing a masking policy for the phone_number column within the customers table. The objective is to provide a certain level of data privacy while granting access to the data for the public group.

data masking use

Policy details:

  • Target Table: customers
  • Target Column: phone_number data masking UI

Masking rule:

  • The policy enforces that members of the public group can only view the last 4 digits of the phone_number column.
  • All other digits preceding the last 4 should be masked or obfuscated, ensuring that sensitive information remains protected.

Access permissions:

  • The public group is granted read access to the phone_number column within the customers table.
  • This allows the public group members to view the partially masked phone numbers for customers while ensuring that critical digits are concealed. data masking permission

Query results

SELECT * from default.customers;
  • Sample Data Before Applying Masking Policy for public group: Consider a few records in the customers table before the masking policy is applied:

    data masking example

  • Sample Data After Applying Masking Policy public group: Once the masking policy is applied, the phone_number column will show different results based on the user group's access level.

    data masking sample