Updated on 2025-11-17 GMT+08:00

Creating a Dynamic Data Masking Policy

Function

This API is used to create a dynamic data masking policy.

Calling Method

For details, see Calling APIs.

URI

POST /v1/{project_id}/security/masking/dynamic/policies

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. For details about how to obtain the project ID, see Project ID and Account ID. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| workspace | Yes | String | Workspace ID. For details about how to obtain the workspace ID, see Instance ID and Workspace ID. |
| X-Auth-Token | Yes | String | IAM token, which is obtained by calling the IAM API for obtaining a user token (value of X-Subject-Token in the response header). This parameter is mandatory for token authentication. |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| name | Yes | String | Policy name. The value must start with a letter and can contain 2 to 64 characters, including letters, digits, and underscores (_). |
| datasource_type | Yes | String | Data source type. Options: Hive, GaussDB(DWS), DLI. |
| cluster_id | Yes | String | Cluster ID. You can obtain the cluster ID on the cluster management page. When the data source type is DLI, set this parameter to DLI. |
| cluster_name | Yes | String | Cluster name. You can obtain the cluster name on the cluster management page. When the data source type is DLI, set this parameter to DLI. |
| database_name | Yes | String | Database name. For details about how to obtain the data source, see Obtaining Tables in the Data Source. |
| table_id | No | String | Data table ID. For details about how to obtain the data table ID, see Obtaining Tables in the Data Source. |
| table_name | Yes | String | Data table name. For details about how to obtain the data table name, see Obtaining Tables in the Data Source. |
| user_groups | No | String | List of user groups. User group names are separated by commas (,). This parameter is optional, but either this parameter or users must be set. An example value is "userGroup1,userGroup2". |
| users | No | String | List of users. Usernames are separated by commas (,). This parameter is optional, but either this parameter or user_groups must be set. An example value is "user1,user2". |
| conn_name | Yes | String | Data connection name. For details about how to obtain it, see Querying a Data Connection List. |
| conn_id | Yes | String | Data connection ID. For details about how to obtain it, see Querying a Data Connection List. |
| schema_name | No | String | Name of a schema in the GaussDB(DWS) data |
| policy_list | Yes | Array of DynamicMaskingPolicyCreate objects | List of dynamic data masking policies |

Table 4 DynamicMaskingPolicyCreate

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| column_name | Yes | String | Name of a field in a table |
| column_type | Yes | String | Data type of a field in a table |
| algorithm_type | No | String | Dynamic masking algorithm. The values for each data source type are listed after this table. For details about the parameters of dynamic data masking rules, see "Managing Dynamic Masking Policies" in DataArts Studio User Guide. |
| algorithm_detail | No | String | Details of the algorithm used in the dynamic masking policy |
| algorithm_detail_dto | No | AlgorithmDetailDTO object | Details of the algorithm used in the dynamic masking policy |

Dynamic masking algorithms for Hive data

  • MASK: masks letters and digits.
  • MASK_SHOW_LAST_4: shows only the last four characters.
  • MASK_SHOW_FIRST_4: shows only the first four characters.
  • MASK_HASH: replaces a value with its hash value.
  • MASK_DATE_SHOW_YEAR: masks the month and date.
  • MASK_NULL: replaces a value with null.

Dynamic masking algorithms for GaussDB(DWS) data

  • DWS_ALL_MASK: replaces all characters with asterisks (*).
  • DWS_BACK_KEEP: retains the last four characters and replaces the others with asterisks (*).
  • DWS_FRONT_KEEP: retains the first two characters and replaces the others with asterisks (*).
  • DWS_SELF_CONFIG: You need to enter the start position and end position and pass the character used for masking to the detail structure, for example, {"start": 1, "end": 2, "string_target": "*"}.

Dynamic masking algorithms for DLI data

  • MASK: masks letters and digits.
  • MASK_SHOW_LAST_4: shows only the last four characters.
  • MASK_SHOW_FIRST_4: shows only the first four characters.
  • MASK_HASH: replaces a value with its hash value.
  • MASK_DATE_SHOW_YEAR: masks the month and date.
  • MASK_NULL: replaces a value with null.

Table 5 AlgorithmDetailDTO

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| start | No | Integer | Start digit. The value must be greater than 0 and less than the value of end. |
| end | No | Integer | End digit. The value must be greater than or equal to the value of start. |
| int_target | No | Integer | Value type |
| string_target | No | String | String type. The value can be * or #. |

Response Parameters

Status code: 200

Table 6 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| id | String | Policy ID. |
| name | String | Policy name. The value must start with a letter and can contain 2 to 64 characters, including letters, digits, and underscores (_). |
| datasource_type | String | Data source type. Options: Hive, GaussDB(DWS), DLI. |
| cluster_id | String | Cluster ID. You can obtain the cluster ID on the cluster management page. When the data source type is DLI, set this parameter to DLI. |
| cluster_name | String | Cluster name. You can obtain the cluster name on the cluster management page. When the data source type is DLI, set this parameter to DLI. |
| database_name | String | Database name. For details about how to obtain the data source, see Obtaining Tables in the Data Source. |
| table_id | String | Data table ID. For details about how to obtain the data table ID, see Obtaining Tables in the Data Source. |
| table_name | String | Data table name. For details about how to obtain the data table name, see Obtaining Tables in the Data Source. |
| user_groups | String | List of user groups. User group names are separated by commas (,). This parameter is optional, but either this parameter or users must be set. An example value is "userGroup1,userGroup2". |
| users | String | List of users. Usernames are separated by commas (,). This parameter is optional, but either this parameter or user_groups must be set. An example value is "user1,user2". |
| conn_name | String | Data connection name. For details about how to obtain it, see Querying a Data Connection List. |
| conn_id | String | Data connection ID. For details about how to obtain it, see Querying a Data Connection List. |
| sync_status | String | Synchronization status. UNKNOWN: unknown status; NOT_SYNC: unsynchronized; SYNCING: synchronizing; SYNC_SUCCESS: synchronized successfully; SYNC_FAIL: synchronization failed; SYNC_PARTIAL_FAIL: synchronization partially failed; DELETE_FAIL: deletion failed; DELETING: deleting; UPDATING: updating; DATA_UPDATED: data updated. |
| sync_msg | String | Policy synchronization information |
| sync_log | String | Synchronization run log, which consists of the field synchronization information and a newline character |
| create_time | Long | Time when the policy was created |
| create_user | String | User who created the policy |
| update_time | Long | Policy update time |
| update_user | String | User who updated the policy |
| schema_name | String | Name of a schema in the GaussDB(DWS) data |
| policy_list | Array of DynamicMaskingPolicy objects | List of dynamic data masking policies |

Table 7 DynamicMaskingPolicy

| Parameter | Type | Description |
|---|---|---|
| id | String | ID of a field masking policy |
| policy_set_id | String | ID of a dynamic masking policy |
| column_name | String | Name of a field in a table |
| column_type | String | Data type of a field in a table |
| algorithm_type | String | Dynamic masking algorithm. The values for each data source type are listed after this table. For details about the parameters of dynamic masking rules, see section "Dynamic Masking Rules" in User Guide. |
| sync_status | String | Synchronization status. UNKNOWN: unknown status; NOT_SYNC: unsynchronized; SYNCING: synchronizing; SYNC_SUCCESS: synchronized successfully; SYNC_FAIL: synchronization failed; SYNC_PARTIAL_FAIL: synchronization partially failed; DELETE_FAIL: deletion failed; DELETING: deleting; UPDATING: updating; DATA_UPDATED: data updated. |
| algorithm_detail | String | Details of the algorithm used in the dynamic masking policy |
| algorithm_detail_dto | AlgorithmDetailDTO object | Details of the algorithm used in the dynamic masking policy |

Dynamic masking algorithms for Hive data

  • MASK: masks letters and digits.
  • MASK_SHOW_LAST_4: shows only the last four characters.
  • MASK_SHOW_FIRST_4: shows only the first four characters.
  • MASK_HASH: replaces a value with its hash value.
  • MASK_DATE_SHOW_YEAR: masks the month and date.
  • MASK_NULL: replaces a value with null.

Dynamic masking algorithms for GaussDB(DWS) data

  • DWS_ALL_MASK: replaces all characters with asterisks (*).
  • DWS_BACK_KEEP: retains the last four characters and replaces the others with asterisks (*).
  • DWS_FRONT_KEEP: retains the first two characters and replaces the others with asterisks (*).
  • DWS_SELF_CONFIG: You need to enter the start position and end position and pass the character used for masking to the detail structure, for example, {"start": 1, "end": 2, "string_target": "*"}.

Dynamic masking algorithms for DLI data

  • MASK: masks letters and digits.
  • MASK_SHOW_LAST_4: shows only the last four characters.
  • MASK_SHOW_FIRST_4: shows only the first four characters.
  • MASK_HASH: replaces a value with its hash value.
  • MASK_DATE_SHOW_YEAR: masks the month and date.
  • MASK_NULL: replaces a value with null.

Table 8 AlgorithmDetailDTO

| Parameter | Type | Description |
|---|---|---|
| start | Integer | Start digit. The value must be greater than 0 and less than the value of end. |
| end | Integer | End digit. The value must be greater than or equal to the value of start. |
| int_target | Integer | Value type |
| string_target | String | String type. The value can be * or #. |

Status code: 400

Table 9 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error message. |

Example Requests

  • Create a dynamic masking policy for Hive data.

    /v1/0833a5737480d53b2f25c010dc1a7b88/security/masking/dynamic/policies
    
    {
      "name" : "OpenAPI_Hive_test",
      "datasource_type" : "HIVE",
      "cluster_id" : "dc425074-26b3-479c-9e2f-b103c0cdd90f",
      "cluster_name" : "mrs_3x_xxxx_do_not_del",
      "database_name" : "bigdatatest",
      "table_name" : "aaaa",
      "table_id" : "NativeTable-39dc19fb17034ab39e46ebe0420c6202-bigdatatest-aaaa",
      "user_groups" : "DataArts User",
      "users" : "",
      "conn_name" : "hive_3x_0330",
      "conn_id" : "39dc19fb17034ab39e46ebe0420c6202",
      "policy_list" : [ {
        "column_name" : "aa",
        "column_type" : "string",
        "algorithm_type" : "MASK_SHOW_LAST_4"
      } ]
    }
  • Create a dynamic masking policy for GaussDB(DWS) data.

    /v1/0833a5737480d53b2f25c010dc1a7b88/security/masking/dynamic/policies
    
    {
      "name" : "OpenAPI_DWS_test",
      "datasource_type" : "DWS",
      "cluster_id" : "c94a9133-ef65-47ad-9483-bfa8c5eaa101",
      "cluster_name" : "dws_ssl_4autotest_nomodify",
      "database_name" : "gaussdb",
      "table_name" : "all_column",
      "table_id" : "NativeTable-e2f6c44100654778aee017f8ad9e3ac9-gaussdb-public-all_column",
      "user_groups" : "DataArts_PDP5_NoPrivilleage",
      "users" : "autotest_tics",
      "conn_name" : "dws_0430",
      "conn_id" : "e2f6c44100654778aee017f8ad9e3ac9",
      "policy_list" : [ {
        "column_name" : "avarchar",
        "column_type" : "varchar",
        "algorithm_type" : "DWS_ALL_MASK",
        "algorithm_detail_dto" : null
      } ],
      "schema_name" : "public"
    }
  • Create a dynamic masking policy for DLI data.

    /v1/0833a5737480d53b2f25c010dc1a7b88/security/masking/dynamic/policies
    
    {
      "name" : "OpenAPI_DLI_test",
      "datasource_type" : "DLI",
      "cluster_id" : "DLI",
      "cluster_name" : "DLI",
      "database_name" : "bigdatatest",
      "table_name" : "dli_string_auto_20231116",
      "table_id" : "NativeTable-619d52a0e6954aa68844f5f010e06ef8-bigdatatest-dli_string_auto_20231116",
      "user_groups" : "",
      "users" : "",
      "conn_name" : "xu_dli_link",
      "conn_id" : "619d52a0e6954aa68844f5f010e06ef8",
      "policy_list" : [ {
        "column_name" : "varchar1",
        "column_type" : "string",
        "algorithm_type" : "MASK_NULL"
      } ]
    }
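
The constraints stated in Tables 3 to 5, written as a check to run on a request body before it is submitted. This is an added example, not code from the DataArts Studio documentation or SDK; validate_policy and SAMPLE are hypothetical names, the data source keys follow the spelling used in the example requests, and the DWS_SELF_CONFIG detail is assumed to travel in algorithm_detail_dto.

```python
import re

# Algorithm names from Table 4. Keys follow the datasource_type spelling used
# in the example requests (HIVE, DWS, DLI), which is an assumption.
MASK_SET = {"MASK", "MASK_SHOW_LAST_4", "MASK_SHOW_FIRST_4",
            "MASK_HASH", "MASK_DATE_SHOW_YEAR", "MASK_NULL"}
DWS_SET = {"DWS_ALL_MASK", "DWS_BACK_KEEP", "DWS_FRONT_KEEP", "DWS_SELF_CONFIG"}
ALGORITHMS = {"HIVE": MASK_SET, "DLI": MASK_SET, "DWS": DWS_SET}
REQUIRED = ("name", "datasource_type", "cluster_id", "cluster_name",
            "database_name", "table_name", "conn_name", "conn_id", "policy_list")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{1,63}")

def validate_policy(body):
    """Return the list of Table 3-5 constraints that a request body violates."""
    errors = [f"missing mandatory field: {k}" for k in REQUIRED if not body.get(k)]
    if body.get("name") and not NAME_RE.fullmatch(body["name"]):
        errors.append("name: letter first, 2 to 64 letters, digits or underscores")
    if not (body.get("users") or body.get("user_groups")):
        errors.append("either users or user_groups must be set")
    ds = body.get("datasource_type")
    allowed = ALGORITHMS.get(ds)
    if ds and allowed is None:
        errors.append(f"unknown datasource_type: {ds}")
    if ds == "DLI" and {body.get("cluster_id"), body.get("cluster_name")} != {"DLI"}:
        errors.append("cluster_id and cluster_name must both be DLI")
    for i, col in enumerate(body.get("policy_list") or []):
        where = f"policy_list[{i}]"
        errors += [f"{where}: missing {k}" for k in ("column_name", "column_type")
                   if not col.get(k)]
        algo = col.get("algorithm_type")
        if algo and allowed is not None and algo not in allowed:
            errors.append(f"{where}: {algo} is not valid for {ds}")
        if algo == "DWS_SELF_CONFIG":
            # Assumption: the start/end/target detail travels in algorithm_detail_dto.
            d = col.get("algorithm_detail_dto") or {}
            s, e = d.get("start"), d.get("end")
            if not (isinstance(s, int) and isinstance(e, int) and 0 < s < e):
                errors.append(f"{where}: start must satisfy 0 < start < end")
            if d.get("string_target") not in ("*", "#"):
                errors.append(f"{where}: string_target must be * or #")
    return errors

# Constructed sample: a DWS body with a Hive algorithm and no users or groups.
SAMPLE = {"name": "1bad", "datasource_type": "DWS", "cluster_id": "c1",
          "cluster_name": "dws1", "database_name": "db", "table_name": "t",
          "conn_name": "conn", "conn_id": "id1", "users": "", "user_groups": "",
          "policy_list": [{"column_name": "c", "column_type": "varchar",
                           "algorithm_type": "MASK_HASH"}]}
if __name__ == "__main__":
    print("\n".join(validate_policy(SAMPLE)))
```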

Example Responses

Status code: 200

OK

{
  "cluster_id" : "dc425074-26b3-479c-9e2f-b103c0cdd90f",
  "cluster_name" : "mrs_3x_autotest_do_not_del",
  "conn_id" : "ae55cb5c44be4119b8958a3ba5d9a71f",
  "conn_name" : "hive_xxxx_0520",
  "create_time" : 1716195352790,
  "create_user" : "ei_dayu_xxxx_01",
  "database_name" : "bigdatatest",
  "datasource_type" : "HIVE",
  "id" : "e55577e76cb77f87cec2099b8074a88d",
  "name" : "xxxx_unique_test",
  "policy_list" : [ {
    "algorithm_detail" : null,
    "algorithm_detail_dto" : null,
    "algorithm_type" : "MASK_SHOW_LAST_4",
    "associated_id" : null,
    "associated_policy_name" : null,
    "column_name" : "name",
    "column_type" : "string",
    "id" : "607218bdfdf8452cd0abe9354639c472",
    "policy_set_id" : "e55577e76cb77f87cec2099b8074a88d",
    "sync_msg" : null,
    "sync_status" : "NOT_SYNC",
    "sync_time" : null
  }, {
    "algorithm_detail" : null,
    "algorithm_detail_dto" : null,
    "algorithm_type" : "MASK_SHOW_FIRST_4",
    "associated_id" : null,
    "associated_policy_name" : null,
    "column_name" : "a1",
    "column_type" : "string",
    "id" : "95cefff4b29e1db7fedb9b772739d7a0",
    "policy_set_id" : "e55577e76cb77f87cec2099b8074a88d",
    "sync_msg" : null,
    "sync_status" : "NOT_SYNC",
    "sync_time" : null
  } ],
  "schema_id" : null,
  "schema_name" : null,
  "sync_log" : null,
  "sync_msg" : null,
  "sync_status" : "NOT_SYNC",
  "table_id" : "NativeTable-ae55cb5c44be4119b8958a3ba5d9a71f-bigdatatest-dws_gglllsss",
  "table_name" : "dws_gglllsss",
  "update_time" : 1716195352790,
  "update_user" : "ei_dayu_xxxx_01",
  "user_groups" : "DataArts User",
  "users" : "user1,user2,user3,user4"
}

Status Codes

| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad Request |