Managing Dynamic Masking Policies
After a dynamic masking policy is created in DataArts Security, the system synchronizes the policy to the data source. The data source dynamically masks data columns based on specified rules. When the users and user groups specified in the policy access sensitive data, the system returns the data that is dynamically masked by the data source to protect sensitive data from being disclosed.
Note that dynamic masking policies configured for a DataArts Studio instance are visible to and take effect for all the workspaces of the instance.
Prerequisites
- Before creating MRS Hive data masking policies, you have created an MRS Ranger data connection. For details, see Creating a Data Connection.
- Before creating GaussDB(DWS) data masking policies, you have created a GaussDB(DWS) connection. For details, see Creating a Data Connection. The account in the GaussDB(DWS) connection must have the GRANT permission of the target table. (By default, only the owner of a database object or system administrator can run the GRANT command to grant the object permissions to other users.)
- Dynamic data masking policies need to be associated with data sources for specified users or user groups. Therefore, you need to synchronize user information from IAM to data sources first. For details, see Synchronizing Users.
- If you want to use the current user identity authentication to make the dynamic masking policy take effect during script execution and job tests in DataArts Factory, you need to enable permission applications by following the instructions in Enabling Permission Applications.
- If you want to view sensitive fields during the creation of a data masking policy, you need to create a sensitive data discovery task in advance and change the statuses of sensitive data fields to valid on the Sensitive Data Distribution page. For details, see Discovering Sensitive Data and Viewing Sensitive Data Distribution.
Constraints
- Only the DAYU Administrator, Tenant Administrator, or data security administrator can create, modify, or delete dynamic masking policies. Other common users do not have permission to perform these operations.
- Currently, dynamic masking policies support only MRS Hive and GaussDB(DWS) data sources, and do not support GaussDB(DWS) logical clusters. In addition, accounts in GaussDB(DWS) data connections must have the GRANT permission of the table to be masked. (After a database object is created, only the object owner or system administrator can grant the object permissions to other users using the GRANT command by default.)
- A table can be associated with only one dynamic data masking policy. Policies take effect only after they are synchronized successfully.
- During dynamic masking of MRS Hive data, MRS Ranger allows you to configure different rules for the same column, and the rules are matched in the sequence of their configuration time. Therefore, you can configure multiple masking policies for different content in the same cluster, database, table, and column.
- Dynamic data masking policies need to be associated with data sources for specified users or user groups. Therefore, you need to synchronize user information from IAM to data sources first. For details, see Synchronizing Users.
- Table 2 lists the masking rules supported by the MRS service. For Chinese characters, only null and hash masking are supported. If other masking methods are selected, masking does not take effect.
The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.
- Table 3 lists the masking rules supported by GaussDB(DWS). Chinese characters cannot be masked. If you mask data that contains Chinese characters, garbled characters may be displayed.
Creating a Dynamic Masking Policy
- On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.
Figure 1 DataArts Security
- In the left navigation pane, choose Dynamic Masking.
Figure 2 Dynamic Masking
- Click Create and set the parameters listed in Table 1.
Figure 3 Setting parameters for the dynamic masking policy
The following table lists the parameters.Table 1 Policy parameters Parameter
Description
*Policy Name
Unique identifier of the dynamic masking policy. It must be unique in a DataArts Studio instance.
To facilitate policy management, you are advised to include the object to be masked and masking rule in the name.
*User Group/Username
User or user group in the current workspace members. When a specified object queries or exports sensitive data from DataArts Factory, the system dynamically masks the sensitive data to protect the sensitive data from being disclosed.
*Data Source Type
Currently, only MRS Hive and DWS are supported.
*Data Connection
If no data connection is available, create one by referring to Creating a Data Connection.
*Cluster Name
You do not need to set this parameter. The data source cluster in the data connection is automatically selected.
*Database
Database where the sensitive data is stored
*schema
Schema where the sensitive data is stored. This parameter is required only when Data Source Type is set to DWS.
*Data Table
Data table where the sensitive data is stored
*Data Column
*Column Name
Column to be masked. Administrators can select multiple columns and configure different masking rules for them.
Data type
You do not need to set this parameter. The data type of the current column is displayed.
Security Level
If sensitive data discovery has been performed on the selected table column and the statuses of the sensitive data fields are valid, the security level is displayed.
*Masking Rule
Select a proper masking rule based on the data type of the column.
The supported data masking rules vary depending on the data source. For details, see Reference: Dynamic Masking Rules.
- After setting all required parameters, click OK. After the dynamic masking policy is created, you need to click Synchronize to synchronize the policy to the data source.
Related Operations
- Synchronizing a policy: On the Dynamic Masking page, locate a policy and click Synchronize in the Operation column to synchronize the policy to the data source. To synchronize multiple policies, select them and click Synchronize above the list.
Policies take effect only after they are synchronized successfully. If the policy synchronization fails, you can view the policy run log in the policy details to locate the failure cause. After rectifying the fault, synchronize the policy again. If the synchronization still fails, contact technical support.
- Editing a policy: On the Dynamic Masking page, locate a policy and click Edit in the Operation column.
- Deleting policies: On the Dynamic Masking page, locate a policy and click Delete in the Operation column. To delete multiple policies, select them and click Delete above the list.
The deletion operation cannot be undone. Exercise caution when performing this operation.
- Viewing policy details: On the Dynamic Masking page, locate a policy and click its name to view its details.
Figure 4 Viewing policy details
Reference: Dynamic Masking Rules
- MRS Hive dynamic masking rules are provided by MRS Ranger. Table 2 lists the supported rules.
The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.
- GaussDB(DWS) dynamic masking rules are provided by GaussDB(DWS). Table 3 lists the supported rules.
Data Type |
Masking Rule |
||||||||
---|---|---|---|---|---|---|---|---|---|
Mask Letters and Digits |
Show Only the Last Four Characters |
Show Only the First Four Characters |
Replace a Value with Its Hash Value |
Mask the Month and Date |
Replace a Value with Null |
SM3 |
Custom/Show First x and Last y Characters |
Custom/Mask First x and Last y Characters |
|
TINYINT |
The number of characters remains unchanged. All values are replaced with 1. |
No change. The maximum value is 127. |
No change. The minimum value is –128. |
The value changes to null. |
The number of characters remains unchanged. All values are replaced with 1. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
SMALLINT |
The number of characters remains unchanged. All values are replaced with 1. |
No change. The maximum value is 12767. |
No change. The maximum value is –32768. |
The value changes to null. |
The number of characters remains unchanged. All values are replaced with 1. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
INT |
The number of characters remains unchanged. All values are replaced with 1. |
The last four characters are shown. |
The first four characters are shown. |
The value changes to null. |
The number of characters remains unchanged. All values are replaced with 1. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
BIGINT |
The number of characters remains unchanged. All values are replaced with 1. |
The last four characters are shown. |
The first four characters are shown. |
The value changes to null. |
The number of characters remains unchanged. All values are replaced with 1. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
BOOLEAN |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
FLOAT |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
DOUBLE |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
STRING |
Letters change to x, and digits change to n. |
Chinese characters remain unchanged, and letters change to X. |
Letters change to X. |
The value changes to its hash value of 64 bytes. |
Chinese characters remain unchanged with each character occupying one digit, and letters change to X. |
The value changes to null. |
Encryption using the SM3 algorithm |
Shows the first x characters and the last y characters. |
Hides the first x characters and the last y characters. |
TIMESTAMP |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
CHAR |
Letters change to x, and digits change to n. |
Letters and digits change to X, and the last four characters are retained (a fixed length with spaces). |
Letters and digits change to X, and the first four characters are retained (a fixed length with spaces). |
The value changes to its hash value of 64 bytes. |
Chinese characters remain unchanged with each character occupying one digit, and letters change to X. |
The value changes to null. |
Encryption using the SM3 algorithm |
Shows the first x characters and the last y characters. |
Hides the first x characters and the last y characters. |
VARCHAR |
Letters change to x, and digits change to n. |
The last four characters are retained (Chinese characters remain unchanged with each character occupying one digit), and letters change to X. |
The first four characters are retained (Chinese characters remain unchanged with each character occupying one digit), and letters change to X. |
The value changes to its hash value of 64 bytes. |
Chinese characters remain unchanged with each character occupying one digit, and letters change to X. |
The value changes to null. |
Encryption using the SM3 algorithm |
Shows the first x characters and the last y characters. |
Hides the first x characters and the last y characters. |
DATE |
The date changes to 0001-01-01. |
The date changes to 0001-01-01. |
The date changes to 0001-01-01. |
The value changes to null. |
The year is retained, and other values change to 01. |
The value changes to null. |
Not supported |
Not supported |
Not supported |
Data Type |
Masking Rule |
|||
---|---|---|---|---|
Replace All Characters with Asterisks (*) |
Retain Last Four Characters and Replace Others with Asterisks (*) |
Retain First Two Characters and Replace Others with Asterisks (*) |
Custom |
|
Character bpchar, varchar, text, inet, macaddr, uuid, char, txt |
All characters are replaced with asterisks (*). |
The last four characters are retained, and the other characters are replaced with asterisks (*). |
The first two characters are retained, and the other characters are replaced with asterisks (*). |
The start and end positions for masking are customized. |
Value numeric, int2, int8, money, float8, float4, interval, decimal, double precision, real, integer, smallint, bigint |
All characters are replaced with asterisks (*). |
Not supported |
Not supported |
The start and end positions for masking are customized. |
Time timestamp, time, timetz, timestamptz, date, time without time zone, timestamp without time zone, time without time zone, timestamp without time zone |
All characters are replaced with asterisks (*). |
Not supported |
Not supported |
The year, month, or day can be masked as needed. |
Other |
All characters are replaced with asterisks (*). |
Not supported |
Not supported |
Not supported |
Reference: Configuring UDF-related Permissions in the Ranger Component
If you choose the SM3, Custom/Show First x and Last y Characters, or Custom/Mask First x and Last y Characters masking rule when configuring a dynamic masking policy for MRS Hive data, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. The procedure is as follows:
- Log in to MRS Manager as user admin.
- On the Manager page, choose Cluster > Services > Ranger. On the Ranger overview page, click RangerAdmin to go to the Ranger WebUI.
Figure 5 Accessing the Ranger WebUI
- Log out of the current account and use the Ranger administrator account to log in again. For a common cluster, the admin account for the Manager page can be used as the Ranger administrator account. For a security cluster, rangeradmin is the Ranger administrator account. For details about the default password of rangeradmin, see User Account List.
Figure 6 Logging out of the current account
- On the home page, click the component plug-in name in the HADOOP SQL area, for example, Hive.
- On the Access tab page, click Add New Policy.
Figure 7 Policy list
- On the Create Policy page, configure the policy parameters to grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users.
- Policy Name: Enter a policy name, for example, creat_udf_access.
- database: Select default. The created UDF is stored in the default database by default.
- udf: Select * to match all UDFs.
- Permission 1 – UDF creation permission for the account in the Ranger data connection:
- Select User: Select the account in the Ranger data connection.
- Permissions: Select Create, which indicates the UDF creation permission.
- Permission 2 – UDF usage permission for all users:
- Select Group: Select public, which indicates all users.
- Permissions: Select select, which indicates the UDF usage permission.
Figure 8 Creating a policy
- Click add to finish configuring the permissions.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot