Help Center> DataArts Studio> User Guide> DataArts Security> Privacy Protection and Management> Dynamic Masking Tasks> Managing Dynamic Masking Policies
Updated on 2024-07-11 GMT+08:00
View PDF

Managing Dynamic Masking Policies

After a dynamic masking policy is created in DataArts Security, the system synchronizes the policy to the data source. The data source dynamically masks data columns based on specified rules. When the users and user groups specified in the policy access sensitive data, the system returns the data that is dynamically masked by the data source to protect sensitive data from being disclosed.

Note that dynamic masking policies configured for a DataArts Studio instance are visible to and take effect for all the workspaces of the instance.

Prerequisites

  • Before creating MRS Hive data masking policies, you have created an MRS Ranger data connection. For details, see Creating a Data Connection.
  • Before creating GaussDB(DWS) data masking policies, you have created a GaussDB(DWS) connection. For details, see Creating a Data Connection. The account in the GaussDB(DWS) connection must have the GRANT permission of the target table. (By default, only the owner of a database object or system administrator can run the GRANT command to grant the object permissions to other users.)
  • Dynamic masking policies for MRS Hive and GaussDB(DWS) need to be associated with data sources for specified users or user groups. Therefore, you need to synchronize user information from IAM to data sources first. For details, see Synchronizing IAM Users to the Data Source.
  • If you want to use the current user identity authentication to make the dynamic masking policy take effect during script execution and job tests in DataArts Factory, you need to enable permission applications by following the instructions in Enabling Fine-grained Authentication.
  • If you want to view sensitive fields during the creation of a data masking policy, you need to create a sensitive data discovery task in advance and change the statuses of sensitive data fields to valid on the Sensitive Data Distribution page. For details, see Discovering Sensitive Data and Viewing Sensitive Data Distribution.

Constraints

  • Only the DAYU Administrator, Tenant Administrator, or data security administrator can create, modify, or delete dynamic masking policies. Other common users do not have permission to perform these operations.
  • Currently, dynamic masking policies support only MRS Hive and GaussDB(DWS) data sources, and do not support GaussDB(DWS) logical clusters. In addition, accounts in GaussDB(DWS) data connections must have the GRANT permission of the table to be masked. (After a database object is created, only the object owner or system administrator can grant the object permissions to other users using the GRANT command by default.)
  • A table can be associated with only one dynamic data masking policy. Policies take effect only after they are synchronized successfully.
  • During dynamic masking of MRS Hive data, MRS Ranger allows you to configure different rules for the same column, and the rules are matched in the sequence of their configuration time. Therefore, you can configure multiple masking policies for different content in the same cluster, database, table, and column.
  • Dynamic masking policies for MRS Hive and GaussDB(DWS) need to be associated with data sources for specified users or user groups. Therefore, you need to synchronize user information from IAM to data sources first. For details, see Synchronizing IAM Users to the Data Source.
  • Table 2 lists the masking rules supported by the MRS service. For Chinese characters, only null and hash masking are supported. If other masking methods are selected, masking does not take effect.

    The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.

  • Table 3 lists the masking rules supported by GaussDB(DWS). Chinese characters cannot be masked. If you mask data that contains Chinese characters, garbled characters may be displayed.

Creating a Dynamic Masking Policy

  1. On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.

    Figure 1 DataArts Security

  2. In the left navigation pane, choose Dynamic Masking.

    Figure 2 Dynamic Masking

  3. Click Create and set the parameters listed in Table 1.

    Figure 3 Setting parameters for the dynamic masking policy

    The following table lists the parameters.
    Table 1 Policy parameters

    Parameter

    Description

    *Policy Name

    Unique identifier of the dynamic masking policy. It must be unique in a DataArts Studio instance.

    To facilitate policy management, you are advised to include the object to be masked and masking rule in the name.

    *Data Source Type

    Currently, only MRS Hive and DWS are supported.

    MRS Hive

    *User Group/Username

    User or user group in the current workspace members. When a specified object queries or exports sensitive data from DataArts Factory, the system dynamically masks the sensitive data to protect the sensitive data from being disclosed.

    *Data Connection

    If no data connection is available, create one by referring to Creating a Data Connection.

    *Cluster Name

    You do not need to set this parameter. The data source cluster in the data connection is automatically selected.

    *Database

    Database where the sensitive data is stored

    *Data Table

    Data table where the sensitive data is stored

    *Data Column

    Select one or more columns to be masked and select a proper masking rule for each column based on the data type. Supported data masking rules vary depending on the data type of each data source. For details, see Reference: Dynamic Masking Rules.

    If sensitive data discovery has been performed on the selected columns and the statuses of the sensitive data fields are valid, the data security levels and classifications are displayed in the Data Column area.

    DWS

    *User Group/Username

    User or user group in the current workspace members. When a specified object queries or exports sensitive data from DataArts Factory, the system dynamically masks the sensitive data to protect the sensitive data from being disclosed.

    *Data Connection

    If no data connection is available, create one by referring to Creating a Data Connection.

    *Cluster Name

    You do not need to set this parameter. The data source cluster in the data connection is automatically selected.

    *Database

    Database where the sensitive data is stored

    *schema

    Schema where the sensitive data is stored

    *Data Table

    Data table where the sensitive data is stored

    *Data Column

    Select one or more columns to be masked and select a proper masking rule for each column based on the data type. Supported data masking rules vary depending on the data type of each data source. For details, see Reference: Dynamic Masking Rules.

    If sensitive data discovery has been performed on the selected columns and the statuses of the sensitive data fields are valid, the data security levels and classifications are displayed in the Data Column area.

  4. After setting all required parameters, click OK. After the dynamic masking policy is created, you need to click Synchronize to synchronize the policy to the data source.

Related Operations

  • Synchronizing a policy: On the Dynamic Masking page, locate a policy and click Synchronize in the Operation column to synchronize the policy to the data source. To synchronize multiple policies, select them and click Synchronize above the list.

    Policies take effect only after they are synchronized successfully. If the policy synchronization fails, you can view the policy run log in the policy details to locate the failure cause. After rectifying the fault, synchronize the policy again. If the synchronization still fails, contact technical support.

  • Editing a policy: On the Dynamic Masking page, locate a policy and click Edit in the Operation column.
  • Deleting policies: On the Dynamic Masking page, locate a policy and click Delete in the Operation column. In the displayed dialog box, confirm the policy to delete and click Yes. To delete multiple policies, select them and click Delete above the list.

    Deleted dynamic masking policies are moved to the recycle bin. You can restore them within 30 days. After 30 days, they will be deleted permanently. For details, see Managing the Recycle Bin.

  • Viewing policy details: On the Dynamic Masking page, locate a policy and click its name to view its details. You can also filter policies by Sync Status.
    Figure 4 Viewing policy details

Reference: Dynamic Masking Rules

  • MRS Hive dynamic masking rules are provided by MRS Ranger. Table 2 lists the supported rules.

    The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.

  • GaussDB(DWS) dynamic masking rules are provided by GaussDB(DWS). Table 3 lists the supported rules.
Table 2 MRS dynamic masking rules

Data Type

Masking Rule

Mask Letters and Digits

Show Only the Last Four Characters

Show Only the First Four Characters

Replace a Value with Its Hash Value

Mask the Month and Date

Replace a Value with Null

SM3

Custom/Show First x and Last y Characters

Custom/Mask First x and Last y Characters

TINYINT

The number of characters remains unchanged. All values are replaced with 1.

No change. The maximum value is 127.

No change. The minimum value is –128.

The value changes to null.

The number of characters remains unchanged. All values are replaced with 1.

The value changes to null.

Not supported

Not supported

Not supported

SMALLINT

The number of characters remains unchanged. All values are replaced with 1.

No change. The maximum value is 12767.

No change. The maximum value is –32768.

The value changes to null.

The number of characters remains unchanged. All values are replaced with 1.

The value changes to null.

Not supported

Not supported

Not supported

INT

The number of characters remains unchanged. All values are replaced with 1.

The last four characters are shown.

The first four characters are shown.

The value changes to null.

The number of characters remains unchanged. All values are replaced with 1.

The value changes to null.

Not supported

Not supported

Not supported

BIGINT

The number of characters remains unchanged. All values are replaced with 1.

The last four characters are shown.

The first four characters are shown.

The value changes to null.

The number of characters remains unchanged. All values are replaced with 1.

The value changes to null.

Not supported

Not supported

Not supported

BOOLEAN

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

Not supported

Not supported

Not supported

FLOAT

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

Not supported

Not supported

Not supported

DOUBLE

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

Not supported

Not supported

Not supported

STRING

Letters change to x, and digits change to n.

Chinese characters remain unchanged, and letters change to X.

Letters change to X.

The value changes to its hash value of 64 bytes.

Chinese characters remain unchanged with each character occupying one digit, and letters change to X.

The value changes to null.

Encryption using the SM3 algorithm

Shows the first x characters and the last y characters.

Hides the first x characters and the last y characters.

TIMESTAMP

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

The value changes to null.

Not supported

Not supported

Not supported

CHAR

Letters change to x, and digits change to n.

Letters and digits change to X, and the last four characters are retained (a fixed length with spaces).

Letters and digits change to X, and the first four characters are retained (a fixed length with spaces).

The value changes to its hash value of 64 bytes.

Chinese characters remain unchanged with each character occupying one digit, and letters change to X.

The value changes to null.

Encryption using the SM3 algorithm

Shows the first x characters and the last y characters.

Hides the first x characters and the last y characters.

VARCHAR

Letters change to x, and digits change to n.

The last four characters are retained (Chinese characters remain unchanged with each character occupying one digit), and letters change to X.

The first four characters are retained (Chinese characters remain unchanged with each character occupying one digit), and letters change to X.

The value changes to its hash value of 64 bytes.

Chinese characters remain unchanged with each character occupying one digit, and letters change to X.

The value changes to null.

Encryption using the SM3 algorithm

Shows the first x characters and the last y characters.

Hides the first x characters and the last y characters.

DATE

The date changes to 0001-01-01.

The date changes to 0001-01-01.

The date changes to 0001-01-01.

The value changes to null.

The year is retained, and other values change to 01.

The value changes to null.

Not supported

Not supported

Not supported
Table 3 GaussDB(DWS) dynamic masking rules

Data Type

Masking Rule

Replace All Characters with Asterisks (*)

Retain Last Four Characters and Replace Others with Asterisks (*)

Retain First Two Characters and Replace Others with Asterisks (*)

Custom

Character

bpchar, varchar, text, inet, macaddr, uuid, char, txt

All characters are replaced by null.

The last four characters are retained, and the other characters are replaced with asterisks (*).

The first two characters are retained, and the other characters are replaced with asterisks (*).

The start and end positions, as well as masking characters are customized.

Value

numeric, int2, int8, money, float8, float4, interval, decimal, double precision, real, integer, smallint, bigint

All characters are replaced by 0.

Not supported

Not supported

The start and end positions, as well as masking characters are customized.

Time

timestamp, time, timetz, timestamptz, date, time without time zone, timestamp without time zone, time without time zone, timestamp without time zone

All characters are replaced by a fixed value.

Not supported

Not supported

The year, month, or day can be masked as needed.

Other

All characters are replaced by a fixed value.

Not supported

Not supported

Not supported

Reference: Configuring UDF-related Permissions in the Ranger Component

If you choose the SM3, Custom/Show First x and Last y Characters, or Custom/Mask First x and Last y Characters masking rule when configuring a dynamic masking policy for MRS Hive data, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. The procedure is as follows:

  1. Log in to MRS Manager as user admin.
  2. On the Manager page, choose Cluster > Services > Ranger. On the Ranger overview page, click RangerAdmin to go to the Ranger WebUI.

    Figure 5 Accessing the Ranger WebUI

  3. Log out of the current account and use the Ranger administrator account to log in again. For a common cluster, the admin account for the Manager page can be used as the Ranger administrator account. For a security cluster, rangeradmin is the Ranger administrator account. For details about the default password of rangeradmin, see User Account List.

    Figure 6 Logging out of the current account

  4. On the home page, click the component plug-in name in the HADOOP SQL area, for example, Hive.
  5. On the Access tab page, click Add New Policy.

    Figure 7 Policy list

  6. On the Create Policy page, configure the policy parameters to grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users.

    • Policy Name: Enter a policy name, for example, creat_udf_access.
    • database: Select default. The created UDF is stored in the default database by default.
    • udf: Select * to match all UDFs.
    • Permission 1 – UDF creation permission for the account in the Ranger data connection:
      • Select User: Select the account in the Ranger data connection.
      • Permissions: Select Create, which indicates the UDF creation permission.
    • Permission 2 – UDF usage permission for all users:
      • Select Group: Select public, which indicates all users.
      • Permissions: Select select, which indicates the UDF usage permission.
      Figure 8 Creating a policy

  7. Click add to finish configuring the permissions.
Parent topic: Dynamic Masking Tasks