Scenario 4: Typical Dynamic Data Masking Configuration
Dynamic Data Masking Flowchart
With database encryption and access control, you can configure dynamic masking policies to mask plaintext data in database assets. Figure 1 shows the dynamic masking process.
- Add a data source.
Before using the data masking function, you need to add data assets to the system. For details, see Adding Data Assets.
- (Optional) Configure the industry template and sensitive data type.
The system has built-in sensitive data types and common industry templates that meet most requirements. If you have special requirements, you can also customize sensitive data types and industry templates. For details, see Adding an Industry Template and Adding a User-Defined Data Type.
- Perform sensitive data discovery.
A sensitive data discovery task automatically scans and identifies sensitive data in data assets. For details, see Scanning Sensitive Data in Assets.
- (Optional) View the task execution result.
You can view the matched sensitive data in task execution results. For details, see Viewing the Execution Result of a Scan Task.
- Create a data masking rule.
You can create an encryption task based on sensitive data information in the result of a sensitive data discovery task. For details, see Creating a Masking Rule in the Result.
You can also directly create masking rules in the dynamic masking module. For details, see Creating a Data Masking Rule.
- (Optional) Configure a masking allowlist.
After a masking rule is configured and enabled, when you access the plaintext data in the database, you can only view the masking results of data by default. Users in the allowlist can view plaintext data when accessing the database. For details, see Configuring a Data Masking Allowlist.
- After the configuration is complete, you can use a proxy to access the masking rule to verify the configuration effect.
Typical Dynamic Masking Configuration
Database encryption and access control support dynamic masking of sensitive plaintext data in the database. This example shows how to dynamically mask plaintext data in the database.
Step 1: Adding a Data Source
Add a database on the Assets Management page.
- Log in to the web console of the instance as user sysadmin.
- In the navigation pane, choose Assets Management > Data Source Management.
- Click Add Data Source in the upper right corner.
- In the Add Data Source dialog box, configure asset information.
Host information and log information are optional. The SSH service must be enabled on the database server.
Figure 2 Adding a data source - After the configuration is complete, click Test Database Connection to check whether the database can be connected.
- Click Test Account Permission to check whether the database account permission meets the encryption requirements.
- Click Save.
Step 2: Executing a Sensitive Data Discovery Task
- Log in to the web console of the instance as user sysadmin.
- In the navigation tree on the left, choose Sensitive Data Discovery > Sensitive Data Scanning.
- Find the target data asset and click Task Configuration.
- In the Task Configuration dialog box, set a sensitive data discovery task.
Figure 3 Configuring a sensitive data discovery task
- Click Save.
- Find the target data asset and click
to execute the sensitive data discovery task.
After the execution starts, the system automatically scans and identifies sensitive data. The scan duration depends on the amount of data to be scanned. The larger the amount of data, the longer the scan duration. You can view the scan progress on the page.
Step 3: Creating a Masking Rule in the Discovery Result
- Log in to the web console of the instance as user sysadmin.
- In the navigation tree on the left, choose Sensitive Data Discovery > Sensitive Data Scanning.
- On the scan task list page, locate the target data asset and click View.
- On the scan result page, locate the target database table and click Add Masking Rule.
- In the Add Masking Rule dialog box, configure the masking information.
Figure 4 Adding a masking rule
- Configure the rule name and select the masking algorithm corresponding to the data type from the masking list.
- Click Save.
The masking rule is automatically enabled after being saved. If plaintext data is queried during database access, the masking results of the data will be retrieved. In this case, you can configure a masking allowlist. If data matching the allowlist will not be masked.
Step 4: Configuring the Masking Allowlist
- Log in to the web console of the instance as user sysadmin.
- In the navigation pane on the left, choose Dynamic Data Mask > Data Masking Policy.
- In the data source list, click a data source.
- Locate the masking rule list of the target data source and click Allowlist Rule.
- On the allowlist page, click Add Allowlist.
- In the Add Allowlist dialog box, set the allowlist range and click Save.
Figure 5 Adding an allowlist
The allowlist parameters include the database username, IP address range, start time, and end time. The relationship between the parameters is AND. If multiple parameters are configured, the allowlist takes effect only when all the parameters are matched.
Step 5: Connecting to the Database Through a Proxy

The DBeaver tool is used as an example. In practice, you need to modify the information about the connection between the application system and the database.
This section uses the DBeaver tool as an example to describe how to connect to the database through a proxy.

- Click
.
- In the Select your database dialog box, select MySQL.
- Click Next.
- In the Connection Settings dialog box, configure the connection information.
The connection information is described as follows:
- Address: IP address of database encryption and access control Example: 192.xx.xx.54
- Port: Use the proxy port, that is, the proxy port (14099) set during asset creation.
- Click Test Connection to check whether the database can be connected.
- After the test is passed, click Next and perform operations as prompted.
Step 6: Verifying the Masking Result
Connect to the database by referring to Step 5 (Connecting to the Database Through a Proxy) and check whether the masking rule and masking allowlist are successfully configured.
- If the IP address of a user is 172.16.215.108 (not in the masking allowlist) and the user accesses the database through a proxy, only the masking results of data will be displayed.
Figure 7 Masked data
- If the IP address of a user is 172.16.215.107 (in the masking allowlist) and the user accesses the database through a proxy, the plaintext data will be displayed.
Figure 8 Plaintext data
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot