Applies to: Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics (dedicated SQL pools only) SQL database in Fabric
Azure SQL Database, SQL database in Microsoft Fabric, Azure SQL Managed Instance, and Azure Synapse Analytics support dynamic data masking (DDM). Dynamic data masking limits sensitive data exposure by masking it to nonprivileged users.
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database isn't changed.
For example, a service representative at a call center might identify a caller by confirming several characters of their email address, but the complete email address shouldn't be revealed to the service representative. A masking rule can be defined that masks all the email address in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.
Dynamic data masking basicsFor Azure SQL Database, you set up a dynamic data masking policy in the Azure portal by selecting the Dynamic Data Masking pane under Security in your SQL Database configuration pane.
This feature can't be set using the Azure portal for SQL Managed Instance or SQL database in Fabric. Instead, use T-SQL, as in the Dynamic Data Masking example in this article. For more information, see Dynamic Data Masking.
Dynamic data masking policy* Use XXXX (or fewer) if the size of the field is fewer than 4 characters for string data types (nchar, ntext, nvarchar).
1900-01-01 for date/time data types (date, datetime2, datetime, datetimeoffset, smalldatetime, time).
<masked /> is used.
XXXX-XXXX-XXXX-1234
aXX@XXXX.com
Custom text Masking method, which exposes the first and last characters and adds a custom padding string in the middle. If the original string is shorter than the exposed prefix and suffix, only the padding string is used.
prefix[padding]suffix
The DDM recommendations engine flags certain fields from your database as potentially sensitive fields, which might be good candidates for masking. In the Dynamic Data Masking pane in the portal, you see the recommended columns for your database. Select Add Mask for one or more columns, then select the appropriate masking function and select Save, to apply mask for these fields.
Manage dynamic data masking using T-SQLYou can use the REST API to programmatically manage data masking policy and rules. The published REST API supports the following operations:
Data masking policiesThese are the built-in roles to configure dynamic data masking is:
These are the required actions to use dynamic data masking:
Read/Write:
Microsoft.Sql/servers/databases/dataMaskingPolicies/*Read:
Microsoft.Sql/servers/databases/dataMaskingPolicies/readWrite:
Microsoft.Sql/servers/databases/dataMaskingPolicies/writeTo learn more about permissions when using dynamic data masking with T-SQL command, see Permissions.
Granular permission examplePrevent unauthorized access to sensitive data and gain control by masking it to an unauthorized user at different levels of the database. You can grant or revoke UNMASK permissions at the database-level, schema-level, table-level or at the column-level to any database user or role. Combined with Microsoft Entra authentication, UNMASK permissions can be managed for users, groups, and applications maintained within your Azure environment. The UNMASK permission provides a granular way to control and limit unauthorized access to data stored in the database and improve data security management.
Create schema to contain user tables:
CREATE SCHEMA Data;
GO
Create table with masked columns:
CREATE TABLE Data.Membership (
MemberID INT IDENTITY(1, 1) NOT NULL,
FirstName VARCHAR(100) MASKED WITH (FUNCTION = 'partial(1, "xxxxx", 1)') NULL,
LastName VARCHAR(100) NOT NULL,
Phone VARCHAR(12) MASKED WITH (FUNCTION = 'default()') NULL,
Email VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
DiscountCode SMALLINT MASKED WITH (FUNCTION = 'random(1, 100)') NULL,
BirthDay DATETIME MASKED WITH (FUNCTION = 'default()') NULL
);
Insert sample data:
INSERT INTO Data.Membership (FirstName, LastName, Phone, Email, DiscountCode, BirthDay)
VALUES
('Roberto', 'Tamburello', '555.123.4567', 'RTamburello@contoso.com', 10, '1985-01-25 03:25:05'),
('Janice', 'Galvin', '555.123.4568', 'JGalvin@contoso.com.co', 5, '1990-05-14 11:30:00'),
('Shakti', 'Menon', '555.123.4570', 'SMenon@contoso.net', 50, '2004-02-29 14:20:10'),
('Zheng', 'Mu', '555.123.4569', 'ZMu@contoso.net', 40, '1990-03-01 06:00:00');
Create schema to contain service tables:
CREATE SCHEMA Service;
GO
Create service table with masked columns:
CREATE TABLE Service.Feedback (
MemberID INT IDENTITY(1, 1) NOT NULL,
Feedback VARCHAR(100) MASKED WITH (FUNCTION = 'default()') NULL,
Rating INT MASKED WITH (FUNCTION = 'default()'),
Received_On DATETIME
);
Insert sample data:
INSERT INTO Service.Feedback (Feedback, Rating, Received_On)
VALUES
('Good', 4, '2022-01-25 11:25:05'),
('Excellent', 5, '2021-12-22 08:10:07'),
('Average', 3, '2021-09-15 09:00:00');
Create different users in the database:
CREATE USER ServiceAttendant WITHOUT LOGIN;
GO
CREATE USER ServiceLead WITHOUT LOGIN;
GO
CREATE USER ServiceManager WITHOUT LOGIN;
GO
CREATE USER ServiceHead WITHOUT LOGIN;
GO
Grant read permissions to the users in the database:
ALTER ROLE db_datareader ADD MEMBER ServiceAttendant;
ALTER ROLE db_datareader ADD MEMBER ServiceLead;
ALTER ROLE db_datareader ADD MEMBER ServiceManager;
ALTER ROLE db_datareader ADD MEMBER ServiceHead;
Grant different UNMASK permissions to users:
--Grant column level UNMASK permission to ServiceAttendant
GRANT UNMASK ON Data.Membership(FirstName) TO ServiceAttendant;
-- Grant table level UNMASK permission to ServiceLead
GRANT UNMASK ON Data.Membership TO ServiceLead;
-- Grant schema level UNMASK permission to ServiceManager
GRANT UNMASK ON SCHEMA::Data TO ServiceManager;
GRANT UNMASK ON SCHEMA::Service TO ServiceManager;
--Grant database level UNMASK permission to ServiceHead;
GRANT UNMASK TO ServiceHead;
Query the data under the context of user ServiceAttendant:
EXECUTE AS USER = 'ServiceAttendant';
SELECT MemberID, FirstName, LastName, Phone, Email, BirthDay
FROM Data.Membership;
SELECT MemberID, Feedback, Rating
FROM Service.Feedback;
REVERT;
Query the data under the context of user ServiceLead:
EXECUTE AS USER = 'ServiceLead';
SELECT MemberID, FirstName, LastName, Phone, Email, BirthDay
FROM Data.Membership;
SELECT MemberID, Feedback, Rating
FROM Service.Feedback;
REVERT;
Query the data under the context of user ServiceManager:
EXECUTE AS USER = 'ServiceManager';
SELECT MemberID, FirstName, LastName, Phone, Email, BirthDay
FROM Data.Membership;
SELECT MemberID, Feedback, Rating
FROM Service.Feedback;
REVERT;
Query the data under the context of user ServiceHead
EXECUTE AS USER = 'ServiceHead';
SELECT MemberID, FirstName, LastName, Phone, Email, BirthDay
FROM Data.Membership;
SELECT MemberID, Feedback, Rating
FROM Service.Feedback;
REVERT;
To revoke UNMASK permissions, use the following T-SQL statements:
REVOKE UNMASK ON Data.Membership(FirstName) FROM ServiceAttendant;
REVOKE UNMASK ON Data.Membership FROM ServiceLead;
REVOKE UNMASK ON SCHEMA::Data FROM ServiceManager;
REVOKE UNMASK ON SCHEMA::Service FROM ServiceManager;
REVOKE UNMASK FROM ServiceHead;
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4