VOOZH about

URL: https://dev.to/michaelfv/dynamic-data-masking-in-gbase-8a-how-it-works-and-how-to-use-it-4mnj

⇱ Dynamic Data Masking in GBase 8a: How It Works and How to Use It - DEV Community

GBase 8a MPP Cluster implements dynamic data masking — the original data never changes on disk. Instead, the database applies masking rules in real time during queries, based on the user's permissions. This post explains the three‑part mechanism: column attributes, built‑in masking functions, and the UNMASK privilege.

How Dynamic Masking Works

1. Define Masked Columns

Use the MASKED WITH clause in DDL to attach a masking function to a column:

CREATE TABLE customer (
 id INT,
 name VARCHAR(100) MASKED WITH (FUNCTION = 'default()'),
 phone VARCHAR(20) MASKED WITH (FUNCTION = 'partial(\"***\", 3, 4)'),
 email VARCHAR(50) MASKED WITH (FUNCTION = 'keymask(\"@\", \"****\", 0)')
);

You can also add masking to an existing column with ALTER TABLE ... MODIFY COLUMN.

2. Five Built‑in Masking Functions

Function Data Type Example (Original → Masked)
default() Any 'Brad Stevens''XXXX'
random(start, end) Numeric 42 → random value in range
partial(prefix, padding, suffix) String 'Hello' (keeps first and last char, fills rest)
sha() String 'Hello' → SHA hash
keymask(substr, padding, pos) String 'gbase@gbase.cn''****@gbase.cn'

3. The UNMASK Privilege — Who Sees What

  • Without UNMASK: the user sees the masked result.
  • With UNMASK: the user sees the original value. 
GRANT UNMASK ON db_name.table_name TO user_name@'host';
REVOKE UNMASK ON db_name.table_name FROM user_name@'host';

Dynamic vs. Static Masking

Feature GBase 8a Dynamic Static Masking
Storage Original data untouched Data permanently replaced
When it happens Query time ETL / offline batch
Flexibility High — different views per user Low — same masked view for all
Primary use Production real‑time compliance Test / dev data provisioning
Built‑in support Yes, via DDL and privileges Requires external ETL tools

Because the underlying columnar storage never changes, dynamic masking in a gbase database keeps your analytical workloads fast while meeting security requirements. It's a native, low‑overhead way to protect sensitive data in GBASE's MPP platform.

If you're working with a gbase database in production, consider enabling dynamic masking on PII columns — your compliance team will thank you.