Dynamic Data Masking (DDM) in SQL Server is a feature that helps protect sensitive data by masking it from unauthorized users. While the actual data remains unchanged in the database, users without the necessary permissions see masked versions of the data when they query it. Here is my previous blog post on this topic. This blog post is a simplified version of the previous one.
Implementing Default Masking
Let’s walk through a simple example to demonstrate how to apply default masking to a column, insert data, retrieve the masked data, and then grant permission to view the unmasked data.
Create a Sample Table
First, create a table named Employees with columns for EmployeeID, FullName, and PhoneNumber. In this table, the PhoneNumber column will have a default masking function applied.
CREATE TABLE Employees (
    EmployeeID INT IDENTITY(1,1) PRIMARY KEY,
    FullName NVARCHAR(100),
    PhoneNumber NVARCHAR(15) MASKED WITH (FUNCTION = 'default()')
);
Insert Sample Data
Next, insert some sample data into the Employees table:
INSERT INTO Employees (FullName, PhoneNumber)
VALUES ('Alice Johnson', '555-1234'),
       ('Bob Smith', '555-5678');
Retrieve Data as a Non-Privileged User
To see the effect of the masking, create a user without special permissions and grant them SELECT access to the Employees table:
CREATE USER TestUser WITHOUT LOGIN;
GRANT SELECT ON Employees TO TestUser;
Now, execute a SELECT query as TestUser to retrieve the data:
EXECUTE AS USER = 'TestUser';
SELECT * FROM Employees;
REVERT;
The output will display the PhoneNumber column with masked data, such as ‘XXXX’.
Grant UNMASK Permission
To allow TestUser to view the unmasked data, grant them the UNMASK permission:
GRANT UNMASK TO TestUser;
Now, when TestUser executes the SELECT query again, the actual phone numbers will be visible:
EXECUTE AS USER = 'TestUser';
SELECT * FROM Employees;
REVERT;
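An added example (not from the original post) for reviewing what the GRANT above leaves behind: it inventories masked columns, lists explicit UNMASK grants, revokes the database-wide grant, and confirms masking is back. It assumes the Employees table and TestUser from this walkthrough still exist; the column-scoped GRANT at the end requires SQL Server 2022 or later.

```sql
-- 1. Inventory: which columns are masked, and with which function?
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS SchemaName,
       OBJECT_NAME(mc.object_id)        AS TableName,
       mc.name                          AS ColumnName,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- 2. Audit: who holds an explicit UNMASK permission, and at what scope?
--    Explicit grants only: db_owner members and principals with CONTROL
--    on the database also see unmasked data and will not appear here.
SELECT pr.name       AS Grantee,
       pr.type_desc  AS PrincipalType,
       pe.state_desc AS PermissionState,
       pe.class_desc AS Scope,
       CASE pe.class
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
       END           AS SecurableName,
       CASE WHEN pe.class = 1 AND pe.minor_id > 0
            THEN COL_NAME(pe.major_id, pe.minor_id)
       END           AS ColumnName
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';

-- 3. GRANT UNMASK TO TestUser applies to every masked column in the
--    database. Revoke it and confirm the mask is enforced again.
REVOKE UNMASK FROM TestUser;

EXECUTE AS USER = 'TestUser';
SELECT * FROM Employees;   -- PhoneNumber is masked again
REVERT;

-- 4. SQL Server 2022 and later only: scope UNMASK to the one column
--    the user actually needs instead of the whole database.
GRANT UNMASK ON Employees(PhoneNumber) TO TestUser;
```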
Clean Up
Once you’ve tested the masking feature, remove the Employees table and TestUser to clean up the database:
DROP TABLE Employees;
DROP USER TestUser;
This example demonstrates how Dynamic Data Masking can be used to protect sensitive information in SQL Server, allowing only authorized users to view the actual data.
Reference: Pinal Dave (https://blog.sqlauthority.com)
First appeared on SQL SERVER – Dynamic Data Masking (DDM) Introduction