Version: v4.11

Custom masking

Cyral's built-in masking functions, including mask, null_mask, and constant_mask, are well suited to most use cases. However, there may be situations where your dataset requires more specific masking logic. Cyral's custom masking feature lets you create tailored masking behaviors so that data is protected according to your own requirements. This page explains how to use custom masking to get the masking outcome you need.

Custom masking works by integrating a user-defined function (UDF) as the masking engine in Cyral. The contents of the field to be masked are replaced with the value returned by the UDF, which gives a more flexible and tailored approach to data masking. Details on writing UDFs and installing them are available in the Cyral Masking Quickstart.

Add a custom masking rule in your policy

Similar to the built-in masking types, custom masks can be directly referenced in Global Policies. For instance, a database field mapped to the data label CCN can be associated with a custom masking type using the following policy example:

data:
  - CCN
rules:
  - reads:
      - data:
          - custom:mask_ccn(CCN)
        rows: any
        severity: low

Syntax detail:

  • custom:: prefix identifier for a custom masking rule.
  • mask_ccn: masking UDF name.
  • Arguments:

Once the above policy is included in the Management Console, and the required data mapping between the CCN label and the desired database column is also created, user queries could be masked, protecting the contents of the original data.

Example

  • SQL database with the column bank_card in the table finance.customers.
  • Hypothetical implementation of the mask_ccn UDF, which replaces the first 12 digits with *.

Before creating the policy and enabling data masking in the Management Console, user queries should return all unmasked data:

# select bank_card from customers;
bank_card
---------------------
4444-3333-2222-1111
4484-6000-0000-0004
4035-5010-0000-0008

Once the policy is in place and data masking is enabled, users should receive masked data for the same query:

# select bank_card from customers;
bank_card
---------------------
****-****-****-1111
****-****-****-0004
****-****-****-0008
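
One way the hypothetical mask_ccn UDF from this example could be written, as an added sketch that is not Cyral's or the quickstart repository's code. It assumes PostgreSQL (PL/pgSQL), a single text argument and a text return value; the choice to mask everything when the input does not contain exactly 16 digits is also an assumption of this example.

```sql
-- Added example, PostgreSQL dialect (assumption). Not Cyral's own code.
CREATE OR REPLACE FUNCTION mask_ccn(ccn text)
RETURNS text
LANGUAGE plpgsql
IMMUTABLE
AS $$
DECLARE
    seen   int  := 0;   -- digits consumed so far
    ch     text;
    result text := '';
BEGIN
    IF ccn IS NULL THEN
        RETURN NULL;
    END IF;

    -- Fail closed: a value that does not carry exactly 16 digits is not a
    -- card number in the expected shape, so nothing is revealed.
    IF length(regexp_replace(ccn, '[^0-9]', '', 'g')) <> 16 THEN
        RETURN repeat('*', length(ccn));
    END IF;

    -- Walk the value, masking the first 12 digits and keeping separators.
    FOR i IN 1..length(ccn) LOOP
        ch := substr(ccn, i, 1);
        IF ch ~ '^[0-9]$' THEN
            seen := seen + 1;
            IF seen <= 12 THEN
                ch := '*';
            END IF;
        END IF;
        result := result || ch;
    END LOOP;

    RETURN result;
END;
$$;

-- Constructed sample inputs: the page's format, no separators, spaces,
-- a truncated value, and NULL.
SELECT input, mask_ccn(input) AS masked
FROM (VALUES
    ('4444-3333-2222-1111'),
    ('4444333322221111'),
    ('4444 3333 2222 1111'),
    ('4444-3333'),
    (NULL)
) AS t(input);
```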

For more information on how to create UDFs for custom masking, and how to install and import them into your policies, please refer to our public repository on GitHub: https://github.com/cyral-quickstart/quickstart-datarepo-masking.