Data Masking in SQL Server - How to Hide Data in a Specific Column

28. 1. 2024
Ing. Jan Zedníček - Data Engineer & Controlling
SQL Administration
0

Table of contents

2. Masking and Unmasking a Column – MASKED WITH

3. Assigning and Revoking UNMASK Permissions – GRANT/REVOKE UNMASK

Data masking is a feature that allows you to completely or partially mask selected data in a database. Access to unmask the data can also be granted or revoked for individual users. Data masking and anonymization have become increasingly important topics, especially with the introduction of GDPR regulations by the European Commission, which require greater attention to the protection of personal data.

This feature is available in SQL Server versions 2016 and newer and now I’ll provide a more detailed overview of this feature.

How Does Data Masking Work?

Masking in SQL Server is relatively straightforward. Unlike row-level security, which controls access permissions at the individual row level in a table, data masking focuses on entire columns. To mask a specific column, you use a masking function, and you can also allow unmasking of data for specific users. The basic process involves:

Identifying the columns in various tables that you want to mask
Applying masking to those columns. You have four masking options to choose from:
- default – the attribute value is displayed as “XXX”
- email – email addresses are displayed as GXXXXX@XXX.com
- partial – you specify the number and position of characters to be masked
- random – used to mask numeric values by selecting a random numeric value within a specified range
If you need to unmask data for certain users, you grant UNMASK permissions

Privileged users (sysadmins, db_owners) always see unmasked data. Masked data can be used for all operations as before, including filtering, etc.

Masking and Unmasking a Column – MASKED WITH

To mask a specific attribute, you can use the following SQL script. Data in the specified column will then be displayed as “XXX”.

ALTER TABLE Employees
ALTER COLUMN Last_Name VARCHAR(255) MASKED WITH (FUNCTION = ‘default()’);

To unmask a column, you can use the following SQL script:

ALTER TABLE Employees
ALTER COLUMN Last_Name VARCHAR(255) DROP MASKED;

Assigning and Revoking UNMASK Permissions – GRANT/REVOKE UNMASK

To allow a user or role to see unmasked data, you can use the following command:

GRANT UNMASK TO <user>;

To revoke these permissions, you can use the following command:

REVOKE UNMASK TO <user>;

Permissions are granted or revoked at the database level. You cannot choose specific objects or columns for which you want to control permissions. Therefore, data is either masked or unmasked for a specific user for all objects in the database.
If you need to handle data visibility at the individual column level, you must use traditional access control, specifically Column level permissions – for more details, refer to this link.

Rate this post

Ing. Jan Zedníček - Data Engineer & Controlling

My name is Jan Zedníček and I have been working as a freelancer for many companies for more than 10 years. I used to work as a financial controller, analyst and manager at many different companies in field of banking and manufacturing. When I am not at work, I like playing volleyball, chess, doing a workout in the gym.

🔥 If you found this article helpful, please share it or mention me on your website

Leave a Reply Cancel reply

ETL | Mage.ai – Charts, Analysis, Testing, Overview, Cleansing
In this guide, we will take a look at the features that Mage.ai offers for data analysis. While this tool is primarily used for ETL pipelines, it […]
ETL | Mage.ai – Database configuration in io_config.yaml and secrets (passwords)
In this guide, we will take a look at how to configure the io_config.yaml file in Mage.ai. We will also explore how to hide and encrypt access […]
Mage.ai | Error UnicodeDecodeError: ‘charmap’ codec – Windows
This article will be related to troubleshooting. Today, I managed somehow to write a comment that caused the entire Mage.ai instance to crash due to […]
ETL | Mage.ai – Dbt Installation (pip/conda) and project initialization
In the previous article – ETL | Mage.ai – Solid Alternative to Airflow – Intro and Installation we introduced the ETL tool Mage.ai […]
ETL | Mage.ai Pipeline – data flow – Python, SQL Server
In a recent article dedicated to introducing Mage.ai – a tool for creating and managing ETL processes, I promised at the end that we would try […]
Bulk Copy Program (BCP) Utility – Fast Bulk Import and Export in SQL Server
BCP is a utility that is installed by default with SQL Server editions and is used for bulk import or export of a large volume of data in […]
SQL Server Table and Index Compression (Data Compression), Pros/Cons
Table and index compression is a functionality that has been available in various SQL Server editions for a while. It has been available in all […]
SSRS – Handling multiple value parameter/filters in reporting services
In the past, I have written several tutorials on reporting services (you can find them in the reporting services – SSRS category). I have gone […]
Data Masking in SQL Server – How to Hide Data in a Specific Column
Data masking is a feature that allows you to completely or partially mask selected data in a database. Access to unmask the data can also be granted […]
SSRS | How to Create an Amortization Calculator in SQL Server – Including a Report with Parameters
Lately, I’ve been dedicating a lot of time to financial mathematics in Excel. I’ll try to leverage that and shift the focus from Excel to […]

Resources: Power BI News and Blogs a BI Blogs and Magazines – SQL Server, Excel, Reporting

Full vs. Incremental Loads – Data Engineering with Fabric
by John Miner on 17. 4. 2024 at 0:00
Learn how to perform full and incremental loads in Fabric with a little SparkSQL. The post Full vs. Incremental Loads – Data Engineering with […]
Get the most out of SQL Server Agent logs
by Additional Articles on 17. 4. 2024 at 0:00
If you haven’t migrated your workloads to a managed database platform yet, you’re probably still relying on SQL Server Agent for various […]
On-premises data gateway April 2024 release
on 16. 4. 2024 at 16:00
We are excited to announce the April 2024 release of the on-premises data gateway!
Copilot in Power BI: Soon available to more users in your organization
on 16. 4. 2024 at 8:00
We have some exciting announcements to share regarding Copilot in Microsoft Fabric. The information in this blog post has also been shared with […]
SQL Performance Tuning tips for newbies
by Esat Erkec on 15. 4. 2024 at 12:12
The purpose of this article is to give newbies some basic advice about SQL performance tuning that helps to improve their query tuning skills in SQL […]
Finding Sister Locations to Help Each Other: Answers & Discussion
by Additional Articles on 15. 4. 2024 at 0:00
This week’s query exercise asked you to find two kinds of locations in the Stack Overflow database. The post Finding Sister Locations to Help Each […]
Disaster Recovery and High Availability Solutions in SQL Server
by Smit Dagli on 15. 4. 2024 at 0:00
Learn about disaster recovery and high availability options in SQL Server with details on the tradeoffs you make when choosing from Availability […]