Dynamic Data Mask Enforcement Rules
Explains how data masks are enforced.
Dynamic data masks are enforced on all JSON table columns that have a data mask set. Data returned to the user has the masks applied unless the user has unmaskedreadperm permission for the table, either at a resource level or security-policy level. For users with unmaskedreadperm permission, data is returned in clear text and not masked.
If the unmaskedreadperm permission is set at multiple locations – for example, both at the resource level and in a security policy – the ACE evaluation is the AND of all the unmaskedreadperm permissions. Since the unmaskedreadperm permission is a special case of the more general read permission, read permission for that column must be allowed for the user before evaluating for the unmaskedreadperm permission.
Additional Enforcement Considerations
- Certain dynamic data masks are applicable to only a subset of available JSON data types. For example, the pre-defined mrddm_last4 dynamic data mask applies only to String and Array data types. The concept of a "column" or "field" in a JSON table is fluid, and it is possible that a certain column may sometimes contain a String data type and sometimes contain other data types, e.g. Boolean. All attempts to enforce DDM rules on invalid data types will be logged and the data will not be masked. It is the application's responsibility to ensure that the DB columns contain the correct data types when dynamic data masks are applied.
- All dynamic data mask configurations are enforced on users with readperm access permission for that DB column family but not unmaskedreadperm permission. For users with both readperm and unmaskedreadperm permission for that DB column family, data is returned in cleartext as-is. Both the readperm and unmaskedreadperm permissions are required to return data in masked format.
- If a column is tagged with a custom data mask that no longer exists when the data is accessed, the data will be returned in cleartext as-is and the event audited. It is your responsibility to ensure that all dynamic data masks that are set on JSON table columns are not deleted.