DEV Community

Michael
Michael

Posted on • Originally published at gbase.cn

Dynamic Data Masking in GBase 8a: How It Works and How to Use It

#gbase #database #数据库 #datamasking

GBase 8a MPP Cluster implements dynamic data masking — the original data never changes on disk. Instead, the database applies masking rules in real time during queries, based on the user's permissions. This post explains the three‑part mechanism: column attributes, built‑in masking functions, and the UNMASK privilege.

How Dynamic Masking Works

1. Define Masked Columns

Use the MASKED WITH clause in DDL to attach a masking function to a column:

CREATE TABLE customer (
    id INT,
    name VARCHAR(100) MASKED WITH (FUNCTION = 'default()'),
    phone VARCHAR(20) MASKED WITH (FUNCTION = 'partial(\"***\", 3, 4)'),
    email VARCHAR(50) MASKED WITH (FUNCTION = 'keymask(\"@\", \"****\", 0)')
);
Enter fullscreen mode Exit fullscreen mode

You can also add masking to an existing column with ALTER TABLE ... MODIFY COLUMN.

2. Five Built‑in Masking Functions

Function Data Type Example (Original → Masked)
default() Any 'Brad Stevens''XXXX'
random(start, end) Numeric 42 → random value in range
partial(prefix, padding, suffix) String 'Hello' (keeps first and last char, fills rest)
sha() String 'Hello' → SHA hash
keymask(substr, padding, pos) String 'gbase@gbase.cn''****@gbase.cn'

3. The UNMASK Privilege — Who Sees What

  • Without UNMASK: the user sees the masked result.
  • With UNMASK: the user sees the original value. 
GRANT UNMASK ON db_name.table_name TO user_name@'host';
REVOKE UNMASK ON db_name.table_name FROM user_name@'host';
Enter fullscreen mode Exit fullscreen mode

Dynamic vs. Static Masking

Feature GBase 8a Dynamic Static Masking
Storage Original data untouched Data permanently replaced
When it happens Query time ETL / offline batch
Flexibility High — different views per user Low — same masked view for all
Primary use Production real‑time compliance Test / dev data provisioning
Built‑in support Yes, via DDL and privileges Requires external ETL tools

Because the underlying columnar storage never changes, dynamic masking in a gbase database keeps your analytical workloads fast while meeting security requirements. It's a native, low‑overhead way to protect sensitive data in GBASE's MPP platform.

If you're working with a gbase database in production, consider enabling dynamic masking on PII columns — your compliance team will thank you.

Top comments (0)