Dynamic Column Masking¶
Dynamic Column Masking allows administrators to control the visibility of sensitive data at the column level. Instead of completely denying access, data can be partially or fully masked based on user roles, groups, or other contextual conditions. As a result, the same table queried by different users can return different results, depending on which masking policies apply to each user.
Overview¶
- Applies only to SELECT operations.
- Enforced at the column level.
- Supports static, deterministic, random, and custom masking types.
- Dynamic expressions can be used to control when masking is applied.
Dynamic Column Masking is not supported for Object Storage (e.g., AWS S3).
When objects in S3, ADLS, GCS, or MinIO are accessed using Apache Spark (EMR, EKS, or Kubernetes), Jupyter Notebooks, the CLI, or File Explorer tools, the entire object is read on the client side, so there is no way to mask columns or filter rows before the data is read. Privacera therefore does not support dynamic column masking for these services.
Prerequisite Reading
Please read the following before creating Dynamic Column Masking policies:
Supported Services¶
Service | Support Level |
---|---|
Snowflake | |
Databricks UC | |
Redshift | |
PostgreSQL | |
AWS S3 | Not supported |
Components of a Masking Policy¶
Field | Description |
---|---|
Resource | database → table → column |
Masking Type | Masking strategy: nullify, custom, random, constant, etc. |
Policy Scope | Users, groups, roles |
Conditions | Optional macros (e.g., USER.clearance != 'high') |
Audit Enabled | Recommended to track how and when masking is applied |
Creating a Masking Policy via Privacera Portal¶
- Go to Access Management > [Service Type].
- Switch to the Masking Policies tab.
- Click + Add Policy.
- Select the target resource (database, table, column).
- Choose the Masking Type.
- Add user, group, or role-based policy items.
- (Optional) Add masking conditions using macros.
- Save the policy.
Example: Mask SSN Column for Public Group¶
Use Case: Mask the ssn column for all users unless their clearance is high.
Component | Value |
---|---|
Service | Snowflake |
Database | customer_db |
Table | profiles |
Column | ssn |
Masking Type | MASKED |
Group | public |
The public group in Apache Ranger and Privacera is a special built-in group that includes all users by default.
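As an added illustration (not Privacera's own code or its policy engine), the following Python models how the policy above changes what a SELECT returns per user: the same two rows come back masked for a low-clearance user and in the clear for a high-clearance user, and the other masking types from the Overview are modelled alongside. The sample rows, the user-attribute dictionary, the group names and the masking functions are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample rows standing in for customer_db.profiles (not real data).
PROFILES = [{"id": 1, "name": "Ada", "ssn": "123-45-6789"},
            {"id": 2, "name": "Bob", "ssn": "987-65-4321"}]

@dataclass
class MaskingPolicy:
    column: str
    masking_type: str                      # nullify | constant | deterministic | random | custom
    groups: set                            # "public" is the built-in group that matches every user
    condition: Optional[Callable] = None   # stands in for a macro such as USER.clearance != 'high'
    constant: str = "***MASKED***"
    custom: Optional[Callable] = None      # masking function for masking_type == "custom"

def applies(policy: MaskingPolicy, user: dict) -> bool:
    # A policy item fires when the user is in scope AND its condition (if any) holds.
    in_scope = "public" in policy.groups or bool(policy.groups & user["groups"])
    return in_scope and (policy.condition is None or policy.condition(user))

def mask_value(policy: MaskingPolicy, value: str):
    masks = {
        "nullify": lambda v: None,
        "constant": lambda v: policy.constant,
        # deterministic: same input -> same token, so joins and group-bys still line up
        "deterministic": lambda v: hashlib.sha256(v.encode()).hexdigest()[:12],
        # random: fresh digits on every read; not reversible and not join-safe
        "random": lambda v: "".join(secrets.choice("0123456789") for _ in v),
        "custom": lambda v: policy.custom(v),
    }
    return masks[policy.masking_type](value)

def select(rows: list, policies: list, user: dict) -> list:
    # Rows as this user would see them on SELECT; the source rows are never modified.
    active = [p for p in policies if applies(p, user)]
    out = []
    for row in rows:
        row = dict(row)
        for p in active:
            if row.get(p.column) is not None:
                row[p.column] = mask_value(p, row[p.column])
        out.append(row)
    return out

# The page's example: mask ssn for the public group unless the user's clearance is high.
SSN_POLICY = MaskingPolicy("ssn", "custom", {"public"}, custom=lambda v: "XXX-XX-" + v[-4:],
                           condition=lambda u: u["attrs"].get("clearance") != "high")
```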
Limitations¶
- Masking applies only during SELECT access.
- Native masking may not be available in all services; Privacera will use Secure Views as fallback (e.g., PostgreSQL).
- Column Masking is generally implemented using UDFs or native functions, which can impact query performance.
- Complex expressions should be validated in the native query engine for correctness.
- Cannot be combined with Row Level Filters on the same column in some engines.
- Column Masking is not supported for Object Storage (e.g., AWS S3).
Tips¶
- Choose nullify or custom for simple use cases; use random for data obfuscation.
- Test masking logic using user impersonation or Preview.
- Avoid hardcoding sensitive logic in multiple policies; reuse macros or tags.