Skip to main content
Version: v4.15

Custom masking

Cyral's built-in masking functions: format-preserving, null, and constant, are well-suited for most use cases. However, there may be situations where a more specific masking logic is required to align with your dataset. Cyral's custom masking feature enables you to create tailored masking behaviors, ensuring precise data protection in accordance with your unique requirements. This documentation will guide you through the process of leveraging custom masking to achieve your desired data masking outcomes.

Custom masking is accomplished by integrating a user-defined function (UDF) as the masking function in Cyral. During this process, the contents of the field to be masked are replaced with the value returned by the UDF, providing a more flexible and tailored approach to data masking. Details on crafting UDFs and how to install them are available at Cyral Masking Quickstart.

note

Custom masking is currently NOT supported for MongoDB repositories.

Add a custom masking rule in your policy

Similar to the built-in masking types, custom masks can be directly referenced in Global Policies. For instance, the masking constraint {"function": "custom:mask_ccn"} can be used to mask the fields governed by the policy using the custom mask function.

Please refer to the Global Policies documentation for more details on the policy syntax.

Example

  • SQL database with the column bank_card in the table finance.customers.
  • Hypothetical implementation of the mask_ccn UDF, that replaces all the first 12 digits with *.

Before creating the policy and enabling data masking in the Management Console, user queries should return all unmasked data:

# select bank_card from customers;
      bank_card
---------------------
 4444-3333-2222-1111
 4484-6000-0000-0004
 4035-5010-0000-0008

Once the policy is in place and data masking is enabled, users should receive masked data for the same query:

# select bank_card from customers;
      bank_card
---------------------
 ****-****-****-1111
 ****-****-****-0004
 ****-****-****-0008

For more information on how to create UDFs for custom masking, how to install and import them into your policies, please refer to our public repository on GitHub: https://github.com/cyral-quickstart/quickstart-datarepo-masking.