Configuring Policy with Conditional Masking
Conditional masking masks a column based on a condition applied to a different column. For example, a condition on column A determines whether column B is masked.
Conditional masking is supported for the following systems:
- Hive with EMR
- Hive with Databricks
- Presto SQL with EMR
- Trino
To configure conditional masking in a policy, do the following:
- Add the database, table, and column.
- In the Select Masking Option of Masking Conditions, select Custom. A text box appears where you can enter your conditional expression.
Examples
- Conditional Masking using Single Column
  When the name column has the value Tamara, the email column is masked.
  Conditional Expression:
  CASE WHEN (name=='Tamara') THEN mask(email) ELSE email END
- Conditional Masking using Multiple Columns
  Conditional Expression:
  CASE WHEN (name=='Tamara' OR address like '%Robin%') THEN mask(email) ELSE email END
- Conditional Masking in PrestoSQL
  The examples above are applicable for data sources supporting SQL syntax expressions. For PrestoSQL, the syntax changes.
  You need to create an access policy in the privacera_presto service which gives access to the following Presto functions for the respective users:
  - to_hex
  - sha256
  - to_utf8
  After creating the access policy, you can use the functions in defining the following conditional expression:
  Conditional Expression:
  if(name='Richard', to_hex(sha256(to_utf8("address"))), "address")
- Conditional Masking in Trino
  For conditional masking in Trino, you need to cast/convert the masked column to its appropriate datatype.
  You need to create an access policy in the privacera_trino service which gives access to the following Trino functions for the respective users:
  - CAST
  - to_hex
  - sha256
  - to_utf8
  After creating the access policy, you can use the functions in defining the following conditional expression:
  Conditional Expression:
  CASE WHEN person_name='Pearlene' THEN (CAST(to_hex(sha256(to_utf8(email_address))) as varchar(100))) ELSE email_address END
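
The Trino expression above can be checked against constructed rows before it goes into a policy. This added example (not Privacera or Trino code) runs the expression verbatim in an in-memory SQLite database, with Python stand-ins for to_utf8, sha256 and to_hex; the table name people, the sample rows and the helper names are assumptions.

```python
import hashlib
import sqlite3

# The Trino conditional expression from the page, verbatim.
EXPR = ("CASE WHEN person_name='Pearlene' THEN "
        "(CAST(to_hex(sha256(to_utf8(email_address))) as varchar(100))) "
        "ELSE email_address END")

# Constructed sample rows (not real data): exact match, case variant, NULL, other.
ROWS = [
    ("Pearlene", "pearlene@example.com"),
    ("pearlene", "lower@example.com"),
    (None, "unknown@example.com"),
    ("Richard", "richard@example.com"),
]


def _null_safe(fn):
    # Trino scalar functions return NULL for NULL input; mirror that here.
    return lambda v: None if v is None else fn(v)


def open_emulator():
    """In-memory SQLite with stand-ins for the three Trino functions."""
    db = sqlite3.connect(":memory:")
    db.create_function("to_utf8", 1, _null_safe(lambda s: s.encode("utf-8")))
    db.create_function("sha256", 1, _null_safe(lambda b: hashlib.sha256(b).digest()))
    # Trino's to_hex emits uppercase hex digits.
    db.create_function("to_hex", 1, _null_safe(lambda b: b.hex().upper()))
    db.execute("CREATE TABLE people (person_name TEXT, email_address TEXT)")
    db.executemany("INSERT INTO people VALUES (?, ?)", ROWS)
    return db


def apply_mask(db):
    """Return (person_name, original email, value the expression exposes)."""
    return db.execute(
        f"SELECT person_name, email_address, {EXPR} FROM people ORDER BY rowid"
    ).fetchall()


def unmasked_rows(results):
    """Names of rows where the exposed value is still the clear-text email."""
    return [name for name, email, shown in results if shown == email]


if __name__ == "__main__":
    for name, email, shown in apply_mask(open_emulator()):
        print(f"{name!r:12} {email:24} -> {shown}")
```

Rows whose person_name is NULL or differs in letter case do not satisfy the WHEN condition, so they take the ELSE branch and return the clear-text email.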