Privacera Documentation

Configure policy with conditional masking on Privacera Platform

Conditional masking masks a column based on a condition applied to a different column. For example, a condition on column A determines whether column B is masked.

Conditional masking is supported for the following systems:

  • Hive with EMR

  • Hive with Databricks

  • Presto SQL with EMR

  • Trino

To configure conditional masking in a policy, do the following:

  1. Add Policy. For more details, see Create resource policies: general steps.

  2. Add the database, table, and column.

  3. In the Select Masking Option of Masking Conditions, select Custom. A text field appears in which you can enter your conditional expression.

Examples

  1. Conditional Masking using Single Column

    When the value of the name column is Tamara, the email column is masked.

    Conditional Expression: CASE WHEN (name=='Tamara') THEN mask(email) ELSE email END

  2. Conditional Masking using Multiple Columns

    Conditional Expression: CASE WHEN (name=='Tamara' OR address like '%Robin%') THEN mask(email) ELSE email END

  3. Conditional Masking in PrestoSQL

    The examples above apply to data sources that support SQL syntax expressions. For PrestoSQL, the syntax changes.

    You need to create an access policy in the privacera_presto service which gives access to the following Presto functions for the respective users:

    • to_hex

    • sha256

    • to_utf8

    After creating the access policy, you can use the functions in defining the following conditional expression:

    Conditional Expression: if(name='Richard', to_hex(sha256(to_utf8("address"))), "address")

  4. Conditional Masking in Trino

    For conditional masking in Trino, you need to cast the masked column to its appropriate data type.

    You need to create an access policy in the privacera_trino service which gives access to the following Trino functions for the respective users:

    • CAST

    • to_hex

    • sha256

    • to_utf8

    After creating the access policy, you can use the functions in defining the following conditional expression:

    Conditional Expression: CASE WHEN person_name='Pearlene' THEN (CAST(to_hex(sha256(to_utf8(email_address))) as varchar(100))) ELSE email_address END

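A way to check the Trino expression from example 4 against sample rows before saving it in a policy. This is an added example, not part of the Privacera documentation; the `customers` rows and the `email_address_masked` and `output_length` aliases are constructed for illustration.

```sql
-- Constructed sample rows (not real data). The inline VALUES list stands in
-- for the table the masking policy would be attached to.
WITH customers (person_name, email_address) AS (
    VALUES
        ('Pearlene', 'pearlene@example.com'),     -- matches the condition
        ('Pearlene', CAST(NULL AS varchar)),      -- matches, but nothing to hash
        ('pearlene', 'pearlene2@example.com'),    -- differs only in case
        (CAST(NULL AS varchar), 'anon@example.com'),  -- NULL in the condition column
        ('Richard',  'richard@example.com')       -- does not match
)
SELECT
    person_name,
    -- Same expression as in example 4.
    CASE WHEN person_name = 'Pearlene'
         THEN CAST(to_hex(sha256(to_utf8(email_address))) AS varchar(100))
         ELSE email_address
    END AS email_address_masked,
    -- A SHA-256 digest is 32 bytes, so to_hex returns 64 characters,
    -- which fits the varchar(100) used in the cast.
    length(
        CASE WHEN person_name = 'Pearlene'
             THEN CAST(to_hex(sha256(to_utf8(email_address))) AS varchar(100))
             ELSE email_address
        END
    ) AS output_length
FROM customers;
-- Row 1: email replaced by a 64-character hex digest.
-- Row 2: NULL stays NULL (hashing NULL yields NULL).
-- Rows 3-5: email returned unchanged, because the WHEN condition is not true.
```

Rows 3 and 4 show that the expression masks only on an exact, non-NULL match: a name that differs in case, or a NULL in the condition column, falls through to ELSE and is returned unmasked. If such rows must also be masked, the condition has to cover them explicitly.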