
Configuring Policy with Conditional Masking

Conditional masking masks a column based on a condition applied to a different column. For example, a condition on column A determines whether column B is masked.

Conditional masking is supported for the following systems:

  • Hive with EMR
  • Hive with Databricks
  • Presto SQL with EMR
  • Trino

To configure conditional masking in a policy, do the following:

  1. Add a policy.

  2. Add the database, table, and column.

  3. In the Select Masking Option of Masking Conditions, select Custom. A text field appears where you can enter your conditional expression.

Examples

  1. Conditional Masking using Single Column

    When the name column has the value Tamara, the email column is masked.

    Conditional Expression: CASE WHEN (name=='Tamara') THEN mask(email) ELSE email END

  2. Conditional Masking using Multiple Columns

    Conditional Expression: CASE WHEN (name=='Tamara' OR address like '%Robin%') THEN mask(email) ELSE email END

  3. Conditional Masking in PrestoSQL

    The examples above are applicable for data sources supporting SQL syntax expressions. For PrestoSQL, the syntax changes.

    You need to create an access policy in the privacera_presto service which gives access to the following Presto functions for the respective users:

    • to_hex
    • sha256
    • to_utf8

    After creating the access policy, you can use the functions in defining the following conditional expression:

    Conditional Expression: if(name='Richard', to_hex(sha256(to_utf8("address"))), "address")

  4. Conditional Masking in Trino

    For conditional masking in Trino, you need to cast/convert the masked column to its appropriate datatype.

    You need to create an access policy in the privacera_trino service which gives access to the following Trino functions for the respective users:

    • CAST
    • to_hex
    • sha256
    • to_utf8

    After creating the access policy, you can use the functions in defining the following conditional expression:

    Conditional Expression: CASE WHEN person_name='Pearlene' THEN (CAST(to_hex(sha256(to_utf8(email_address))) as varchar(100))) ELSE email_address END
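
The Trino expression above, applied to a few rows so you can see which values the condition actually masks. This is an added example, not part of the original documentation: it runs directly in a Trino session without any Privacera policy, the rows are constructed sample data, and the second expression is a hypothetical stricter variant.

```sql
-- Added example: runs in a Trino session on its own; no Privacera policy involved.
-- All rows below are constructed sample data.
WITH people (person_name, email_address) AS (
    VALUES
        ('Pearlene',            'pearlene@example.com'),  -- exact match
        ('pearlene',            'p.lower@example.com'),   -- differs only in case
        ('Richard',             'richard@example.com'),   -- no match
        (CAST(NULL AS varchar), 'unknown@example.com')    -- condition evaluates to NULL
)
SELECT
    person_name,
    -- Expression from the Trino example on this page.
    CASE WHEN person_name = 'Pearlene'
         THEN CAST(to_hex(sha256(to_utf8(email_address))) AS varchar(100))
         ELSE email_address
    END AS email_as_configured,
    -- Hypothetical stricter variant: also mask when the name is NULL
    -- or matches in a different letter case.
    CASE WHEN person_name IS NULL OR lower(person_name) = 'pearlene'
         THEN CAST(to_hex(sha256(to_utf8(email_address))) AS varchar(100))
         ELSE email_address
    END AS email_null_safe
FROM people;
```

In email_as_configured only the exact-match row is hashed; the lowercase and NULL rows fall through to ELSE and return the address in clear, which is worth checking whenever the condition column holds free-text or nullable data. Using the variant inside a policy is assumed to require access to lower in the same way as the other functions listed above.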