Dynamic Data Mask

Dynamic Data Masking (DDM) limits the exposure of sensitive data to unauthorized users. DDM acts on table columns: when a masked column appears in a query result, its values are hidden. Using DDM does not modify the data stored in the table; only the query results returned to unauthorized users are masked, so such users see masked values in their results. For example, in the illustration that accompanied this post, the second column is a number column whose first seven digits are masked.

Dynamic data masking is available in SQL Server 2016 (13.x) and Azure SQL Database and is configured by executing Transact-SQL commands.

First, defining dynamic data masking rules

Masking rules are defined on the columns of a table; there are 4 types:

  • Default: for string types, the value is masked with XXXX; for numeric types, the value is masked with zero; for date and time types, the value is masked with 01.01.1900 00:00:00.0000000; for binary types, the value is masked with 0.
  • Email: acts on string types; the first character, the @ and the .com are left visible, and the other characters are replaced with XXXX as the mask.
  • Random: acts on numeric types; the original value is replaced with a random number drawn from a specified range as the mask.
  • Custom String: acts on string types; the characters in the middle are replaced with a custom padding string, while the characters at both ends (the prefix and suffix) remain visible. If the original string is too short to be masked this way, part of the prefix and suffix is not exposed.

Masking rule syntax:

MASKED WITH (FUNCTION = 'default()')
MASKED WITH (FUNCTION = 'email()')
MASKED WITH (FUNCTION = 'random(start, end)')
MASKED WITH (FUNCTION = 'partial(prefix,[padding],suffix)')

Define the masking rule when you create the table:

Email varchar(100) MASKED WITH (FUNCTION = 'email()') NULL

Add a masking rule to a column of an existing table:

ALTER TABLE Membership
ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()')
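The following is an added example (not code from the original post) that defines all four mask types on a constructed Membership table, adds a further mask with ALTER TABLE, and compares what a privileged user and a user without UNMASK see. The table, column and user names are assumptions chosen for the demonstration.

```sql
-- Added example (not from the original post): all four mask functions on a
-- constructed Membership table. Table, columns and TestUser are assumptions.
CREATE TABLE Membership (
    MemberID   int IDENTITY(1,1) PRIMARY KEY,
    FirstName  varchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
    LastName   varchar(100) NOT NULL,
    Phone      varchar(12)  MASKED WITH (FUNCTION = 'default()') NULL,
    Email      varchar(100) MASKED WITH (FUNCTION = 'email()') NULL,
    Salary     int          MASKED WITH (FUNCTION = 'random(1,1000)') NULL
);

-- A mask can also be added later to a column of the existing table
ALTER TABLE Membership
ALTER COLUMN LastName ADD MASKED WITH (FUNCTION = 'partial(2,"XXX",0)');

-- Constructed sample rows
INSERT INTO Membership (FirstName, LastName, Phone, Email, Salary) VALUES
('Roberto', 'Tamburello', '555.123.4567', 'RTamburello@contoso.com', 80000),
('Janice',  'Galvin',     '555.123.4568', 'JGalvin@contoso.com',     72000);

-- A user holding SELECT but not UNMASK receives masked values
CREATE USER TestUser WITHOUT LOGIN;
GRANT SELECT ON Membership TO TestUser;

EXECUTE AS USER = 'TestUser';
SELECT * FROM Membership;   -- masked: prefix/padding, XXXX, aXXX@XXXX.com, random number
REVERT;

-- After UNMASK is granted the same query returns the stored values
GRANT UNMASK TO TestUser;
EXECUTE AS USER = 'TestUser';
SELECT * FROM Membership;   -- unmasked
REVERT;

-- Withdraw the permission again when the check is done
REVOKE UNMASK FROM TestUser;
```

Run as a database owner. The first SELECT under TestUser shows FirstName and LastName with only their prefix visible and the padding string in place, Phone as the default XXXX mask, Email as first character plus XXXX and .com, and Salary as a random value within the given range; the second SELECT, after GRANT UNMASK, shows the stored values. Note that the mask is applied to the result set only: the rows in the table are never changed by granting or revoking UNMASK.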

Second, access control

Permissions control who can create and modify masks; a user who has the UNMASK permission can view the unmasked data of a masked column.

1, permissions to create and modify masks

Creating a table with dynamic data masking requires no special privileges; you only need CREATE TABLE permission and ALTER permission on the schema.

Adding, replacing, or removing a mask on a column requires the ALTER ANY MASK permission and ALTER permission on the table. The ALTER ANY MASK privilege can be granted to a security officer.

A user with SELECT permission on the table can view the table's data; once a column has been defined as masked, that column is displayed as masked data. To let a user retrieve unmasked data from a column defined as masked, the user can be granted the UNMASK permission.

CONTROL permission on the database includes both the ALTER ANY MASK and the UNMASK permission.

2, permissions to update a masked column

Creating a mask on a column does not prevent updates to that column: if a user has write permission, the user can modify the data in the column even without the UNMASK permission. Whether users may modify a masked column should be controlled through other permissions.

3, copying masked data

Using SELECT INTO or INSERT INTO to copy data from a masked column into another table causes the masked data to be copied into the new table.

Likewise, when SQL Server Import and Export is run, the masked data is copied into the new table.
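The two points above (a masked column can still be written by a user without UNMASK, and a copy made by such a user persists the masked values) are shown together in the following added example, which is not code from the original post. It assumes a Membership table with masked Phone, FirstName and Email columns and a user TestUser that already exist in the database; the table, column and user names are assumptions.

```sql
-- Added example (not from the original post). Assumes Membership (with masked
-- Phone, FirstName, Email columns) and TestUser exist; names are assumptions.

-- A copy table created by a privileged user, plain columns, no masks
CREATE TABLE Membership_Copy (
    MemberID  int          NOT NULL,
    FirstName varchar(100) NULL,
    Email     varchar(100) NULL
);

GRANT SELECT, UPDATE ON Membership      TO TestUser;
GRANT INSERT         ON Membership_Copy TO TestUser;

EXECUTE AS USER = 'TestUser';
-- The write succeeds although TestUser only ever sees the masked value:
-- write permission, not UNMASK, decides whether the column can be changed.
UPDATE Membership SET Phone = '555.999.0000' WHERE MemberID = 1;

-- INSERT ... SELECT copies what TestUser is allowed to see, i.e. the masked
-- strings, and those masked strings are stored permanently in the copy.
INSERT INTO Membership_Copy (MemberID, FirstName, Email)
SELECT MemberID, FirstName, Email FROM Membership;
REVERT;

-- Viewed by a privileged user: the original table holds the new real phone
-- number, while the copy contains only masked values.
SELECT MemberID, Phone FROM Membership WHERE MemberID = 1;
SELECT MemberID, FirstName, Email FROM Membership_Copy;

-- Modification must be controlled with ordinary permissions, per column
-- where needed; the mask itself does not restrict writes.
DENY UPDATE (Phone, Email) ON Membership TO TestUser;
```

The column-level DENY at the end is the kind of "other permission" the text refers to: after it, the UPDATE above fails for TestUser while the user can still read the masked column. The Membership_Copy table shows why copies made by unprivileged users should be treated as lossy exports rather than backups.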

4, authorizing a user to view masked data

Once the UNMASK permission has been granted to a user, the user can view the masked columns:

GRANT UNMASK TO TestUser;  
EXECUTE AS USER = 'TestUser';  
SELECT * FROM Membership;  
REVERT;   
  
-- Removing the UNMASK permission  
REVOKE UNMASK TO TestUser; 

Third, operations on masked columns

Masked columns can be queried, and masks can be added, modified, and removed.

1, querying masked columns

View the masked columns that have been created in the database:

SELECT tbl.name AS table_name
    ,c.name AS column_name
    ,c.is_masked
    ,c.masking_function
FROM sys.masked_columns AS c
INNER JOIN sys.tables AS tbl
    ON c.[object_id] = tbl.[object_id]
WHERE c.is_masked = 1;
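For a review of who can see through the masks, the inventory of masked columns is only half the picture; the other half is which principals hold UNMASK or ALTER ANY MASK. The following audit query is an added example, not code from the original post; it uses only the catalog views sys.masked_columns, sys.tables, sys.database_permissions and sys.database_principals and reports on the current database.

```sql
-- Added example (not from the original post): audit masked columns and the
-- principals that can bypass or change the masks in the current database.

-- 1. Every masked column, with its schema and masking function
SELECT
    SCHEMA_NAME(tbl.schema_id) AS schema_name,
    tbl.name                   AS table_name,
    c.name                     AS column_name,
    c.masking_function
FROM sys.masked_columns AS c
INNER JOIN sys.tables AS tbl
    ON c.[object_id] = tbl.[object_id]
WHERE c.is_masked = 1
ORDER BY schema_name, table_name, column_name;

-- 2. Principals explicitly granted (or denied) UNMASK / ALTER ANY MASK.
--    Both are database-level permissions in SQL Server 2016.
SELECT
    pr.name            AS principal_name,
    pr.type_desc       AS principal_type,
    pe.permission_name,
    pe.state_desc      -- GRANT or DENY
FROM sys.database_permissions AS pe
INNER JOIN sys.database_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name IN ('UNMASK', 'ALTER ANY MASK')
ORDER BY pr.name, pe.permission_name;
```

Read the second result set together with the note above that CONTROL on the database implies both permissions: database owners, members of db_owner and anyone holding CONTROL will not appear in this list but can still read unmasked data, so they need to be reviewed separately.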

2, adding a mask to a column

Add a mask to a column of an existing table:

ALTER TABLE Membership  
ALTER COLUMN LastName ADD MASKED WITH (FUNCTION = 'partial(2,"XXX",0)'); 

3, modifying a column mask

Modify the mask on an existing masked column:

ALTER TABLE Membership  
ALTER COLUMN LastName varchar(100) MASKED WITH (FUNCTION = 'default()');  

4, removing the mask from a column

Drop the mask from the column:

ALTER TABLE Membership   
ALTER COLUMN LastName DROP MASKED; 


Reference documents:

Dynamic Data Masking


Origin www.cnblogs.com/ljhdo/p/11760799.html