All Products
Search
Document Center

DataWorks:Create a data masking rule

Last Updated:Jun 20, 2026

DataWorks supports various data masking scenarios. You can create data masking rules for the scenarios that you require. This topic describes how to create these rules and run masked queries in DataWorks.

Background information

DataWorks provides two types of data masking: static data masking and dynamic data masking.

  • Dynamic data masking: This includes scenarios such as Data Development and Data Map display masking, DataAnalysis display masking, MaxCompute engine-layer masking, and Hologres engine-layer masking.

  • Static data masking: This refers to the data integration static masking scenario.

By default, data masking rules are disabled after they are created. You must manually enable the rules to automatically mask data in the relevant scenarios.

Note

Prerequisites

  • (Optional, for dynamic data masking only) You can configure sensitive data detection rules as needed. This lets you associate fields that require masking when you create data masking rules. For more information, see Sensitive data detection rules.

  • (Optional, for dynamic data masking only) You can use a whitelist to allow specific users to bypass data masking rules during a specified period. To do this, add the users to a user group to allow them to view raw data. For more information, see Configure a user group.

  • (Optional, for MaxCompute engine layer masking only) This scenario masks sensitive data when you query data from entry points other than DataWorks, such as the MaxCompute command line client (odpscmd) or Logview. To use this scenario, you must request to add an IP address to the MaxCompute network whitelist. This lets you call the masking functions. For more information, see Example: Use underlying data masking in E-MapReduce.

Access control

  • Configure data masking rules (create, edit, and delete):

    • Tenant Administrator and tenant security administrators can perform these operations for all data masking scenarios.

    • Workspace Administrator and workspace security administrators can perform these operations only for the data masking scenarios for which they have permissions.

  • Configure a data masking whitelist (create, edit, and delete):

    • Tenant administrators and tenant security administrators can configure whitelists for all data masking scenarios.

    • Workspace Administrator and workspace security administrators can configure whitelists only for the data masking scenarios for which they have permissions.

To perform these operations, you must be granted the required role permissions. For more information about authorization, see Workspace-level module permissions and Global module permissions.

Entry point for data masking rule configuration

  1. Log on to the DataWorks console. In the target region, click Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, click Data Security > Sensitive Data Management and then click Try Now to access Data Security Guard.

    Note
    • If your Alibaba Cloud account is already authorized, you are directed to the Data Security Guard homepage.

    • If your Alibaba Cloud account is not authorized, you are redirected to the Data Security Guard authorization page. To use Data Security Guard features for the first time, go to Data Security > Sensitive Data Management, select Data Security Guard in the pop-up dialog, and then complete the authorization.

  1. In the navigation pane on the left, choose Rule Setting > Data Masking Management to go to the Data Masking Management page.

  2. In the left-side pane, select a data masking scenario. Then, click Masking Rule on the right to create a rule for the scenario.

Create a dynamic data masking rule: Data Development/Data Map display masking scenario

  1. Select a data masking scenario.

    On the Data Masking Management page, set Data Masking Scenario to Data Development/Data Map display masking > Default Scenario. Then, click Masking Rule on the right.

  2. Create a data masking rule.

    1. In the Create Masking Rule dialog box, configure the parameters for the rule.

      1. Select a sensitive field and specify a rule name.

        Parameter

        Description

        Sensitive field type

        Select the type of field to which this data masking rule applies.

        • You can select a built-in sensitive field type or a custom sensitive field type that you created in Sensitive Data Detection. For more information about how to add a sensitive field, see Sensitive data detection rules.

        • If you have created a data masking rule for the same scenario, DataWorks filters out the sensitive field types that are already used to prevent inconsistent masking rules for the same sensitive field in the same scenario.

        Masking Rule Name

        By default, this parameter is the same as Sensitive field type. You can also specify a custom name. The rule name must be unique.

      2. Configure data masking scenarios.

        Select the scenarios to which the data masking rule applies. By default, the scenario that you selected in Step 1 is used. You can change the scenario or add more scenarios as needed.

      3. Configure a data masking method.

        DataWorks provides data transformation methods such as Format-preserving encryption, Mask, HASH encryption, String Replacement, Range transformation, Round, and Set to null. You can select a method based on your requirements.

        Format-preserving encryption (formerly pseudonymization algorithm)

        Format-preserving encryption replaces a value with a masked value that has the same characteristics. The format of the data remains the same after masking. The following table describes the parameters for this data masking rule.

        Parameter

        Description

        (Optional) Data watermark

        A data watermark provides data traceability. If a data breach occurs, the watermark can help you locate the potential source of the breach. You can enable or disable Data watermark as needed.

        Note

        The data watermark feature is available only in DataWorks Enterprise Edition.

        Desensitization characteristic value

        Different masking feature values correspond to different masking policy rules. This means that for the same source data, different masking feature values produce different masked results. If the masking feature value is the same, the same source data will produce the same masked data.

        For example, if the raw data is a123:

        • If you set the masking feature value to 0, the data is masked as b124.

        • If you set the masking feature value to 1, the data is masked as c234.

        The default value is 5. The value can range from 0 to 9.

        Replace Character Set

        If the detection rule for the selected Sensitive field type is not a built-in rule, you must configure Replace Character Set. After you configure a replacement character set, any character in the set will be replaced with another character of the same type.

        For example, if the sensitive data before masking consists of digits from 0 to 3 and letters from a to d, the masked data will also consist of digits and letters within that range.

        Note

        Characters in the character set are replaced with characters from the same range. The replacement character set supports uppercase letters, lowercase letters, and digits. Separate multiple characters with commas (,). Chinese characters are not supported. If the data to be masked does not conform to the character set range, it will not be masked.

        Mask

        The mask method conceals part of the information by replacing characters at specific positions with asterisks (*). When you use this method, you must select a masking mode. DataWorks provides several built-in masking modes and supports custom modes.

        Parameter (select one)

        Description

        Recommended Methods

        Select a recommended masking method from the drop-down list. The available masking methods vary depending on the field to be masked.

        DataWorks has three built-in masking methods. They include showing only the first and last characters, showing only the first three and last two characters, and showing only the first three and last four characters. Select an option from the drop-down list as needed.

        Custom

        This provides a more flexible way to configure masking. You must configure whether to mask each segment from left to right and specify the number of characters to mask (or not to mask). You can add up to 10 segments. At least one segment is required, and there must be exactly one segment set to Remaining Characters.

        For example, mask the first 3 characters and do not mask the remaining characters.

        HASH encryption

        When you use HASH encryption for data masking, you must configure the parameters described in the following table.

        Parameter

        Description

        Data watermark

        A data watermark provides data traceability. If a data breach occurs, the watermark can help you locate the potential source of the breach. You can enable or disable Data watermark as needed.

        Note

        The data watermark feature is available only in DataWorks Enterprise Edition.

        Encryption Algorithm

        The options include MD5, SHA256, SHA512, and SM3.

        Salt value

        Set the salt value for each encryption algorithm. The default value is 5. The value can range from 0 to 9.

        Note

        A salt is a specific string that is inserted. In cryptography, salting is the process of inserting a specific string at a fixed position in a password. This makes the hashed result different from the result of hashing the original password.

        Character replacement

        The String Replacement method replaces characters at a specified position with characters that you choose. The following table describes the parameters for this data masking rule.

        Parameter

        Description

        (Required) Replacement position

        From the drop-down list, you can select Replace all, Replace first 3 characters, or Replace last 4 characters. You can also select Custom to define the replacement position.

        If you set Replacement position to Custom, you can define custom segments. You must define the segments from left to right and configure the number of characters to replace and the replacement method for each segment. You can add up to 10 segments. At least one segment is required, and there must be exactly one segment set to Remaining Characters.

        (Required) Replacement Method

        The options include Random replacement, Sample value replacement, and Fixed value substitution.

        • Random replacement: Randomly replaces characters at the corresponding positions. The number of characters remains the same after replacement.

        • Sample value replacement: You must select a sample library. The values from the selected sample library are used to replace the characters at the corresponding positions.

        • Fixed value substitution: In the Replacement value text box, enter the replacement characters (any characters, 1 to 100 characters in length, cannot contain null characters). The entered value is used to replace the characters at the corresponding positions.

        Range transformation

        The Range transformation method applies only to numeric data. It masks data within a specified numeric range to a fixed value. You can add a minimum of 1 and a maximum of 10 ranges.

        Parameter

        Description

        Original numeric range [m,n)

        The numeric range of the data before masking. The value must be greater than or equal to 0 and can have up to two decimal places.

        Masked numeric value

        The value after masking. The value must be greater than or equal to 0 and can have up to two decimal places.

        Round

        The Round method applies only to numeric data.

        Parameter

        Description

        Raw data type

        Only numeric types are supported.

        Keep the number of decimal places

        You can keep 0 to 5 decimal places. The remaining part is rounded. For example, if the original value is 3.1415 and you choose to keep 2 decimal places, the masked value is 3.14.

        Set to null

        When you use the Set to null method, the corresponding sensitive field is set to an empty string.

    2. Verify the masking result.

      In the Sample Data text box, enter sample data to be masked. The data can be 0 to 100 characters in length. Then, click Validation. The masked data is returned in the Masking Effect field.

    3. Click Save or Save to create the data masking rule.

After you create the data masking rule:

Create a static data masking rule: Data integration static masking scenario

  1. On the Data Masking Management page, set Data Masking Scenario to Data integration static masking > Default Scenario. Then, click + Data Masking Rule on the right.

  2. Create a data masking rule.

    1. In the Create Masking Rule dialog box, configure the parameters for the rule.

      At the bottom of the dialog box, you can verify the masking result. Enter sample data in the Sample data field and click Verify Masking. The masked result is displayed in the Masking effect area.

      1. Select a sensitive data type and specify a rule name.

        Parameter

        Description

        Sensitive Data Type

        • Select Existing: Select an existing sensitive data type (either built-in or custom) as needed.

        • Add Type: Enter a name for the sensitive data type. The name must be unique and cannot be the same as an existing type.

        Note

        Built-in sensitive data types include the following: Mobile phone number, ID card number, Bank card number, Email_Built-in, IP, License plate number, Postal code, Landline number, MAC address, Address, Name, Company name, Ethnicity, Zodiac sign, Gender, and Nationality.

        Masking Rule Name

        By default, this parameter is the same as Sensitive Data Type. You can also specify a custom name. The data masking rule name must be unique.

      2. Configure a data masking method.

        DataWorks supports three data masking methods: Pseudonym, Hash, and Mask. You can select the method that best suits your needs.

        Alias

        Pseudonymization replaces a value with a masked value that has the same characteristics. The format of the data remains the same after masking. Only some existing fields support pseudonymization.

        • If the selected Sensitive Data Type is a built-in type, such as Mobile phone number, ID card number, Bank card number, Email_Built-in, IP, License plate number, Postal code, Landline number, MAC address, Address, Name, or Company name, you must configure the Security domain.

          Security domain: The value is an integer from 0 to 9. Each security domain uses a different set of masking policy rules. As a result, the same source data is masked differently depending on the security domain used. For example, if the raw data is a123, setting the security domain to 0 masks the data as b124, while setting it to 1 masks the data as c234. If the security domain is the same, the same source data always produces the same masked result.

        • If the selected Sensitive Data Type is not a built-in type, you must configure the Replace Character Set.

          Replace Character Set: Replaces characters with other characters of the same type. The replacement character set can contain uppercase letters, lowercase letters, and digits. Use a comma (,) to separate multiple characters. Chinese characters are not supported. Data that does not match the specified character types is not masked. For example, if the original sensitive data consists of digits from 0 to 3 and letters from a to d, the masked data will also consist of digits and letters from that same range.

        Hashing

        This method encrypts raw data into fixed-length data. The Hashing method requires you to select a Security domain.

        Security domain: The value can range from 0 to 9. Each security domain has a different set of masking policy rules. Therefore, applying different security domains to the same source data produces different masked results. Conversely, applying the same security domain to the same source data always produces the same masked result.

        For example, if the raw data is a123:

        • If you set the security domain to 0, the data is masked as b124.

        • If you set the security domain to 1, the data is masked as c234.

        Mask

        The Mask method conceals part of the information by replacing characters at specific positions with asterisks (*). When you use this method, you must select a masking mode. DataWorks provides several built-in masking modes and supports custom modes.

        • Recommended Methods: For some fields, you can select a recommended masking method from the drop-down list. The available masking methods vary depending on the field. DataWorks provides three built-in masking methods. These methods show only the first and last characters, the first three and last two characters, or the first three and last four characters. You can select one as needed. For some existing fields, you can only select the default method.

        • Custom: Provides a flexible way to configure masking. You can configure each segment from left to right, specifying whether to mask it and the number of characters to mask or retain. You can add up to 10 segments. At least one segment is required, and exactly one segment must be set to Remaining Characters.

          • Example 1: Mask the first three characters and do not mask the remaining characters.

          • Example 2: The last 3 digits are masked, and the remaining digits are unmasked.

    2. Verify the masking result.

      In the Sample Data text box, enter sample data to be masked. The data can be 0 to 100 characters in length. Then, click Verify Masking. The masked data is returned in the Masking Effect field.

    3. Click Confirm to create the data masking rule.

After you create the data masking rule:

  • By default, data masking rules are disabled after they are created. You must manually enable the rules for them to take effect in the relevant scenarios. For more information about how to change the status of a rule, see Enable or disable a data masking rule.

  • After you create a data integration masking rule, you can use the rule when you create a real-time synchronization task for a single table. For more information, see Configure data masking.

Configure a whitelist for a data masking rule (for dynamic data masking only)

For dynamic data masking scenarios, you can configure a whitelist of users for a data masking rule. After the rule is enabled, whitelisted users are not affected by the rule and can view raw data during a specified period.

Note

Before you create a whitelist, you must add the users that you want to add to the whitelist to a user group. For more information about how to configure a user group, see Configure a user group.

To add a whitelist, perform the following steps:

  1. On the Data Masking Management page, click Whitelist Configuration.

  2. In the upper-right corner, click Allowlist.

  3. In the Create Whitelist dialog box, configure the parameters.

    Note
    • You cannot configure whitelists for Hologres engine layer masking or Data integration static masking scenarios.

    • After you set the effective period for a whitelist, sensitive data that meets the whitelist conditions is not masked during the specified period.

    The following table describes the parameters.

    Parameter

    Description

    Sensitive field type

    You can only select sensitive field types that are enabled for the current data masking scenario.

    User group scope

    Select a configured user group. You can select up to 50 user groups. After a user group is added to the whitelist, the accounts in the user group can retrieve the raw data before masking. For more information about how to configure a user group, see Configure a user group.

    Effective Time

    Set the effective period for the whitelist as needed. You can choose a short-term or permanent period. Short-term options include 30 days, 90 days, 180 days, and 365 days. You can also set a custom period, which can start on the current day or a future date.

    If a user queries sensitive information outside the effective period of the whitelist, the data will continue to be masked.

    Note

    If you select a short-term period, the data will not be masked from the current time until the specified number of days has passed.

  4. Click Save to complete the whitelist configuration.

Enable or disable a data masking rule

On the Data Masking Rule tab, click the Status switch for a data masking rule to set its status to Effective or Failure.

After the status is set, you can edit, delete, or view the details of the rule.

Note
  • You cannot Delete or Edit an active desensitization rule. You must first set the rule to Failure. Before you do, you must check whether any related tasks use the rule and contact a security administrator to confirm.

  • In the Failure state, you can edit or delete the rule, but you cannot modify the Sensitive Data Type or Masking Rule Name.

  • After you make changes, you can set the status to Effective. Tasks that use this rule can then continue to perform data masking.

Examples of data masking rule applications