All Products
Search

This Product

    DataWorks:Data masking

    Document Center

    DataWorks:Data masking

    Last Updated:Nov 17, 2025

    DataWorks Data Integration lets you add a data masking component to single-table real-time tasks. Add the component between the source and destination to mask data in specified source fields. The masked data is then written to the target table.

    Step 1: Configure a single-table real-time task

    1. Create a data source. For more information, see Data Source Management.

    2. Create a data integration task. For more information, see Configure a real-time sync task in Data Integration.

      Note

      If a data integration task uses the real-time single-table synchronization type, you can add data processing components between the source and destination components. For more information, see Supported data sources and synchronization solutions.

    Step 2: Add a data masking component

    1. On the DAG canvas of the real-time ETL task editing page, click the image button between the source and destination components and select the Data Masking component.image

    2. Configure masking rules.

      1. Create a masking rule. After you add the data masking component, click the component. In the component settings, configure the masking rules. Click Create Data Masking Rule to open the configuration panel.

        For more information, see the following instructions:

        1. Set Sensitive Data Type to Existing Data Type or New Data Type, and then select the masking method for the field. The following sections describe the available masking methods.

          Hashing

          This method encrypts raw data into a fixed-length hash. This method requires you to select a security domain. Masking rules vary by security domain. The same raw data produces different results in different security domains.

          Example: If the raw data is a123 and the security domain is set to 0, the masked result is b124. If the security domain is set to 1, the masked result is c234. For the same raw data, if the security domain is the same, the masked data is also the same.

          Alias

          This method replaces a value with an artificial pseudonym. The format of the masked data is the same as the raw data.

          • If you set Sensitive Data Type to Existing Data Type, you must configure the Security Domain.

            Note

            • Security Domain: The value can be an integer from 0 to 9. Masking rules vary by security domain. The same raw data produces different results in different security domains.

            • Example: If the raw data is a123 and the security domain is set to 0, the masked result is b124. If the security domain is set to 1, the masked result is c234. For the same raw data, if the security domain is the same, the masked data is also the same.

          • If you set Sensitive Data Type to New Data Type, you must configure the Character Set for Replacement.

            Note

            • Character Set for Replacement: If a character from the raw data is in the character set, it is replaced with another character of the same type.

            • Limits: Chinese characters are not supported. If a character in the data to be masked is not in the character set, it is not masked.

            • Example: If a data value contains only digits from 0 to 3 and letters from a to d, the masking result also contains only digits and letters from these ranges.

          Masking

          This method masks parts of the data by replacing characters at specific positions with an asterisk (*). You can choose one of the following two ways to mask data:

          • Recommended methods.

            • Only the previous and next items are displayed.

            • Show only the first three and last two characters.

            • Show only the first three and last four characters.

          • Custom: This method provides a more flexible configuration. You can set whether to mask the start, middle, and end segments, and specify the length of characters to mask. You can add up to 10 segments. At least one segment must be configured to show the original characters.

            • Configuration description:image

              Icon

              Description

              Select Digits or Remaining Digits.

              The value range is [1,100].

              Select Mask or Do Not Mask.

            • Examples:

              Configuration

              Illustration

              Mask the first three characters. Do not mask the remaining characters.

              image

              The last three digits are masked, while the remaining digits are unchanged.

              image

              Keep the first three and last three characters. Mask all characters in the middle.

              image

        2. Verify the data masking rule: In the sample data field, enter the data before masking. Click Test. The masked data is displayed in the Data Masking Effect field.

        3. After you complete the configuration, click OK to create the data masking rule.

      2. Add Condition: Click Add Condition to add a new row to configure a masking rule for a data field.

        • Field: Select the source data field to mask.

        • Data Masking Rule: Select a masking rule that you created.

      3. Output Fields: The name of the output field after the source data is masked. The name is the same as the input field name. However, the data type of the masked field is automatically converted to STRING.

    More operations

    After you configure the source, masking rules, and destination, click Perform Simulated Running in the upper-right corner. This runs a simulation of the data integration task. You can then check whether the output data meets your requirements.