All Products
Search

This Product

    DataWorks:Data masking

    Document Center

    DataWorks:Data masking

    Last Updated:Mar 26, 2026

    When sensitive fields—such as phone numbers, email addresses, or ID numbers—pass through a data pipeline, writing them to a target table without protection creates compliance and security risks. The Data Masking node lets you apply field-level masking rules inline as data flows from a source to a target table in a Single-Table Real-Time synchronization task.

    Prerequisites

    Before you begin, make sure you have:

    Data processing nodes, including the Data Masking node, can only be added to Single-Table Real-Time tasks, between the Source and Destination nodes. For a full list of supported data sources, see Supported data sources and synchronization solutions.

    How it works

    1. Enable data processing in your Single-Table Real-Time task.

    2. Add a Data Masking node and configure a masking rule for each sensitive field.

    3. Preview the node output to verify the masked results meet your requirements.

    4. Run the task. The masked data is written to the target table.

    Add a Data Masking node

    Step 1: Set up the task

    1. Create a data source. For more information, see Data source management.

    2. Create a Single-Table Real-Time synchronization task. For more information, see Configure a single-table real-time synchronization task.

    Step 2: Configure the Data Masking node

    1. In the task canvas, enable the Data Processing toggle.

    2. Click + Add Node and select Data Masking.

    3. Configure the node name and description.

    4. Click Add to add a row for a masking rule, then configure each row:

      • Upstream Field: Select the source field to mask.

      • Data Masking Rule: Select an existing masking rule, or click New Desensitization Rule to create one.

    Create a masking rule

    When you click New Desensitization Rule, a panel opens. Configure the following:

    1. Sensitive Data Type: Select Existing Data Type to use a predefined sensitive data category, or select New Type to define a custom one.

    2. Masking method: Choose one of the three methods below.

      1. Alias

        Replaces a value with a masked value that has similar characteristics. The data format is preserved after masking.

        Set the Security domain to an integer from 0 to 9. Different security domains apply different masking policies, so the same source value produces different masked results across domains.

        Source value Security domain Masked result
        john.doe@example.com 0 An email-format value with the same structure
        john.doe@example.com 1 A different email-format value
        Hashing

        Transforms source data into a fixed-length string. The result is deterministic: the same source value and security domain always produce the same hash.

        Set the Security domain to an integer from 0 to 9. Different domains use different hashing rules, so the same source value produces a different hash in each domain.

        Source value Security domain Masked result
        a123 0 ea9da0c87fb455df9013be83bdc20014
        a123 1 9738f2cce017c52099ea530fa34eb128
        Masking

        Replaces characters at specified positions with asterisks (*). Choose a preset or define a custom pattern.

        Preset options:

        Preset Source value Result
        Show only the first and last character 13812345678 1*********8
        Show only the first three and last two characters 13812345678 138******78
        Show only the first three and last four characters 13812345678 138****5678

        Custom:

        Define up to 10 segments. At least one segment must be set to Remaining Digits.

        • image

          Icon Description
          Select Digits or Remaining Digits
          Enter a value from 1 to 100
          Select Mask or Do Not Mask

          Examples:

          Configuration Result
          Mask the first three digits; do not mask the remaining digits ***12345678
          Mask the last three digits; do not mask the remaining digits 13812345***
          Preserve the first three and last three digits; mask all digits in the middle 138*****678

      2. Test the masking rule: Enter sample data and click Test. The output appears in the Data Masking Effect section. Verify the result looks correct before saving.

      3. Click Determine to save the masking rule.

    Step 3: Verify the output

    After configuring the Upstream Field and Data Masking Rule for each field, click Preview Data Output. Review the preview to confirm the masked results meet your requirements before running the task.