You can create, modify, delete, enable, and disable data masking rules in the PolarDB console. This topic describes how to manage data masking rules.

Prerequisites

The version of the PolarDB proxy must be 2.4.12 or later. For more information about how to view and upgrade the version of PolarDB proxy, see Version Management.

Considerations

  • The dynamic data masking feature applies only to cluster endpoints, including default cluster endpoints and customized cluster endpoints. When you query data from a primary endpoint, the dynamic data masking feature is not applied. For more information about how to view and apply for a cluster endpoint, see View an endpoint.
  • If the query results contain data that needs to be masked and the size of a single row exceeds 16 MB, the query session is closed.

    For example, you want to query the name and description columns of the Person table in which the name column needs to be masked. However, the size of the data in a row of the description column exceeds 16 MB. In this case, the query session is closed when you execute the SELECT name, description FROM person statement.

  • If the data column you want to mask is used as a function parameter, data masking is not applied.

    For example, if a rule has been created to mask data in the name column, your application can still read the actual value of the name column when you execute the SELECT CONCAT(name, '') FROM person statement.

  • If the data column you want to mask is used in the UNION operator, data masking is not applied.

    For example, if a rule has been created to mask data in the name column, your application can still read the actual value of the name column when you execute the SELECT hobby FROM person UNION SELECT name FROM person statement.
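To find statements that hit the two limitations above, a query log can be screened for masked columns used inside a function call or in a statement that contains UNION. The following is an added example, not part of the PolarDB documentation or tooling; the function names, the keyword list, and the sample statements are assumptions, and the check is a token-level heuristic rather than a SQL parser.

```python
import re

# Keywords that can precede "(" without starting a function call.
NOT_FUNCTIONS = {"in", "from", "join", "select", "where", "and", "or", "on",
                 "union", "all", "exists", "not", "values", "as"}

def masking_gaps(sql, masked_columns):
    """Return sorted (column, reason) pairs for the two documented cases in
    which a masked column is returned unmasked. Heuristic: it also flags
    function calls outside the select list, such as in WHERE."""
    text = re.sub(r"'(?:[^'\\]|\\.|'')*'", "''", sql.lower())  # blank string literals
    tokens = re.findall(r"\w+|\S", text)
    masked = {c.lower() for c in masked_columns}
    has_union = "union" in tokens
    findings, call_stack, prev = set(), [], ""
    for tok in tokens:
        if tok == "(":
            # "(" directly after an identifier that is not a keyword = call
            call_stack.append(prev.isidentifier() and prev not in NOT_FUNCTIONS)
        elif tok == ")" and call_stack:
            call_stack.pop()
        elif tok in masked:
            if any(call_stack):
                findings.add((tok, "function parameter"))
            if has_union:
                findings.add((tok, "UNION"))
        prev = tok
    return sorted(findings)

# Constructed sample statements; the first three are the ones quoted above.
SAMPLE_LOG = [
    "SELECT name, description FROM person",
    "SELECT CONCAT(name, '') FROM person",
    "SELECT hobby FROM person UNION SELECT name FROM person",
    "SELECT id FROM (SELECT id, name FROM person) AS p",
]

def audit(statements, masked_columns):
    """Map each statement that hits a limitation to its findings."""
    report = {}
    for sql in statements:
        gaps = masking_gaps(sql, masked_columns)
        if gaps:
            report[sql] = gaps
    return report

if __name__ == "__main__":
    for sql, gaps in audit(SAMPLE_LOG, {"name"}).items():
        print(gaps, "<-", sql)
```

Statements flagged this way return the real column value through a cluster endpoint even when the rule is enabled, so they need a control other than the masking rule.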

Create a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. In the upper-left corner of the page, click Add. In the Create Data Masking Rule dialog box, set the following parameters.
    Table 1. Parameters for a data masking rule

    Basic Information

      Rule Name (Required: Yes)
        The name of the data masking rule. The name can be up to 30 characters in length.

      Description (Required: No)
        The description of the data masking rule. The description is up to 64 characters in length.

      Enable/Disable (Required: N/A)
        The Enable/Disable switch.
        Note When you create a data masking rule, the Enable/Disable switch is turned on by default.

    Configurations

      Database Account Name (Required: No)
        The name of the database account to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values:
        • All Accounts: indicates that the data masking rule applies to all database accounts in the cluster. The text box on the right must be left empty.
        • Include: indicates that the data masking rule applies only to specified database accounts. You must specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).
        • Exclude: indicates that the data masking rule applies only to database accounts that are not specified in this section. You must specify at least one database account name in the text box on the right. Separate multiple accounts with commas (,).
        Note The database account names can be in one of the following formats:
        • account name. Example: user
        • account name@full IP address. Example: user@1.1.1.1
        • account name@IP address with wildcard characters. Example: user@1.1.1.%, user@%.1.1.1, or user@1.%.1
        • account name@IP/subnet mask. Example: user@1.1.1.0/255.255.255.0

      Database Name (Required: No)
        The name of the database to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values:
        • All Databases: indicates that the data masking rule applies to all the databases in the cluster. The text box on the right must be left empty.
        • Include: indicates that the data masking rule applies only to specified databases. You must specify at least one database name in the text box on the right. Separate multiple database names with commas (,).

      Table Name (Required: No)
        The name of the table to which the rule is applied. The type of the account that is used to connect to the sandbox instance. Valid values:
        • All tables: indicates that the data masking rule applies to all the tables in the cluster. The text box on the right must be left empty.
        • Include: indicates that the data masking rule applies only to specified tables. You must specify at least one table name in the text box on the right. Separate multiple table names with commas (,).

      Column Name (Required: Yes)
        The name of the field to which the rule is applied. You can specify more than one field name and separate multiple field names with commas (,).
  6. Click OK.
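Before relying on an Include or Exclude list, it helps to check which connections it actually covers. The following is an added example, not PolarDB code: it evaluates a Database Account Name setting in the formats listed in Table 1 against a connecting account and client IP. The function names are hypothetical, and two behaviors are assumptions: an entry without a host part matches any client IP, and % matches any run of characters as in SQL LIKE.

```python
import ipaddress
import re

def entry_matches(entry, user, client_ip):
    """True if one account entry (a Table 1 format) covers user@client_ip."""
    name, _, host = entry.strip().partition("@")
    if name != user:
        return False
    if not host:
        # "user": no host part, assumed to match any client IP
        return True
    if "/" in host:
        # "user@1.1.1.0/255.255.255.0": IP/subnet mask
        network = ipaddress.ip_network(host, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if "%" in host:
        # "user@1.1.1.%": % assumed to behave like the SQL LIKE wildcard
        pattern = ".*".join(re.escape(part) for part in host.split("%"))
        return re.fullmatch(pattern, client_ip) is not None
    # "user@1.1.1.1": full IP address
    return host == client_ip

def rule_applies(mode, accounts, user, client_ip):
    """Decide whether a rule with this account setting masks user@client_ip.

    mode is "All Accounts", "Include" or "Exclude"; accounts is the
    comma-separated text box value."""
    entries = [e for e in accounts.split(",") if e.strip()]
    if mode == "All Accounts":
        if entries:
            raise ValueError("the text box must be left empty for All Accounts")
        return True
    if mode not in ("Include", "Exclude"):
        raise ValueError(f"unknown mode: {mode!r}")
    if not entries:
        raise ValueError("specify at least one database account name")
    hit = any(entry_matches(e, user, client_ip) for e in entries)
    return hit if mode == "Include" else not hit

if __name__ == "__main__":
    # Constructed check: an Exclude entry exempts a whole subnet from masking.
    spec = "user@1.1.1.0/255.255.255.0"
    for ip in ("1.1.1.200", "1.1.2.1"):
        print(ip, "masked" if rule_applies("Exclude", spec, "user", ip) else "NOT masked")
```

An Exclude entry with a wildcard or subnet mask exempts every matching client address from masking, so review such entries as carefully as the account names themselves.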

Enable or disable a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. Locate the rule that you want to manage and turn Enable/Disable on or off.
    Note
    • You can select multiple rules in the rule list and then click Enable or Disable below the list to enable or disable the rules in batches.
    • Disabled data masking rules are not deleted. You can enable the rules again based on your requirements.
  6. In the dialog box that appears, click OK.

Modify a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. Locate the rule that you want to modify and click Modify in the right-side Actions column. In the dialog box that appears, configure the parameters based on your requirements. For more information about parameter descriptions, see Table 1.
    Note You can modify the parameters only in Description and Configurations. Parameters in Rule Name cannot be modified.
  6. Click OK.

Delete a data masking rule

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Rules.
  5. Locate the rule that you want to delete and click Delete in the right-side Actions column.
    Note You can select multiple rules in the rule list. Then, click Delete below the list to delete the rules in batches.
  6. In the dialog box that appears, click OK.

Related API operations

Operation              Description
DescribeMaskingRules   Queries the data masking rules that apply to a PolarDB cluster or the details of a specified masking rule.
ModifyMaskingRules     Modifies or adds a data masking rule.
DeleteMaskingRules     Deletes a specified data masking rule.