Dynamic data masking lets you control which database accounts can see sensitive column values without modifying the underlying data. This document explains how to create, enable, disable, modify, and delete data masking rules in the PolarDB console.
Prerequisites
Before you begin, ensure that you have:
A PolarDB proxy version of 2.4.12 or later. To check and upgrade your proxy version, see Minor version update.
Limitations
| Limitation | Details |
|---|---|
| Endpoint scope | Dynamic data masking applies only to cluster endpoints, including default cluster endpoints and customized cluster endpoints. Queries through a primary endpoint are not masked. To view or apply for a cluster endpoint, see View the endpoint and port number. |
| Row size limit | If a query returns masked data and a single row in the result exceeds 16 MB, the query session is closed. For example, if a rule masks the name column in the Person table and the description column contains rows larger than 16 MB, running SELECT name, description FROM person closes the session. |
| Function parameters | If a masked column is used as a function argument, masking is not applied. For example, if a rule masks the name column, SELECT CONCAT(name, '') FROM person still returns the actual value. |
| UNION operator | If a masked column appears in a UNION query, masking is not applied. For example, if a rule masks the name column, SELECT hobby FROM person UNION SELECT name FROM person still returns the actual value. |
Create a data masking rule
Log on to the PolarDB console.
In the upper-left corner, select the region where your cluster is deployed.
Find the cluster and click its ID.
In the left-side navigation pane, choose Settings and Management > Security.
On the Dynamic Data Masking/Encryption tab, click Add in the upper-left corner.
In the Create Rule dialog box, configure the following parameters.
| Parameter | Required | Description |
|---|---|---|
| Rule Name | Yes | Name of the masking rule. Maximum length: 30 characters. |
| Description | No | Description of the rule. Maximum length: 64 characters. |
| Enable/Disable | N/A | Whether the rule is active. The switch is turned on by default when you create a rule. |
| Endpoint | Yes | The cluster endpoint to which the rule applies. |
| Database Account Name | No | The database accounts the rule applies to. Options: All Accounts (leave the text box blank), Include (specify accounts), or Exclude (exclude specified accounts). Separate multiple account names with commas (,). Account names support the following formats: user, user@10.1.1.1, user@10.1.1.%, user@%.1.1.1, user@1.%.1, or user@10.1.1.0/255.255.255.0. |
| Database Name | No | The databases the rule applies to. Options: All Databases (leave the text box blank) or Include (specify databases). Separate multiple database names with commas (,). |
| Table Name | No | The tables the rule applies to. Options: All tables (leave the text box blank) or Include (specify tables). Separate multiple table names with commas (,). |
| Column Name | Yes | The columns to mask. Separate multiple column names with commas (,). |
Click OK.
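The following added example (not PolarDB code, and not how the proxy itself evaluates rules) models the rule parameters above so you can check, before a rule goes live, which account, database, table and column combinations it will mask. It assumes the account formats listed in the table follow MySQL-style host matching (`%` wildcard, IP/netmask), and the form values are constructed sample input.

```python
import ipaddress
import re

def parse_list(text):
    """Split a comma-separated console field; an empty field means 'all'."""
    return [item.strip() for item in text.split(",") if item.strip()]

def host_matches(pattern, host):
    """True if client IP `host` matches a rule host pattern: exact IP,
    '%' wildcard, or IP/netmask (assumed MySQL-style semantics)."""
    if "/" in pattern:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, host) is not None

def account_matches(spec, user, host):
    """`user` alone matches any host; `user@hostpattern` also checks the host."""
    name, _, host_pattern = spec.partition("@")
    return name == user and (host_pattern == "" or host_matches(host_pattern, host))

def validate_form(form):
    """Return the problems with a Create Rule form, using the limits from the table."""
    problems = []
    if not 0 < len(form["rule_name"]) <= 30:
        problems.append("Rule Name must be 1-30 characters")
    if len(form["description"]) > 64:
        problems.append("Description must be at most 64 characters")
    if not parse_list(form["columns"]):
        problems.append("Column Name is required")
    if form["account_mode"] in ("include", "exclude") and not parse_list(form["accounts"]):
        problems.append("Include/Exclude needs at least one account")
    return problems

def rule_applies(form, user, host, database, table, column):
    """Decide whether reading `column` as user@host through this rule is masked."""
    if not form["enabled"] or column not in parse_list(form["columns"]):
        return False
    databases, tables = parse_list(form["databases"]), parse_list(form["tables"])
    if (databases and database not in databases) or (tables and table not in tables):
        return False
    hit = any(account_matches(s, user, host) for s in parse_list(form["accounts"]))
    if form["account_mode"] == "include":
        return hit
    if form["account_mode"] == "exclude":
        return not hit
    return True  # "all": every account is masked

EXAMPLE_FORM = {  # constructed sample form values, not a real cluster's rule
    "rule_name": "mask_person_pii", "description": "Hide names from app accounts",
    "enabled": True, "account_mode": "exclude", "accounts": "admin@10.1.1.%,auditor",
    "databases": "crm", "tables": "person", "columns": "name,phone",
}
```

Remember that the proxy still returns real values for a masked column used as a function argument or inside a UNION, so this check only tells you whether a rule is in scope, not whether a particular query is safe.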
Enable or disable a data masking rule
Log on to the PolarDB console.
In the upper-left corner, select the region where your cluster is deployed.
Find the cluster and click its ID.
In the left-side navigation pane, choose Settings and Management > Security.
On the Dynamic Data Masking/Encryption tab, find the rule and turn the Enable/Disable switch on or off.
To enable or disable multiple rules at once, select them in the list and click Enable or Disable at the bottom of the list. Disabled rules are not deleted and can be re-enabled at any time.
In the message that appears, click OK.
Modify a data masking rule
Log on to the PolarDB console.
In the upper-left corner, select the region where your cluster is deployed.
Find the cluster and click its ID.
In the left-side navigation pane, choose Settings and Management > Security.
On the Dynamic Data Masking/Encryption tab, find the rule and click Modify in the Actions column.
You can modify the Description and all parameters in the Configurations section. The Rule Name cannot be changed after the rule is created. For more information about the parameters, see Configure data masking rule parameters.
Update the parameters, then click OK.
Delete a data masking rule
Log on to the PolarDB console.
In the upper-left corner, select the region where your cluster is deployed.
Find the cluster and click its ID.
In the left-side navigation pane, choose Settings and Management > Security.
On the Dynamic Data Masking/Encryption tab, find the rule and click Delete in the Actions column.
To delete multiple rules at once, select them in the list and click Delete at the bottom of the list.
In the message that appears, click OK.
API reference
| Operation | Description |
|---|---|
| DescribeMaskingRules | Queries the data masking rules for a PolarDB cluster or the details of a specified rule. |
| ModifyMaskingRules | Modifies or adds a data masking rule. |
| DeleteMaskingRules | Deletes a data masking rule. |