Custom masking
Custom masking is a feature that extends the data protection capabilities of Protect. Protect offers a set of out-of-the-box masking levels. Custom masking allows you to define your own data protection methods.
You can manage custom masking via API. For more information, go to the Collibra Protect API documentation.
- Custom masking functions are available only in Databricks and Snowflake. If you try to apply custom masking to a column in AWS Lake Formation or BigQuery, the out-of-the-box default masking is automatically applied to the column instead.
- You cannot delete a custom masking function that is used in a data protection standard or a data access rule.
Example
The following is an example of a POST request for custom masking in Snowflake.
{
"name": "My custom masking",
"mappings": [
{
"provider": "Snowflake",
"mappings": [
{
"dataType": "string",
"functionName": "hash_my_string"
},
{
"dataType": "number",
"functionName": "hash_my_number"
}
]
}
]
}
If you apply My custom masking to a Snowflake column containing the value Collibra, the value is replaced by the result of the following Snowflake function: hash_my_string(Collibra)
. However, if you apply this custom masking to a date column, the default masking is automatically applied instead. This is because the POST request does not include any mapping for the date data type.
Important The functionName specified in the mapping cannot contain spaces and cannot exceed 255 characters. Ensure that the masking functions exist on your data source provider. If a function does not exist, synchronization fails.
The following is an example of the syntax for a custom masking function in Databricks.
create or replace function mydb.myschema.mystring_function(value STRING)
RETURNS STRING
RETURN concat("---", sha2(value, 0) , "+++");
The following is an example of the syntax for a custom masking function in Snowflake.
create or replace function mydb.myschema.mystring_function(value VARCHAR)
RETURNS VARCHAR
AS
$$
concat('---', sha2(value) , '+++')
$$;
Compatibility between Protect and Edge capability
Protect and Edge capabilities use different delivery mechanisms, which can result in compatibility differences. For example, you might have a version of Protect that supports custom masking, and a version of the Edge capability does not support it. If you use custom masking in a standard or rule, and your installed Edge capability does not support custom masking, synchronization is not triggered.