Different masking levels applied to the same column
Background
Masking levels are used to protect data in specific columns based on the Data Category or Data Classification assigned to the columns.
Protect offers the following levels of column masking, ordered from most masked to least masked.
Masking level | Restrictiveness scale | Description |
---|---|---|
Custom masking | Most restrictive masking | Shows the data as you define. For more information, go to Custom masking. |
Default masking | Highly restrictive masking | Shows the data as 0. |
Hashing | Moderately restrictive masking | Shows the data as a set of different letters, numbers, and symbols. |
Show last | Less restrictive masking | Shows the last few characters of the data. You can choose to show the last 1 through 20 characters of the data, with 4 being the most common choice. |
No masking | Least restrictive masking | Shows the original data. This masking level is available only in data access rules. |
When does a masking conflict occur?
What happens when a masking conflict occurs?
When a masking conflict occurs within a single rule or standard, the rule or standard fails during synchronization.
When a masking conflict occurs between multiple rules, multiple standards, or a combination of both:
- If the sync status of one was already Active, then the other changes to Failed.
- If the sync status of both is Active or Pending, then both change to Failed.
Examples
The following examples describe what happens when you try to apply different masking levels to the same column. The examples focus on masking conflicts in rules, but the same behaviors apply to masking conflicts between multiple standards and between a standard and a rule.
Scenario
This scenario considers a single rule that applies different masking levels to multiple Data Categories that share the same column.
- The rule grants access to the Marketing group for the following assets: Customer Data, Audit & Internal Controls.
- The rule masks columns that are categorized as Personal Information in the selected assets by hashing.
- The rule masks columns that are categorized as Personal and family details in the selected assets by showing the last 2 characters.
- Both Customer Data and Audit & Internal Controls assets contain a column that is categorized as both Personal Information and Personal and family details.
Behavior
The rule will fail upon synchronization because of a masking conflict. The conflict occurs because a column is categorized as both Personal Information and Personal and family details, and Protect can't apply two different masking levels (Hashing and Show last) to the same column for the same group (Marketing).
Tip: To resolve the conflict, decide which masking level or Data Category should take precedence, and then remove one of the two masking levels or Data Categories.
Scenario
This scenario is similar to the previous scenario except that this scenario considers two rules instead of one, with both rules granting access to the same group.
- The first rule grants access to the Marketing group for the Customer Data asset.
- The first rule masks columns that are categorized as Personal Information in the Customer Data asset by hashing.
- The second rule grants access to the Marketing group for the Audit & Internal Controls asset.
- The second rule masks columns that are categorized as Personal and family details in the Audit & Internal Controls asset by showing the last 2 characters.
- Both Customer Data and Audit & Internal Controls assets contain a column that is categorized as both Personal Information and Personal and family details.
Behavior
Both rules will fail upon synchronization because of a masking conflict. The conflict occurs because a column is categorized as both Personal Information and Personal and family details, and Protect can't apply two different masking levels (Hashing and Show last) to the same column for the same group (Marketing).
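The check described in both scenarios can be run against a rule set before synchronization. The following Python sketch is an added example, not Protect's own code or API: the rule dictionaries, column names, and function names are hypothetical, the sample data is constructed from the second scenario, the shared column is modeled as one column listed under both assets, and masking levels are compared as plain labels.

```python
from collections import defaultdict

# Constructed sample data modelled on the second scenario (not exported from Protect).
ASSETS = {
    "Customer Data": {"crm.customers.full_name", "crm.customers.country"},
    "Audit & Internal Controls": {"crm.customers.full_name", "audit.log.actor"},
}
COLUMN_CATEGORIES = {
    "crm.customers.full_name": {"Personal Information", "Personal and family details"},
    "crm.customers.country": {"Personal Information"},
    "audit.log.actor": set(),
}
RULES = [
    {"name": "rule-1", "group": "Marketing", "assets": ["Customer Data"],
     "masks": {"Personal Information": "Hashing"}},
    {"name": "rule-2", "group": "Marketing", "assets": ["Audit & Internal Controls"],
     "masks": {"Personal and family details": "Show last 2"}},
]

def find_masking_conflicts(rules, assets, column_categories):
    """Return {(group, column): {level: {rule names}}} for every column that
    would receive more than one distinct masking level for the same group."""
    applied = defaultdict(lambda: defaultdict(set))
    for rule in rules:
        for asset in rule["assets"]:
            for column in assets[asset]:
                for category in column_categories.get(column, ()):
                    level = rule["masks"].get(category)
                    if level is not None:
                        applied[(rule["group"], column)][level].add(rule["name"])
    return {key: {lvl: set(names) for lvl, names in levels.items()}
            for key, levels in applied.items() if len(levels) > 1}

def rules_in_conflict(conflicts):
    """Names of all rules that contribute a masking level to a conflicted column."""
    return {name for levels in conflicts.values()
            for names in levels.values() for name in names}

if __name__ == "__main__":
    conflicts = find_masking_conflicts(RULES, ASSETS, COLUMN_CATEGORIES)
    for (group, column), levels in sorted(conflicts.items()):
        print(f"{group} / {column}: {sorted(levels)}")
    print("rules in conflict:", sorted(rules_in_conflict(conflicts)))
```

A single rule that carries both masks over both assets, as in the first scenario, is reported the same way, with only that rule's name listed against each level.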