Create or edit column masks

In Data Access, a column mask is a type of access control that masks data in specific columns for everyone except its beneficiaries. The beneficiaries see unmasked data in those columns, provided that they have access on the tables.

You can create a new column mask to securely hide sensitive data by defining which columns to mask and who can bypass the mask. You can add identities or groups as beneficiaries to bypass the mask, which creates a global exception. You can also add a role as a beneficiary, which creates a local exception. With a local exception, the beneficiaries of that role can see unmasked data in only those columns that belong to the tables on which the role grants access. Any columns that are outside the scope of the role remain masked for the beneficiaries of the role.
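The difference between a global and a local exception, as an added Python model (not part of the original page and not Collibra's code). The class names, the `view` function, and the sample users, tables and role are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    members: frozenset  # beneficiaries of the role
    tables: frozenset   # tables on which the role grants access

@dataclass
class ColumnMask:
    columns: set                                  # masked (table, column) pairs
    identities: set = field(default_factory=set)  # global exception
    groups: dict = field(default_factory=dict)    # group name -> members, global exception
    roles: list = field(default_factory=list)     # Role objects, local exception

def view(mask, user, table, column, table_access):
    """Return 'denied', 'masked' or 'unmasked' for one user and one column.

    table_access maps each user to the tables they can read by any means.
    """
    if table not in table_access.get(user, set()):
        return "denied"      # an exception never grants table access by itself
    if (table, column) not in mask.columns:
        return "unmasked"    # column is not covered by this mask
    if user in mask.identities or any(user in m for m in mask.groups.values()):
        return "unmasked"    # global: every table associated with the mask
    for role in mask.roles:
        # Local: only columns of tables on which this role grants access.
        if user in role.members and table in role.tables:
            return "unmasked"
    return "masked"

# Constructed sample data (hypothetical users, tables and role).
PAYROLL = Role(frozenset({"bob"}), frozenset({"finance.payroll"}))
MASK = ColumnMask(
    columns={("hr.employees", "ssn"), ("finance.payroll", "ssn")},
    identities={"alice"},
    groups={"auditors": {"carol"}},
    roles=[PAYROLL],
)
ACCESS = {
    "alice": {"hr.employees", "finance.payroll"},
    "bob": {"hr.employees", "finance.payroll"},  # hr.employees via another role
    "carol": {"finance.payroll"},
    "dave": {"hr.employees"},
}

if __name__ == "__main__":
    for user in sorted(ACCESS):
        for table, column in sorted(MASK.columns):
            print(user, table, column, view(MASK, user, table, column, ACCESS))
```

In this model, bob sees `ssn` unmasked in `finance.payroll` but masked in `hr.employees`, because the role that makes him a beneficiary does not grant access on that table.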

You can also edit a column mask that was imported into Data Access. Editing an imported access control internalizes it, which changes the value in the Managed in field in the Details sidebar from Data source to Collibra. As a result, Data Access overwrites any further changes made to the access control in the data source.

Prerequisites

Steps

  1. On the Data Access landing page, click ACCESS CONTROLS > Column masks.
  2. Do one of the following:
    • To create a column mask: Click Create column mask. On the Create column mask page, enter the information, and then click Create.
    • To edit a column mask: Click the name of the column mask, and then click Edit. Edit the information, and then click Save or Internalize & Save (shown when you edit an imported column mask).

Result

Field reference

Use this section to guide you when you create or edit a column mask.

General

In the General section, specify the basic properties of the column mask.

• Name: A unique display name for the column mask, for example, Mask PII.

  Tip: The technical name of an access control is used to generate the name of the corresponding access control in the underlying data source. By default, the technical name matches the display name. To specify a different technical name, use the Advanced option. This option applies only to data sources that use named entities to represent access controls. If you change the name in the Name field after generating a technical name, the corresponding access control in the underlying data source is renamed during the next synchronization.

• Description: A brief explanation of the column mask's purpose, for example, Mask PII for everyone except Finance.

Masking rule

Specify the columns that you want to mask. If the column mask was already created, on the column mask page, click Edit, and then complete the following steps.

  1. In the Masking rule section, click Add.
  2. In the Add access on dialog box, select one of the following options, and then click Continue.
    • Data objects: Allows you to mask the columns that you specify.
    • Dynamic rule: Allows you to mask the columns that meet the conditions that you specify.

  3. If you selected Data objects:
    1. In the Select the tables you want to mask dialog box, select the tables or table views to which the columns belong, and then click Continue.
    2. In the Add access on dialog box, select the columns, and then click Add.
  4. To change the masking method for the columns:
    1. In the Where does the access apply section, double-click the current value in the Masking method column.
    2. In the Edit masking type dialog box, select the new masking method, and then click Apply.
Tip: Remember to save your changes.

The column mask that you created or edited masks the data in the columns for everyone. If, however, you want specific identities to be able to see unmasked data in the columns, complete the Authorized identities section.

Authorized identities

Specify the identities who can see unmasked data in the columns. You can also specify groups and other roles. If the column mask was already created, on the column mask page, click Edit, and then complete the following steps.

  1. In the Authorized identities section, click Add.
  2. In the Add access to dialog box, select one of the following options, and then click Continue.
    • Identities: Grants a global exception. Shows unmasked data in the columns to the identities that you specify, across all tables associated with the column mask, provided that those identities have access on the tables to which the columns belong.
    • Groups: Grants a global exception. Shows unmasked data in the columns to all the identities within the groups that you specify, across all tables associated with the column mask, provided that those identities have access on the tables to which the columns belong.
    • Roles: Grants a local exception. Shows unmasked data in the columns to the beneficiaries of the roles that you specify, provided that those roles grant access on the tables to which the columns belong.

  3. Select one or more identities, groups, or roles. If you previously selected Dynamic rule, in the Dynamic rule dialog box, enter the required information.
  4. Click Continue.
  5. In the Select an access type dialog box, select one of the following options, which apply only to identities, groups, and dynamic rules.
    • Granted: Identities receive immediate access to see the unmasked data until the end date, which is set to Unlimited by default.
    • On request: Identities must request access when they need it. Once requested, they receive access immediately, but only for the duration set in the Grant access for field, which is set to 14 days by default. They can request access multiple times until the end date, which is set to Unlimited by default. Each new request grants access for the specified duration (time does not accumulate). On the end date, the access is revoked and the identity can no longer request it.

  6. Click Add.
  7. To change the end date (which indicates when access is revoked) for the identities, groups, or roles that you selected:
    1. In the Who has access section, double-click the current value in the Expires at column.
    2. In the Edit end date on dialog box, select the new end date, and then click Apply.
Tip: Remember to save your changes.
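The On request timing from step 5, as an added Python sketch for access reviews (not part of the original page and not Collibra's code). It rebuilds the windows during which an identity could see unmasked data from a list of request times. It assumes that "time does not accumulate" means each grant is counted from its own request, and that a grant is cut short at the end date; the function names and sample dates are hypothetical.

```python
from datetime import datetime, timedelta

def unmasked_intervals(requests, grant_for=timedelta(days=14), end_date=None):
    """Return merged (start, stop) windows of unmasked access.

    end_date=None models the default end date of Unlimited.
    """
    merged = []
    for start in sorted(requests):
        if end_date is not None and start >= end_date:
            continue                    # no new requests from the end date on
        # The duration runs from this request; it is not added to whatever
        # was left of an earlier grant (assumed reading of the page).
        stop = start + grant_for
        if end_date is not None:
            stop = min(stop, end_date)  # access is revoked on the end date
        if merged and start <= merged[-1][1]:
            # Overlaps the previous grant: extend it instead of stacking.
            merged[-1] = (merged[-1][0], max(merged[-1][1], stop))
        else:
            merged.append((start, stop))
    return merged

def total_days(intervals):
    """Whole days of unmasked access covered by the merged windows."""
    return sum((stop - start for start, stop in intervals), timedelta()).days

# Constructed sample: four requests against an end date of 10 March 2024.
REQUESTS = [
    datetime(2024, 1, 1),
    datetime(2024, 1, 11),   # overlaps the first grant
    datetime(2024, 3, 1),    # grant is cut at the end date
    datetime(2024, 4, 10),   # after the end date: refused
]
END = datetime(2024, 3, 10)

if __name__ == "__main__":
    windows = unmasked_intervals(REQUESTS, end_date=END)
    for start, stop in windows:
        print(start.date(), "->", stop.date())
    print("days unmasked:", total_days(windows))
```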
