How to implement dynamic data masking in Fabric Data Warehouse
Applies to: ✅ SQL analytics endpoint and Warehouse in Microsoft Fabric
Dynamic data masking is a cutting-edge data protection technology that helps organizations safeguard sensitive information within their databases. It allows you to define masking rules for specific columns, ensuring that only authorized users see the original data while concealing it for others. Dynamic data masking provides an additional layer of security by dynamically altering the data presented to users, based on their access permissions.
For more information, see Dynamic data masking in Fabric data warehousing.
Prerequisites
Before you begin, make sure you have the following:
- A Microsoft Fabric workspace with an active capacity or trial capacity.
- A Warehouse.
- Dynamic data masking works on SQL analytics endpoint. You can add masks to existing columns using
ALTER TABLE ... ALTER COLUMN
as demonstrated later in this article. - This exercise uses a Warehouse.
- Dynamic data masking works on SQL analytics endpoint. You can add masks to existing columns using
- To administer, a user with the Administrator, Member, or Contributor rights on the workspace, or elevated permissions on the Warehouse.
- In this tutorial, the "admin account".
- To test, a user without the Administrator, Member, or Contributor rights on the workspace, and without elevated permissions on the Warehouse.
- In this tutorial, the "test user".
1. Connect
- Open the Fabric workspace and navigate to the Warehouse you want to apply dynamic data masking to.
- Sign in using an account with elevated access on the Warehouse, either Admin/Member/Contributor role on the workspace or Control Permissions on the Warehouse.
2. Configure dynamic data masking
Sign into the Fabric portal with your admin account.
In the Fabric workspace, navigate to your Warehouse.
Select the New SQL query option, and under Blank, select New SQL query.
In your SQL script, define dynamic data masking rules using the
MASKED WITH FUNCTION
clause. For example:CREATE TABLE dbo.EmployeeData ( EmployeeID INT ,FirstName VARCHAR(50) MASKED WITH (FUNCTION = 'partial(1,"-",2)') NULL ,LastName VARCHAR(50) MASKED WITH (FUNCTION = 'default()') NULL ,SSN CHAR(11) MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NULL ,email VARCHAR(256) NULL ); GO INSERT INTO dbo.EmployeeData VALUES (1, 'TestFirstName', 'TestLastName', '123-45-6789','email@youremail.com'); GO INSERT INTO dbo.EmployeeData VALUES (2, 'First_Name', 'Last_Name', '000-00-0000','email2@youremail2.com'); GO
- The
FirstName
column shows only the first and last two characters of the string, with-
in the middle. - The
LastName
column showsXXXX
. - The
SSN
column showsXXX-XX-
followed by the last four characters of the string.
- The
Select the Run button to execute the script.
Confirm the execution of the script.
The script will apply the specified dynamic data masking rules to the designated columns in your table.
3. Test dynamic data masking
Once the dynamic data masking rules are applied, you can test the masking by querying the table with a test user who does not have the Administrator, Member, or Contributor rights on the workspace, or elevated permissions on the Warehouse.
- Sign in to a tool like Azure Data Studio or SQL Server Management Studio as the test user, for example TestUser@contoso.com.
- As the test user, run a query against the table. The masked data is displayed according to the rules you defined.
SELECT * FROM dbo.EmployeeData;
- With your admin account, grant the
UNMASK
permission from the test user.GRANT UNMASK ON dbo.EmployeeData TO [TestUser@contoso.com];
- As the test user, verify that a user signed in as TestUser@contoso.com can see unmasked data.
SELECT * FROM dbo.EmployeeData;
- With your admin account, revoke the
UNMASK
permission from the test user.REVOKE UNMASK ON dbo.EmployeeData TO [TestUser];
- Verify that the test user cannot see unmasked data, only the masked data.
SELECT * FROM dbo.EmployeeData;
- With your admin account, you can grant and revoke the
UNMASK
permission to a roleGRANT UNMASK ON dbo.EmployeeData TO [TestRole]; REVOKE UNMASK ON dbo.EmployeeData TO [TestRole];
4. Manage and modify dynamic data masking rules
To manage or modify existing dynamic data masking rules, create a new SQL script.
You can add a mask to an existing column, using the
MASKED WITH FUNCTION
clause:ALTER TABLE dbo.EmployeeData ALTER COLUMN [email] ADD MASKED WITH (FUNCTION = 'email()'); GO
ALTER TABLE dbo.EmployeeData ALTER COLUMN [email] DROP MASKED;
5. Cleanup
- To clean up this testing table:
DROP TABLE dbo.EmployeeData;