Create and manage masking rules (preview)

[This article is prerelease documentation and is subject to change.]

Data masking helps protect sensitive information during customer interactions and prevents data leaks. Data masking, also known as de-identification or obfuscation, replaces sensitive data with masked strings. The masked strings ensure that the original, unmasked values remain hidden. Only authorized users can read the unmasked values—one record at a time. In the context of customer interactions, frontline support users are prevented from exposing sensitive information like credit card numbers, social security numbers, or any personal data (PII).

Important

  • This is a preview feature.
  • Preview features aren't meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.

How does masking work?

  • You can create masking rules to set how sensitive information should be masked.

  • These rules use regular expressions to identify specific patterns, for example a credit card number, social security number, and email address.

  • These patterns are detected and the sensitive fields are replaced with masked characters when the row is retrieved.

Create masking rules

You get a predefined set of masking rules to start with, or you can create your own.

  1. Create a solution: Create a solution in Power Apps.

  2. Create a new component: Create components in a solution.

  3. Select the Security menu option and choose Secured masking rule.

    Screenshot that shows the location of the Secured masking rule button in Power Apps.

    The New Masking Rule form appears.

  4. In this form, enter a rule Name in this format: prefix_name where prefix can be CLS_ or New_.

    Screenshot that shows the New masking rule form and some example field values.

  5. Enter a Display Name and Description.

  6. Enter a Regular Expression, chosen from the Regular Expression Language.

    For example, to mask the first five digits of a social security number, use: \d(?=\d{2}-\d{2}-\d{4}|\d-\d{2}-\d{4}|-\d{2}-\d{4}|\d-\d{4}|-\d{4})

    Note

    Your regular expression can have multiple masking rules separated by a pipe |.

    Example: \d(?=\d{2}-\d{2}-\d{4}|\d-\d{2}-\d{4}|-\d{2}-\d{4}|\d-\d{4}|-\d{4})|\S+@\S+\.\S+|[STFGM]\d{4}|(?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})

  7. Enter a Masked Character, for example #.

  8. Enter an original value in the Enter Plain Text Test Data field, for example a social security number, email address, etc.

  9. Enter an original value in the Enter Rich Text Test Data field, for example a social security number, email address, etc. (for testing Text Data type with Rich text format columns).

    Note

    For Rich text field, the raw value of the field needs to be taken into account when defining the Regular Expression. You can view the raw value using a Web API to query the table/column with rich text. For example, https://<org url>/api/data/v9.2/maskingrules(<id>)?$select=richtestdata

    (result)

    "richtestdata": "<div class="ck-content" data-wrapper="true" dir="ltr" style="--ck-image-style-spacing: 1.5em; --ck-inline-image-style-spacing: calc(var(--ck-image-style-spacing) / 2); --ck-color-selector-caption-background: hsl(0, 0%, 97%); --ck-color-selector-caption-text: hsl(0, 0%, 20%); font-family: Segoe UI; font-size: 11pt;"><p style="margin: 0;">123-45-789</p></div>"

  10. Select Save.

    Now you see Masked Plain Text test data, and Masked Rich Text test data.

    Your masked values might be masked like this:

    Regular expression: \d(?=\d{2}-\d{2}-\d{4}|\d-\d{2}-\d{4}|-\d{2}-\d{4}|\d-\d{4}|-\d{4})
    Original values: SSN 123-45-6789
    Masked values: SSN ###-##-6789

    Regular expression: [STFGM]\d{4}
    Original values: AccountNbr A1234567z
    Masked values: AccountNbr #567z

    Regular expression: (?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})
    Original values: MasterCard 5678912345678912
    Masked values: MasterCard #

    Regular expression: (?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})
    Original values: Visa 4567891234567891
    Masked values: Visa #

    Regular expression: \S+@\S+\.\S+
    Original values: Email name@sample.com
    Masked values: Email #

    When a customer sends you an email with sensitive data and the email has this masking rule, you see the masked values only in the body of an email:

    Screenshot showing the result of applying the masking rule in the body of the email.
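The rule patterns from the table above, run offline against the sample values and against a raw rich-text value. This is an added example, not Microsoft's code. It assumes each regex match is replaced by one mask character (inferred from the table), uses Python's re module as a stand-in for the platform's regex engine, and EMAIL_RULE_RICH, rich() and the helper names are hypothetical.

```python
import re

# Rule patterns as given on this page.
SSN_RULE = r"\d(?=\d{2}-\d{2}-\d{4}|\d-\d{2}-\d{4}|-\d{2}-\d{4}|\d-\d{4}|-\d{4})"
EMAIL_RULE = r"\S+@\S+\.\S+"
CARD_RULE = (r"(?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}"
             r"|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}"
             r"|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})")
# Hypothetical tightened email rule (not from the page): never crosses markup.
EMAIL_RULE_RICH = r'[^\s<>"]+@[^\s<>"]+\.[^\s<>"]+'


def apply_rule(pattern, value, mask_char="#"):
    """Assumed semantics: every regex match is replaced by one mask character."""
    return re.sub(pattern, mask_char, value)


def combine(*rules):
    """Several rules in one expression, separated by a pipe."""
    return "|".join(rules)


def rich(value):
    """Constructed raw rich-text value, shortened from the richtestdata shape."""
    return ('<div class="ck-content" style="font-size: 11pt;">'
            f'<p style="margin: 0;">{value}</p></div>')


def wrapper_of(raw):
    """Raw HTML with the text inside <p>...</p> removed."""
    return re.sub(r"(<p[^>]*>).*?(</p>)", r"\1\2", raw)


def rule_preserves_markup(pattern, value):
    """True when masking changes only the value, not the surrounding tags."""
    raw = rich(value)
    return wrapper_of(apply_rule(pattern, raw)) == wrapper_of(raw)


if __name__ == "__main__":
    all_rules = combine(SSN_RULE, EMAIL_RULE, CARD_RULE)
    for sample in ("SSN 123-45-6789", "Email name@sample.com",
                   "MasterCard 5678912345678912", "Visa 4567891234567891"):
        print(f"{sample!r:32} -> {apply_rule(all_rules, sample)!r}")
    for name, rule, value in (("SSN", SSN_RULE, "123-45-6789"),
                              ("email", EMAIL_RULE, "name@sample.com"),
                              ("email (tightened)", EMAIL_RULE_RICH, "name@sample.com")):
        print(f"{name:18} preserves markup: {rule_preserves_markup(rule, value)}")
```

On the raw rich-text value, \S+ in the email rule runs through the adjacent attribute text and closing tags, so the match takes markup with it; the SSN rule's lookahead touches only the digits of the value.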

Manage masking rules

Get the list of masking rules

  1. Go to the Power Apps portal.

  2. Select the environment where you want to see the list of masking rules.

  3. Select Tables and choose the All filter.

  4. Enter masking rule in the search bar.

  5. Select the line Table Masking Rule with Name maskingrule.

    A list of masking rules is displayed. You can expand the list by selecting the + more dropdown.

Add a masking rule to a secured column

  1. Go to the Power Apps portal.

  2. Select the environment where you want to add a masking rule to a column.

  3. Select Tables from the navigation menu and choose your preferred table with a secured column.

  4. Select Columns under the Schema section.

    Screenshot that shows the location of the Columns option under the Schema section.

  5. Select a column to open and edit it. You see the Edit column pane.

  6. Expand Advanced options.

    1. Check Enable column security if the box isn't checked.

    2. Select the Masking rule dropdown.

    3. Select a masking rule.

    Screenshot showing the components that need to be selected in the Edit column pane.

  7. Select Save.

Note

A masking rule can be set on columns of these data types:

  1. Text (single-line and multi-line).
  2. Number.

Grant permissions to a secured column with a masking rule

Permissions to read masked fields are granted using the Column security profiles.

Users or Teams groups can be granted access through column security:

Screenshot that shows the Edit column security panel where you can set permissions to users or Teams groups.

  • Read

    Allowed - Reading the secured column is allowed. Masked values are shown if a masking rule is applied to the column.

  • Read unmasked

    Not Allowed - When Read is allowed and Read unmasked isn't allowed, masked values are shown.

    One Record – Users are allowed to read unmasked values. Unmasked values are only returned when you request one record at a time. These values should be allowed for users who manage and maintain secured columns.

    All records – Users are allowed to retrieve and read multiple records with unmasked values. This setting is highly privileged. Read unmasked should only be allowed for backend services that require unmasked values for backend processing.

  • Update

    Allowed - Users are allowed to update records.

  • Create

    Allowed - Users are allowed to create records.

Note

System and application users with Read and Read unmasked permissions will get masked values by default. To read unmasked values, see options for viewing masked fields.

View all columns that have a masking rule

You can get a list of all secured columns from all tables with masking rules.

  1. Go to the Power Apps portal.

  2. Select the environment where you want to view all the columns with a masking rule.

  3. Select Tables and choose the All filter.

  4. Enter attributemaskingrule in the search bar.

  5. Select the AttributeMaskingRule table.

    A list of columns with masking rules is displayed. You can expand the list by selecting the + more dropdown.

How are masked fields displayed?

If you have permission to Read unmasked fields, you see masked values by default here:

Field type      Masked columns returned with masked values?
Grid            Always
Form            Always
Copilot         Always
Excel report    Always

Note

The audit log shows unmasked values in the before-and-after update events. Grant permission to read audit logs only to authorized users.

Options for viewing masked fields

Note

These options are available during preview.

Permission to read unmasked values is required. You can read unmasked values in a record.

In these examples, replace <url>, <table collection name>, and <recordid> with your own values.

  • Example for all masked columns in a record:

    https://<url>/api/data/v9.1/<table collection name>(<recordid>)?UnMaskedData=true

  • Example for individual masked columns:

    Replace <column_name> with your secured column name.

    https://<url>/api/data/v9.1/<table collection name>(<recordid>)?$select=<column_name>&UnMaskedData=true

Known limitations

  • Reading unmasked values on the form

    Masked values are displayed on the detail/main form. In future releases, there should be a button to allow users who have the Read unmasked permission to read the unmasked values.

  • Creating and updating unmasked values on the form

    When you create a new record, you enter the sensitive field as unmasked values. After you save, the form automatically refreshes, and the sensitive field is immediately masked. You can update the field but make sure that you enter the unmasked values.

  • Audit log

    Unmasked values are displayed in the audit log. In future releases, these will be masked, with an option to read unmasked values for users who have the Read unmasked permission.