You can translate the question and the replies:

Data Masking

Hi , Currently in Denodo if we mark a feild as Sensitive, it makes the value as NULL when a select is run on the view. Is there a way by which we can have a custom mask value instead of NULL. As NULL does not provide the correct picture, it does not help in knowing if the value was actaully NULL in source or has Denodo changed that.
user
05-04-2017 13:55:05 -0400
code

1 Answer

Hi, To apply a custom dynamic mask you need to create a derived field to mask the sensitive data. You can include CASE logic in the derived field that outputs an appropriate mask based on the roles assigned to the session user. This can be done using Denodo's out of the box VQL functions. For example, you could create a selection P_EMPLOYEE which includes a derived attribute SSN, from an EMPLOYEE that masks the EMPLOYEE.SSN dynamically as follows: The **getsession()** function retreives the roles for the session user and these can be tested and an appropriate mask applied. ``` CASE WHEN (instr(array_to_string(':', getsession('roles')), 'MANAGER_ROLE') < 0) THEN substr(EMPLOYEE.SSN, 1,3)||'XXXXXXX' ELSE EMPLOYEE.SSN END ``` When a user queries the P_EMPLOYEE view, if their roles includes the MANAGER_ROLE then the SSN field will be output without masking, whereas if the user does not have the MANAGER_ROLE, then only the first three characters of the SSN will be output padded with 'X's. Hope this helps!
Denodo Team
06-04-2017 04:32:21 -0400
code
You must sign in to add an answer. If you do not have an account, you can register here