Hi,
To apply a custom dynamic mask you need to create a derived field to mask the sensitive data.
You can include CASE logic in the derived field that outputs an appropriate mask based on the roles assigned to the session user. This can be done using Denodo's out of the box VQL functions.
For example, you could create a selection P_EMPLOYEE which includes a derived attribute SSN, from an EMPLOYEE that masks the EMPLOYEE.SSN dynamically as follows:
The **getsession()** function retreives the roles for the session user and these can be tested and an appropriate mask applied.
```
CASE WHEN (instr(array_to_string(':', getsession('roles')), 'MANAGER_ROLE') < 0) THEN substr(EMPLOYEE.SSN, 1,3)||'XXXXXXX' ELSE EMPLOYEE.SSN END
```
When a user queries the P_EMPLOYEE view, if their roles includes the MANAGER_ROLE then the SSN field will be output without masking, whereas if the user does not have the MANAGER_ROLE, then only the first three characters of the SSN will be output padded with 'X's.
Hope this helps!