Dynamic data masking (DDM) refers to the ability of the system to obfuscate or mask sensitive data dynamically from unauthorized users. For example, if an HR role has DDM privileges over the Salary field, only the HR personnel assigned to that role can view employee salaries. Everyone else sees a masked version of the salary.

DDM configuration uses Role-Based Access Control (RBAC) to control the privileges granted to users for data unmasking. A DDM administrator can configure a mask over table fields, which hides the sensitive data in the result set of a query, and can create new authorization tags and assign them to user-defined roles. After mapping the roles and authorization tags together, the administrator maps these authorization tags to the table fields.

For more information on the available mask configuration types and authorization tags, see Dynamic data mask configurations and Authorization tags.

Currently, you use the methods available through the IDataAdminService interface to create mask configurations and authorization tags.

For more information on the IDataAdminService methods that you can utilize to set or unset (reset) the mask configurations and manage authorization tags, see IDataAdminService interface.

The DDM administrator also controls the access privileges of users to view the unmasked values of specific fields.

For more information about RBAC, see Access control to support OpenEdge dynamic data masking.

The underlying data is stored in its original, unmasked state within the database. If you do not have permission to unmask a field, the data in the field is masked when it is:
  • Sent outside of the SQL engine.
  • Utilized in inner queries, where the potential for indirect access to sensitive data exists.
Depending on your privileges, DDM affects the behavior of various SQL commands, clauses, and other database objects such as triggers, user-defined functions, stored procedures, and so on.

To learn more about how DDM affects SQL constructs, see Impact of Dynamic Data Masking on SQL constructs.

Note: The SQL engine always uses the unmasked values of a DDM-configured field for query processing, regardless of the user privileges and the mask configuration applied to the field.
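
A small Python model of the behavior described above, added here as an illustration and not OpenEdge code: roles map to authorization tags, tags map to fields, predicates run against the unmasked values, and masking is applied only as rows leave the engine. The role, tag and user names, the `full_mask` function and the sample rows are constructed assumptions.

```python
# Added illustration, not OpenEdge code. Role, tag and user names, the mask
# behavior and the sample rows are all constructed assumptions.
ROWS = [  # stored unmasked, as the page describes
    {"Name": "Ana", "Salary": 120000},
    {"Name": "Ben", "Salary": 45000},
    {"Name": "Cy", "Salary": 98000},
]

def full_mask(value):
    """Hypothetical mask: hide the value entirely."""
    return 0 if isinstance(value, (int, float)) else "XXXX"

class DDMPolicy:
    def __init__(self, field_masks, role_tags, user_roles):
        self.field_masks = field_masks  # field -> (authorization tag, mask function)
        self.role_tags = role_tags      # role  -> set of authorization tags
        self.user_roles = user_roles    # user  -> set of roles

    def can_unmask(self, user, field):
        if field not in self.field_masks:
            return True  # no mask configured on this field
        tag, _ = self.field_masks[field]
        roles = self.user_roles.get(user, set())
        return any(tag in self.role_tags.get(role, set()) for role in roles)

    def query(self, user, rows, columns, where=lambda row: True):
        result = []
        for row in rows:
            if not where(row):  # predicate sees the unmasked values
                continue
            out = {}
            for col in columns:
                value = row[col]
                if not self.can_unmask(user, col):
                    value = self.field_masks[col][1](value)  # mask on the way out
                out[col] = value
            result.append(out)
        return result

POLICY = DDMPolicy(
    field_masks={"Salary": ("HR_TAG", full_mask)},
    role_tags={"HR": {"HR_TAG"}},
    user_roles={"hr_user": {"HR"}, "dev_user": {"Developer"}},
)

def high_earners(user):
    """Rows with Salary > 90000, as seen by the given user."""
    return POLICY.query(user, ROWS, ["Name", "Salary"], lambda r: r["Salary"] > 90000)
```

Both users get the same two rows from `high_earners`; only the value shown in the Salary column differs.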
If the tables are in the PUB schema, the mask configurations apply to all fields of those tables, regardless of whether they are created with the ABL virtual machine (AVM) or SQL interfaces. However, for tables created using SQL interfaces, you can apply mask configurations to only those fields that have a corresponding ABL datatype, as shown in the following table:
Table 1. ABL and corresponding SQL data type

ABL data type    SQL data type
-------------    ------------------
CHARACTER        VARCHAR
DATE             DATE
DECIMAL          DECIMAL or NUMERIC
INTEGER          INTEGER
INT64            BIGINT
LOGICAL          BIT
RAW              VARBINARY
RECID            INTEGER
DATE-TIME        TIMESTAMP

Furthermore, tables created using SQL interfaces, which are not part of the PUB schema, are not visible to AVM. Therefore, creating mask configuration for fields of such tables is not possible. Similarly, you cannot mask the fields in the schema tables.
Note: DDM is supported only for tables in the PUB schema.

Data masking applies to all data types except character large objects (CLOB) and binary large objects (BLOB). Masking also applies to the change data capture (CDC) tables. By default, any CDC table inherits the mask configurations from its parent table at the time of creation. The DDM administrator can change the mask configuration for the CDC table afterwards. Data retrieved by querying the SQL engine from a CDC change table is masked if you do not have unmasking privileges over the data.

You need to enable and activate the DDM feature before configuring and using it. The following PROUTIL utilities manage DDM in the OpenEdge database:
  • PROUTIL ENABLEDDM
  • PROUTIL ACTIVATEDDM
  • PROUTIL DEACTIVATEDDM
  • PROUTIL DISABLEDDM

To learn more about each of these utilities, see Database utilities for administering dynamic data masking.

For more information on how to configure DDM and how to get started, see Introduction to Dynamic Data Masking in the Learn about Security and Auditing.