Overview of dynamic data masking in OpenEdge database
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
- Documentation
DDM refers to the ability of the system to mask sensitive data from unauthorized users. For example, only someone in an HR role should be able to see the salaries of employees; all others see a masked value of the Employee.salary column.
A mask is a format string representation that is set up against the columns of a table. A masking rule allows you to establish how to hide the data from unauthorized users. An unauthorized user sees the masked value whenever the column value is:
- Assigned to a program variable or a temp-table column
- Exported to a file
- Referenced in a conditional statement
- Passed as a parameter
- Displayed on the screen as a query result set
The underlying data is stored in its original, unmasked format in the database. If a query of any type, such as a SQL query or an ABL FIND, FOR EACH, and so on, uses the masked or DDM-configured column as part of the query processing, the query engine can always see the unmasked value. However, when the data is retrieved as a query result set, unauthorized users see the masked version of the data.
DDM configuration uses Role-Based Access Control (RBAC) to manage the privileges granted to users for data unmasking. A DDM administrator can configure a mask over the table fields that hides the sensitive data in the result set of a query, and can also create new authorization tags and assign them to user-defined roles. After mapping the roles and authorization tags together, the administrator can then map these authorization tags to the table fields.
For more information on the available mask configuration types and authorization tags, see Dynamic data mask configurations and Authorization tags.
Currently, you use the methods available through the IDataAdminService interface to create mask configurations and authorization tags. For more information on the IDataAdminService methods that you can utilize to set or unset (reset) the mask configurations and manage authorization tags, see IDataAdminService interface.
When DDM is set up for a column in a database, it affects only the database clients, such as the ABL client, the PASOE agent, or the SQL Server client. DDM does not affect any of the existing OpenEdge database utilities, such as binary dump or load, auditing, table move, or index activation.
Data masking applies to all data types except character large objects (CLOB) and binary large objects (BLOB). Masking also applies to the change data capture (CDC) tables. By default, any CDC change table inherits the mask configurations from its parent table at the time of creation. The DDM administrator can change the mask configuration for the CDC table afterwards. Data retrieved by querying a CDC change table is masked for unauthorized users.
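The following is an added model of the DDM semantics described above (the role-to-tag-to-column mapping, the query engine evaluating on unmasked values while the result set is masked for users without the tag, and a CDC change table inheriting its parent's mask at creation). It is illustration code written for this page, not OpenEdge or IDataAdminService code; the table, column, role, tag and user names, the mask string, and the sample rows are all constructed for the example.

```python
"""Model of dynamic data masking (DDM) semantics.

Added illustration, not OpenEdge product code. It models three rules:
  * predicates are evaluated on the unmasked value (the query engine always
    sees real data),
  * the result set shows the mask to users whose roles lack the authorization
    tag mapped to the column,
  * a CDC change table inherits the parent's mask configuration when created
    and can be reconfigured afterwards.
All names and data below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class MaskConfig:
    """Mask set against one column: the literal shown instead of the value."""
    table: str
    column: str
    mask: str      # format string displayed to unauthorized users
    auth_tag: str  # authorization tag a role must hold to see the real value


@dataclass
class DdmCatalog:
    masks: dict = field(default_factory=dict)       # (table, column) -> MaskConfig
    role_tags: dict = field(default_factory=dict)   # role -> set of tags
    user_roles: dict = field(default_factory=dict)  # user -> set of roles

    def set_mask(self, cfg):
        self.masks[(cfg.table, cfg.column)] = cfg

    def unset_mask(self, table, column):
        """Reset a column to unmasked."""
        self.masks.pop((table, column), None)

    def grant_tag(self, role, tag):
        self.role_tags.setdefault(role, set()).add(tag)

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def user_tags(self, user):
        tags = set()
        for role in self.user_roles.get(user, ()):
            tags |= self.role_tags.get(role, set())
        return tags

    def can_unmask(self, user, table, column):
        cfg = self.masks.get((table, column))
        return cfg is None or cfg.auth_tag in self.user_tags(user)

    def create_cdc_table(self, parent, cdc_table):
        """A change table inherits the parent's masks at creation time."""
        for (table, column), cfg in list(self.masks.items()):
            if table == parent:
                self.set_mask(MaskConfig(cdc_table, column, cfg.mask, cfg.auth_tag))


def query(catalog, user, table, rows, predicate):
    """Filter on raw rows, then mask each column of the result set per user."""
    result = []
    for row in rows:
        if not predicate(row):  # evaluated on the unmasked value
            continue
        out = {}
        for col, val in row.items():
            if catalog.can_unmask(user, table, col):
                out[col] = val
            else:
                out[col] = catalog.masks[(table, col)].mask
        result.append(out)
    return result


def demo():
    """Constructed scenario: HR role holds the tag, Staff does not."""
    cat = DdmCatalog()
    cat.set_mask(MaskConfig("Employee", "salary", "#####", "SEE_SALARY"))
    cat.grant_tag("HR", "SEE_SALARY")
    cat.assign_role("alice", "HR")
    cat.assign_role("bob", "Staff")
    cat.create_cdc_table("Employee", "Employee_CDC")  # inherits the salary mask
    employees = [  # constructed sample rows
        {"name": "Ann", "salary": 120000},
        {"name": "Ben", "salary": 80000},
    ]
    high_earners = lambda r: r["salary"] > 100000
    return {
        "hr": query(cat, "alice", "Employee", employees, high_earners),
        "staff": query(cat, "bob", "Employee", employees, high_earners),
        "staff_cdc": query(cat, "bob", "Employee_CDC", employees, high_earners),
    }


if __name__ == "__main__":
    for who, rows in demo().items():
        print(who, rows)
```

Note that both users receive the same single row: the filter ran on the real salary, and only the displayed value differs by role, which is exactly the behaviour the text describes for query processing versus the result set. The CDC query shows the inherited mask applying to the change table without any separate configuration.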