Dynamic data masking (DDM) is the ability of the system to dynamically obfuscate sensitive data so that unauthorized users cannot see it. For example, if an HR role has DDM privileges over the salary column, only the HR personnel assigned to that role can view employee salaries. Everyone else sees a masked version of the salary.

The underlying data is stored in its original, unmasked state within the database. If a query of any type (a SQL query, an ABL FIND or FOR EACH, and so on) uses a DDM-configured column as part of query processing, the query engine always sees the unmasked value. However, when the data is returned in the query result set, unauthorized users see the masked version of the data.

A DDM administrator can configure a mask for the fields of a table that hides the sensitive data in the result set of a query. The DDM administrator also controls the access privileges of users to view the unmasked values of specific fields.
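The two paragraphs above (unmasked storage and query processing, and administrator-configured masks and privileges) can be pictured with a small Python model. This is an added illustration, not OpenEdge code or its API; the table contents, user names, privilege tables, and the mask string "XXXXX" are constructed assumptions.

```python
# Simplified model of dynamic data masking. Not OpenEdge code or its API.
# All names, rows, and the mask string below are constructed for illustration.

EMPLOYEES = [  # rows are stored unmasked
    {"name": "Ana", "dept": "Eng", "salary": 120000},
    {"name": "Ben", "dept": "Ops", "salary": 70000},
    {"name": "Cy", "dept": "Eng", "salary": 95000},
]

MASKS = {"salary": "XXXXX"}         # field -> mask configured by the DDM administrator
UNMASK_ROLES = {"salary": {"HR"}}   # field -> roles privileged to see real values
USER_ROLES = {"hr_user": {"HR"}, "eng_manager": {"Manager"}}


def can_unmask(user, field):
    """True if any of the user's roles holds the unmask privilege for the field."""
    return bool(USER_ROLES.get(user, set()) & UNMASK_ROLES.get(field, set()))


def query(user, columns, where=lambda row: True, order_by=None):
    """Run a query for `user` and return the result set that user would see."""
    # Query processing (filtering, ordering) operates on the stored values,
    # whoever the user is.
    rows = [r for r in EMPLOYEES if where(r)]
    if order_by:
        rows.sort(key=lambda r: r[order_by])

    # Masking is applied only while the result set is built.
    result = []
    for r in rows:
        out = {}
        for col in columns:
            masked = col in MASKS and not can_unmask(user, col)
            out[col] = MASKS[col] if masked else r[col]
        result.append(out)
    return result


if __name__ == "__main__":
    print(query("hr_user", ["name", "salary"]))
    print(query("eng_manager", ["name", "salary"]))
    # The filter and ordering use stored salaries; the output column is still masked.
    print(query("eng_manager", ["name", "salary"],
                where=lambda r: r["salary"] > 90000, order_by="salary"))
```
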

When DDM is set up for a field in a database, it affects the database clients, like the ABL client, the Progress Application Server (PAS) for OpenEdge agent, or the SQL Server client. DDM does not affect any of the OpenEdge database utilities, such as binary dump or load, auditing, Table move, or Index activation.

DDM applies to all data types except character large objects (CLOB) and binary large objects (BLOB). Masking also applies to the change data capture (CDC) tables. By default, any CDC change table inherits the mask configurations from its parent table at the time of creation, and the DDM administrator can change these configurations later. Data that a client retrieves by querying a CDC change table is masked if you do not have unmasking privileges over the data.

You can also configure fields of user-defined multi-tenant tables for DDM. However, because the configuration occurs at the table level and is not tenancy-specific, the DDM settings apply to all tenants.

Depending on your privileges, DDM affects the behavior of various commands, clauses, and other database objects such as triggers, user-defined functions, stored procedures, and so on.

To learn more about how DDM affects SQL constructs, see Impact of Dynamic Data Masking on SQL constructs.