Multiuser data masking
Recent DbDefence versions introduce a feature called "Multiuser data masking". It displays different masks depending on the login name, without any modification to your existing application (web or desktop). For example, one and the same simple query returns masked data for an unprivileged login, a different mask for a login with a bit more privileges, and the unmasked data for a special dedicated login (not necessarily a DBA or sa account).
Multiuser data masking is set up in the masking rule file by adding a special "for:" rule, which names the login that the rules following it apply to.
Consider the following example:
my_table1 secure_field1 '***'
my_table1 secure_field2 '***'
for: login1
for: login2
my_table1 secure_field1 '***' + right (secure_field1,3)
my_table1 secure_field2 '***' + right (secure_field2,3)
In this example, the first two rules (the default rules) apply to all existing logins: they mask the columns secure_field1 and secure_field2 and display '***' instead.
There are special rules for login1 and login2 (note the "for:" lines). Those rules show '***' followed by the last three characters of the columns secure_field1 and secure_field2.
Finally, if you need a login that will read unmasked values, specify it on the "Allowed logins" tab.
If you omit the default masks (the first two rules in our case), only login1 and login2 are masked; all other logins read unmasked values. For example, the following short set of rules lets every existing login read unmasked data except the login least_privileged, which sees the mask '***' for column secure_field1 in table my_table1:
for: least_privileged
my_table1 secure_field1 '***'
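To make the rule semantics concrete, the following is an added example written for this page: a small Python simulation of how a rule file is read and what each login gets back from the same SELECT. It is not DbDefence's parser or masking engine. Everything beyond what the text states is an assumption and is listed in the module docstring: the line format, how consecutive "for:" lines group logins, precedence between login-specific and default rules, the two supported mask expressions, and modelling the "Allowed logins" tab as a set. The login names app_user and reporting and the sample row values are made up for the example.

```python
"""Simulation of the multiuser masking rule semantics described on this page.

Added example for this page; it is NOT DbDefence's own parser or engine.
Assumptions (not stated by the page, made only so the example runs):
  * a rule line is "<table> <column> <mask expression>";
  * a "for: <login>" line opens a login group; consecutive "for:" lines
    accumulate logins, and the rules that follow apply to all of them;
  * rules that appear before any "for:" line are defaults for every login;
  * when both a login-specific and a default rule match a column, the
    login-specific one wins; among several matches the last one is used;
  * only the expressions '<literal>' and '<literal>' + right(<col>, n) are
    supported, with right() behaving like T-SQL RIGHT();
  * the "Allowed logins" tab is modelled as a plain set of login names.
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
LITERAL_RE = re.compile(r"^'(.*?)'$")
RIGHT_RE = re.compile(r"^'(.*?)'\s*\+\s*right\s*\(\s*(\w+)\s*,\s*(\d+)\s*\)$", re.I)


@dataclass(frozen=True)
class Rule:
    table: str
    column: str
    expr: str
    logins: frozenset  # empty set means "default rule, applies to every login"


def parse_rules(text):
    """Parse a masking rule file into a list of Rule objects."""
    rules, group, in_for_run = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("for:"):
            if not in_for_run:  # a fresh run of "for:" lines starts a new group
                group, in_for_run = [], True
            group.append(line[4:].strip())
            continue
        in_for_run = False
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule line: {raw!r}")
        table, column, expr = m.groups()
        rules.append(Rule(table, column, expr.strip(), frozenset(group)))
    return rules


def apply_mask(expr, row):
    """Evaluate a mask expression against one row (a dict column -> value)."""
    m = LITERAL_RE.match(expr)
    if m:
        return m.group(1)
    m = RIGHT_RE.match(expr)
    if m:
        prefix, col, n = m.group(1), m.group(2), int(m.group(3))
        value = str(row[col])
        return prefix + (value[-n:] if n else "")  # RIGHT(value, n)
    raise ValueError(f"unsupported mask expression: {expr!r}")


def masked_row(rules, allowed_logins, login, table, row):
    """Return `row` from `table` as `login` sees it through the masking layer."""
    if login in allowed_logins:  # "Allowed logins" tab: never masked
        return dict(row)
    out = dict(row)
    for col in row:
        matching = [r for r in rules if r.table == table and r.column == col]
        specific = [r for r in matching if login in r.logins]
        default = [r for r in matching if not r.logins]
        chosen = specific or default
        if chosen:  # columns without any rule pass through unchanged
            out[col] = apply_mask(chosen[-1].expr, row)
    return out


# The two rule sets discussed on this page.
PAGE_RULES = """
my_table1 secure_field1 '***'
my_table1 secure_field2 '***'
for: login1
for: login2
my_table1 secure_field1 '***' + right (secure_field1,3)
my_table1 secure_field2 '***' + right (secure_field2,3)
"""

SHORT_RULES = """
for: least_privileged
my_table1 secure_field1 '***'
"""

# Constructed sample row; the values are made up for this example.
SAMPLE_ROW = {"id": 1, "secure_field1": "4111111111111111", "secure_field2": "123-45-6789"}


def demo():
    """What each kind of login gets back from the same SELECT on my_table1."""
    rules = parse_rules(PAGE_RULES)
    allowed = {"reporting"}  # hypothetical login placed on the "Allowed logins" tab
    views = {login: masked_row(rules, allowed, login, "my_table1", SAMPLE_ROW)
             for login in ("app_user", "login1", "reporting")}
    short = parse_rules(SHORT_RULES)
    views["least_privileged (short rules)"] = masked_row(short, set(), "least_privileged", "my_table1", SAMPLE_ROW)
    views["app_user (short rules)"] = masked_row(short, set(), "app_user", "my_table1", SAMPLE_ROW)
    return views


if __name__ == "__main__":
    for login, row in demo().items():
        print(f"{login:32} {row}")
```

Running the script prints '***' in both columns for app_user, '***111' and '***789' for login1, and the raw values for reporting; with the short rule set, least_privileged sees '***' in secure_field1 only and every other login sees the raw row. One practical consequence of masking being keyed on the login name is worth keeping in mind: if your application connects with one shared service login, every user of that application gets the same view, so per-user masks require per-user (or per-role) database logins.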