Column masking for Column Level Security 

Masking can be applied to a single-level hierarchy, multilevel hierarchy, parent-child hierarchy, attributes, base measures, calculated measures, and measures used in calculations. For column-level security, both unconditional and conditional masking can be applied. By implementing masking at the column level, you can effectively manage data accessibility and privacy, ensuring that users only access information necessary for their roles while protecting sensitive data from exposure.

Important points to know

  • Common for unconditional and conditional column masking:

    • Column masking is not applied to Member Properties, Unknown and Calculated members, and Predefined time type hierarchy.

    • Currently, column masking does not support the SQL interface.

    • The masked value is displayed while browsing the semantic model on any BI tool with an MDX connection. 

    • You can also create, delete, update, save, and assign column masking rules by using the Security REST APIs.

    • If multiple security rules involving column masking on the same column are applied to a user/group, the following rules apply:

      • Between conditional and unconditional masking, the first priority will be given to unconditional masking. 

      • Between rules of the same type of masking (conditional or unconditional), the first priority will be given to complete masking over partial masking. 

      • If both aspects of the rules are the same (conditional or unconditional, and complete or partial), then any one of the rules can be applied.

    • If multiple security rules of different column-security types are applied to a user/group on the same column, one masking the column and the other restricting the column's data (with or without metadata), the rule that restricts the data has higher priority than the rule that masks the data.

    • Calculated measures, calculated members, and scope calculations are computed on the masked value if any column with masking is present in the calculation.

  • For conditional column masking:

    • Measure masking is allowed only on base measures

    • Measure values can be masked either with blank or 0 only.

    • Measure Masking based on unrelated columns is not allowed. 

    • Column masking on attribute and hierarchy levels is not supported

    • Data conditions are only allowed on dimensions (level or attribute). Conditions based on measures are not supported.

    • Distinct count measures will be masked with 0 even if you mask a condition with 'blank'

  • For unconditional column masking:

    • Partial masking on numerical dimension field is not supported.

    • The original column data is preserved while masking because numeric data is masked with a number, and a date is masked with a date. You can specify a fixed pattern or a Regex expression for any string data type. 

    • If you use the tilde (~) for column masking and want to apply a filter on the masked value from the Kyvos UI, you must change the field value separator, because the default value of the kyvos.filter.value.separator property is also the tilde (~). Column masking with the tilde character functions only after this default value is changed.

    • To apply column masking to a pre-defined hierarchy, you must select the full name of the hierarchy.

    • Merging of measure values against fully masked only attribute or single level hierarchy is not supported

    • Users can set column data masking on the display field but not on the key field.

    • Column masking will not be applied on Unknown and calculated members. 
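The precedence points above (restrict over mask, unconditional over conditional, complete over partial) can be modelled to audit which rule wins when a user inherits several rules on one column. This is an added example, not Kyvos code; the `ColumnRule` class, the rule names and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ColumnRule:
    name: str
    column: str
    action: str                 # "restrict" or "mask"
    conditional: bool = False   # meaningful for masks only
    partial: bool = False       # meaningful for masks only

def rank(rule):
    """Smaller tuple = higher priority, following the page's ordering."""
    if rule.action == "restrict":
        return (0, False, False)                # restrict beats any mask
    return (1, rule.conditional, rule.partial)  # unconditional, then complete

def resolve(rules):
    """Map each column to (names of top-priority rules, ambiguous flag)."""
    by_column = {}
    for r in rules:
        by_column.setdefault(r.column, []).append(r)
    result = {}
    for column, group in by_column.items():
        best = min(rank(r) for r in group)
        top = sorted(r.name for r in group if rank(r) == best)
        # Several rules at the same rank: the page says any one of them may
        # be applied, so the value a user sees is not predictable.
        result[column] = (top, len(top) > 1)
    return result

# Constructed sample: rules one user inherits from several groups.
SAMPLE = [
    ColumnRule("R1", "Customer Name", "mask", conditional=True),
    ColumnRule("R2", "Customer Name", "mask", partial=True),
    ColumnRule("R3", "Customer Name", "mask"),
    ColumnRule("R4", "Salary", "mask"),
    ColumnRule("R5", "Salary", "restrict"),
    ColumnRule("R6", "Email", "mask", partial=True),
    ColumnRule("R7", "Email", "mask", partial=True),
]

if __name__ == "__main__":
    for column, (winners, ambiguous) in resolve(SAMPLE).items():
        note = "  <- review: tie, outcome not predictable" if ambiguous else ""
        print(f"{column}: {', '.join(winners)}{note}")
```

Columns flagged as ambiguous are the ones to clean up, since two tied rules with different mask values give no guarantee about which value is displayed.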

Unconditional column masking

In unconditional column masking, the entire column is masked uniformly. In this approach, any user who accesses the masked column will see only obfuscated or masked values rather than the actual data, regardless of their access permissions.

To apply unconditional column masking for Column Level Security (CLS), perform the following steps. 

  1. From the Toolbox, click Semantic Models.

  2. Select the semantic model name from the list and click the Process tab if needed.

  3. Click the Action menu (...) in the work area, then click Data Security.
    If the option is not displayed, you must save the semantic model and try again.

  4. Click users or groups that this rule will apply to.

  5. Click the plus sign in the Rules column.

  6. Add a rule name and description.

  7. From the Column Level area, click the Mask Data link, and then select the field on which you want to apply the column masking. By default, Mask data is applied, which indicates an unconditional data mask.

  8. Click the value link, and the Mask with dialog box is displayed. You must enter the required value for unconditional column masking. The available choices vary depending on the data you are using.  

    1. For any string data type, choose one of the following: 

      • Fixed: Use this option to specify a fixed value for column masking. Enter a value that you want to apply for column masking. The entered value is displayed in the Preview area. 

        NOTE: You can specify any character or special characters, such as #, *, @. If you keep the field blank, then while semantic model browsing, the field value is displayed as blank.  

      • Regex: Use this option to specify a Regex expression for column masking.

        1. Enter a Regex expression that you want to specify for the field value, and then provide a value that you want to use for column masking.

        2. You can also select a Regex expression from the Choose from common expressions list. 

        3. To verify whether the Regex expression is successfully masked with the value, enter a relevant value in the Test Value field. The result is displayed in the Preview field. If the expression is not masked successfully, you can modify the expression, as needed.  
          NOTE: In an expression, the Delimiter (/) and the flags (g,m,i,u,s,d) are not supported.

  9. Click the plus sign to add additional fields, if required.  

  10. Click Add.

Figure: Unconditional column masking using the Fixed pattern
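The Regex option in step 8 can be rehearsed offline before entering the expression in the Mask with dialog. This added example (not Kyvos code) rejects the unsupported `/pattern/flags` form and lists test values the expression leaves unchanged. It assumes every match is replaced by the mask value and uses Python's `re` engine as a stand-in, which may differ from the engine Kyvos uses; all sample values are constructed.

```python
import re

# JavaScript-style /pattern/flags form, which the page says is not supported.
DELIMITED = re.compile(r"^/.*/[gmiusd]*$", re.DOTALL)

def check_expression(pattern):
    """Return a list of problems that would make the expression unusable."""
    if DELIMITED.match(pattern):
        return ["remove the / delimiters and trailing flags"]
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"does not compile: {exc}"]
    return []

def preview(pattern, mask_value, test_values):
    """Return {value: masked}. Assumption: each match becomes mask_value."""
    rx = re.compile(pattern)
    # A callable replacement keeps mask_value literal (no backreference expansion).
    return {v: rx.sub(lambda _m: mask_value, v) for v in test_values}

def unmasked(pattern, mask_value, test_values):
    """Test values the expression leaves unchanged, i.e. still shown in clear."""
    masked = preview(pattern, mask_value, test_values)
    return [v for v in test_values if masked[v] == v]

# Constructed test values: the same kind of identifier in three formats.
TEST_VALUES = ["123-45-6789", "987 65 4321", "123456789"]

if __name__ == "__main__":
    for pattern in (r"/\d{3}-\d{2}/g", r"\d{3}-\d{2}", r"\d{3}[- ]?\d{2}"):
        problems = check_expression(pattern)
        if problems:
            print(f"{pattern!r}: {problems[0]}")
            continue
        print(f"{pattern!r}: {preview(pattern, 'XXX-XX', TEST_VALUES)}")
        print("  unchanged:", unmasked(pattern, "XXX-XX", TEST_VALUES))
```

Running several formats of the same field through the preview shows whether a narrow expression would leave some rows readable.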

Conditional masking on measures and attributes

Conditional column masking allows for more granular control by masking data in a column based on certain conditions.

Support of conditional data masking has been added for No-Spark, ensuring sensitive data remains protected and only accessible to authorized users. You can add conditional masking on:

  • Measures

    • Masking can be applied to base measure only. The calculated measure values will be impacted according to the masked values of underlying base measures.

  • Attributes

    • Masking can only be applied to attribute fields.

    • Conditions can be applied to attribute and levels fields.

    • Key field will not be supported.

Note

  • Masked values can only be set to 0 or NULL. Any other values will be rejected by Kyvos validation.

  • Columns with a date data type must be masked using a valid date or left blank.

  • Columns with a number data type must be masked using a numeric value or left blank.

  • Masking rules support only the AND clause; the OR clause is not supported.

  • Masking a column multiple times is not allowed.

  • Conditional masking is not supported at the level of hierarchy; however, levels can be included in the condition criteria when creating the rule.

To apply conditional column masking for Column Level Security (CLS), perform the following steps. 

  1. From the Toolbox, click Semantic Models.

  2. Select the semantic model name from the list and click the Process tab if needed.

  3. Click the Actions menu (...) in the work area, then click Data Security.
    If the option is not displayed, you must save the semantic model and try again.

  4. Click users or groups that this rule will apply to.

  5. Click the plus sign in the Rules column.

  6. Add a rule name and description.

  7. From the Column Level area, click Mask Data and select Conditionally mask data, and then select the field on which you want to apply the column masking. 

  8. Click the Conditional Mask Data link and click the field link.

    1. For measures, a list of base measures will be displayed. Select the measure that you want to conditionally mask.

    2. For attributes, only a list of attributes will be displayed; hierarchies will not be shown. Select the attribute that you want to conditionally mask.

  9. Click the value link, and the conditional Mask with dialog box is displayed.

  10. Enter the value for conditional masking as needed. The available choices vary depending on the data you are using. 

  11. Select the condition field and based on it apply masking on measure or attributes.

  12. Click the plus sign to add additional fields, if required. After adding the required fields, click Add.

  13. Click Save. The masking rule can now be assigned to the authorized user.
    Figure: conditional masking for measures

    Figure: conditional masking for attributes

Figure: Conditional measure masking with value as '0'

Figure: Conditional attribute masking

Copyright Kyvos, Inc. 2025. All rights reserved.