Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
4.3.3. Dynamic Data Masking
💡 First Principle: Dynamic Data Masking (DDM) obscures sensitive data in query results without modifying stored data. Users with UNMASK permission see original values; others see masked values.
Scenario: Customer support representatives need to access customer records but shouldn't see full credit card numbers.
Masking Functions
| Function | Use Case | Example Output |
|---|---|---|
| default() | Full masking | "xxxx", 0, 01-01-1900 |
| email() | Email addresses | "aXXX@XXXX.com" |
| random(start, end) | Numeric obfuscation | Random number |
| partial(prefix, padding, suffix) | Partial reveal | "XXXX-XXXX-XXXX-1234" |
Implementing Masking
```sql
-- Add mask to credit card column
ALTER TABLE Customers
ALTER COLUMN CreditCard ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- Grant unmask permission
GRANT UNMASK TO [FinanceTeam];
```
⚠️ Exam Trap: Using default() for credit card masking. Default masking hides all digits, making verification impossible. Use partial(0,"XXXX-XXXX-XXXX-",4) to show the last 4 digits—the industry standard.
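To check that a mask is actually enforced and to audit who can bypass it, the T-SQL script below is an added example, not part of the original material. The table `DdmDemoCustomers` and the user `SupportRep` are hypothetical names, and the inserted row is a constructed test value.

```sql
-- Added example. DdmDemoCustomers and SupportRep are hypothetical names.
CREATE TABLE DdmDemoCustomers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CreditCard VARCHAR(19)
        MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL
);

-- Constructed test row (not real card data)
INSERT INTO DdmDemoCustomers (Email, CreditCard)
VALUES ('alice@example.com', '4111-1111-1111-1234');

-- Support user: can read the table, has no UNMASK permission
CREATE USER SupportRep WITHOUT LOGIN;
GRANT SELECT ON DdmDemoCustomers TO SupportRep;

-- 1. Read the row as the restricted user, then switch back
EXECUTE AS USER = 'SupportRep';
SELECT USER_NAME() AS running_as, Email, CreditCard
FROM DdmDemoCustomers;
REVERT;

-- 2. Read the same row as the table owner for comparison
SELECT USER_NAME() AS running_as, Email, CreditCard
FROM DdmDemoCustomers;

-- 3. Audit: every masked column in the database and its masking function
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1
ORDER BY schema_name, table_name, column_name;

-- 4. Audit: principals that have been granted (or denied) UNMASK
SELECT pr.name AS principal_name,
       pr.type_desc,
       pe.state_desc,
       pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';

-- Clean up the demo objects
DROP USER SupportRep;
DROP TABLE DdmDemoCustomers;
```

Queries 3 and 4 are the ones worth keeping for periodic review: they show which columns rely on masking and which principals are exempt from it.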
Written by Alvin Varughese
Founder • 15 professional certifications