Dynamic Data Masking is a new security feature introduced in SQL Server 2016 that limits the access of unauthorized users to sensitive data at the database layer.

One example of the need for such a feature is allowing application developers to access production data for troubleshooting while preventing them from seeing the sensitive values, without getting in the way of the troubleshooting itself. Another is the call center employee who needs a customer's record to handle a request, but for whom the critical financial data, such as the bank account number or the full credit card number, is masked.

Dynamic Data Masking, also known as DDM, is a simple security feature that is configured entirely with the T-SQL commands we already know; it is easy to use and flexible to design. It lets you identify your "sensitive" data column by column and configure a suitable masking function to hide it in query results. It requires no coding effort on the application side, no encryption, and no change to the real data stored on disk.

Dynamic Data Masking masks sensitive data "on the fly" in the result set returned to non-privileged users, using built-in or custom masking functions, while privileged users (those holding the UNMASK permission) keep retrieving the unmasked data.

To implement DDM, first identify your sensitive columns, the users or roles whose view of them should be masked, and the designated privileged users who are allowed to see the real values. The next step is to select and apply a masking function to each sensitive column.

Masking functions

There are four main types of masking functions that can be configured in Dynamic Data Masking, which we will introduce briefly here and use in the demo later.

The first type is the Default function, which masks the data according to the column's data type: binary, varbinary and image columns are masked with a single byte of value 0; date and time data types are masked with 01.01.1900 00:00:00.0000000; numeric data types are masked with zero; string data types are masked with XXXX, or with fewer Xs if the column is shorter than four characters.

The second masking method is the Email function, used for columns that store email addresses. It exposes only the first character of the address and masks the rest, so an address is shown as aXXX@XXXX.com.

The Random masking function is used to mask any numeric data type by replacing the original value with a random value within the range specified in that function.

The last type is the Custom (partial) function, which lets you define your own mask for a string column: it exposes the first and last characters, as defined by the prefix and suffix lengths, and shows a custom padding string in the middle, in the form prefix, [padding value], suffix. If the column's original value is too short to fill the whole pattern, part of the prefix or suffix is not exposed.

Like any feature in SQL Server, Dynamic Data Masking has a number of limitations: you cannot define a mask on an encrypted column, a FILESTREAM column, a COLUMN_SET or a sparse column that is part of a column set, a computed column, or a key column in a FULLTEXT index. If the column to be masked is part of an index or has other dependencies, the dependency must be dropped, the mask configured on the column, and the dependency created again. Also, Dynamic Data Masking does not prevent users who hold UPDATE permission from modifying the masked column, even though they receive masked values when they query it. Finally, the mask applies only to the values returned in the result set: predicates in WHERE clauses are evaluated against the real data, so DDM does not protect against inference by users who can run ad-hoc queries, and it should be combined with least-privilege permissions, auditing and encryption rather than used as the only control.
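The four masking functions above can also be declared directly in CREATE TABLE rather than added one at a time afterwards. The following is an added example, not code from the original article: it builds the call-center table from the introduction with a mask chosen per column, adds a mask to an existing column with ADD MASKED WITH, and then separates agents from analysts with roles. The database name SQLShackDemo is the one used in this article; the table, column, role and user names are assumptions for illustration, and the inserted row is constructed test data.

```sql
-- Added example, not from the original article: the call-center scenario from the
-- introduction with a mask chosen per column when the table is created.
-- Table, column, role and user names are assumptions for illustration.
USE SQLShackDemo;
GO
CREATE TABLE Customer_Contact (
    Customer_ID   INT IDENTITY(1, 1) PRIMARY KEY,
    Full_Name     NVARCHAR(100) NOT NULL,                                           -- agents need it, left unmasked
    Phone         VARCHAR(20)   NOT NULL,                                           -- mask added below with ALTER
    Email         NVARCHAR(100) MASKED WITH (FUNCTION = 'email()'),                 -- first letter, then XXX@XXXX.com
    Card_Number   VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'), -- expose last 4 digits only
    Bank_Account  VARCHAR(34)   MASKED WITH (FUNCTION = 'default()'),               -- string default: XXXX
    Credit_Limit  INT           MASKED WITH (FUNCTION = 'random(1, 100)'),          -- unrelated random number
    Date_Of_Birth DATE          MASKED WITH (FUNCTION = 'default()')                -- date default: 1900-01-01
);
GO
-- Constructed sample row (test values, not a real card or account number)
INSERT INTO Customer_Contact (Full_Name, Phone, Email, Card_Number, Bank_Account, Credit_Limit, Date_Of_Birth)
VALUES (N'Ada Lovelace', '555-010-4242', N'ada@example.com', '4111-1111-1111-1111',
        'GB00TEST00000000000001', 5000, '1815-12-10');
GO
-- ADD MASKED WITH attaches a mask to an existing column without restating its data
-- type, so the mask cannot silently change the column type along the way.
ALTER TABLE Customer_Contact
ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');          -- expose last 4 digits only
GO
-- In SQL Server 2016 UNMASK is a database-wide permission: a grantee sees every
-- masked column in the database unmasked. Grant it to a role, not to individuals.
CREATE ROLE CallCentre_Agent;
CREATE ROLE Fraud_Analyst;
GRANT SELECT ON Customer_Contact TO CallCentre_Agent;
GRANT SELECT ON Customer_Contact TO Fraud_Analyst;
GRANT UNMASK TO Fraud_Analyst;
GO
CREATE USER Agent01 WITHOUT LOGIN;
CREATE USER Analyst01 WITHOUT LOGIN;
ALTER ROLE CallCentre_Agent ADD MEMBER Agent01;
ALTER ROLE Fraud_Analyst ADD MEMBER Analyst01;
GO
-- The agent receives masked values; the analyst receives the stored values.
EXECUTE AS USER = 'Agent01';
SELECT Full_Name, Phone, Email, Card_Number, Bank_Account, Credit_Limit, Date_Of_Birth
FROM Customer_Contact;
REVERT;
EXECUTE AS USER = 'Analyst01';
SELECT Full_Name, Phone, Email, Card_Number, Bank_Account, Credit_Limit, Date_Of_Birth
FROM Customer_Contact;
REVERT;
```

Keeping the last four digits of the card and phone number is the usual compromise for identity verification at a call center: the agent can confirm "ending in 1111" without ever receiving a full PAN. Because UNMASK in SQL Server 2016 is all-or-nothing per database, the role that receives it should be small and audited.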

How it works

Let's start the demo to see how the Dynamic Data Masking feature is configured in practice and how it works. Assume that we need to mask the employees' critical data to prevent the developer responsible for developing and troubleshooting the system from viewing it. First, we create the Employee_Financial table that will store the critical data:


USE SQLShackDemo
GO
-- Employee table whose columns we will mask one by one later in the demo
CREATE TABLE Employee_Financial (
    Emp_ID INT IDENTITY(1, 1) PRIMARY KEY
    ,Emp_First_Name NVARCHAR(10) NOT NULL
    ,Emp_Last_Name NVARCHAR(10) NOT NULL
    ,Emp_Date_Of_Birth DATETIME NULL
    ,Emp_Salary INT NULL
    ,Emp_Email NVARCHAR(50) NULL
    ,Emp_Employment_Date DATETIME NULL
)
GO

Once the table is created, we fill it with 15 records using ApexSQL Generate, a SQL test data generator, customizing the generated dates and salaries to suit the demo:

We will also create a test user that has read-only access to that table:


-- Database user with no server login; it can only read the table
CREATE USER DDMUser WITHOUT LOGIN;
GRANT SELECT ON Employee_Financial TO DDMUser;

If that user tries to retrieve all employees’ sensitive information from the Employee_Financial table:


USE SQLShackDemo
GO
EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;
REVERT;

He will be able to see all of the critical information, which is a security disaster, as in the result below:

To overcome this, we will mask the critical information step by step and see how the user sees the data at each stage. First we mask the employees' last name using the Default masking function, with a simple ALTER TABLE … ALTER COLUMN T-SQL statement:


-- The data type is restated in this form of ALTER COLUMN; keep it identical to the
-- table definition (NVARCHAR(10)), otherwise the statement also changes the column type
ALTER TABLE Employee_Financial
ALTER COLUMN Emp_Last_Name NVARCHAR(10) MASKED WITH (FUNCTION = 'default()');

And again have the user retrieve the employee data:


EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;
REVERT; 

The employees' last name is now masked for that user; he sees only XXXX values, as in the following result set:

Remember that nothing has changed inside the database itself; only the way the data is presented to that user has changed, which is clear when I select the data with my admin user:

The user can still see other critical information, so next we mask the employees' email using the Email masking function:


ALTER TABLE Employee_Financial
ALTER COLUMN EMP_Email nvarchar(50) MASKED WITH (FUNCTION = 'Email()');  

And retrieve the data from the same table using the same user’s account:


EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;
REVERT;

The user now sees only the first letter of each employee's email, with the rest masked as XXX@XXXX.com, as in the result set below:

The employees' salaries can be replaced with meaningless values using the Random masking function, which replaces each salary with a random value between 1 and 9, as specified in the ALTER statement below:


ALTER TABLE Employee_Financial
ALTER COLUMN EMP_Salary int MASKED WITH (FUNCTION='random(1,9)');

If this curious user tried to view the employees’ salaries using his account:


EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;
REVERT;

Unfortunately for him, and fortunately for the security team, he sees only meaningless random values, as in the following result set:

The employees' first name can likewise be masked using a custom (partial) masking function that displays the first three letters, masks the middle with XXXX and then shows the last three letters; if a first name is too short to fill that pattern, part of the prefix or suffix is not exposed:


ALTER TABLE Employee_Financial
ALTER COLUMN EMP_First_name nvarchar(10) MASKED WITH (FUNCTION= 'partial(3,"XXXX",3)');

Running the same select statement using the same user account:


EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;
REVERT;

The employees' first name is masked as described, as the result set below shows:

As mentioned earlier, no physical change is made to the data stored in the table. Users can see the masked data if they are granted the UNMASK permission, which in SQL Server 2016 is a database-level permission covering every masked column in the database, and which can be revoked just as easily. The following statements show how the user sees the real data once he is granted UNMASK, and how he is prevented from viewing it again once UNMASK is revoked:


GRANT UNMASK TO DDMUser
GO
EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;   -- real values returned
REVERT;
GO
REVOKE UNMASK FROM DDMUser          -- REVOKE takes FROM, not TO
GO
EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;   -- masked again
REVERT;

The result sets below show the two access levels:
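UNMASK decides what the result set shows, but the mask is applied only to output: WHERE predicates, ORDER BY and joins are still evaluated against the stored values. The following added example (not part of the original article) runs as the masked DDMUser against the Employee_Financial table above and recovers a masked salary using nothing but SELECT permission. It assumes Emp_Salary is not NULL and lies between 0 and 1,000,000, an assumption made for the demo.

```sql
-- Added example, not part of the original article: inference against masked columns
-- with only SELECT permission. Assumes the Employee_Financial table and DDMUser from
-- this article (UNMASK not granted), and Emp_Salary not NULL and in 0..1,000,000
-- (an assumption for the demo).
EXECUTE AS USER = 'DDMUser';

-- 1. The mask rewrites the output column only. The predicate is evaluated against the
--    stored salary, so the rows that come back are exactly the high earners, even though
--    the Emp_Salary column in the result still carries the random(1,9) value.
SELECT Emp_ID, Emp_First_Name, Emp_Salary
FROM Employee_Financial
WHERE Emp_Salary >= 100000;

-- 2. A binary search over the predicate recovers one employee's exact salary in about
--    20 probes, without ever reading the real value from a result set.
DECLARE @Emp INT = 1, @Lo INT = 0, @Hi INT = 1000000, @Mid INT;
WHILE @Lo < @Hi
BEGIN
    SET @Mid = (@Lo + @Hi) / 2;
    IF EXISTS (SELECT 1 FROM Employee_Financial WHERE Emp_ID = @Emp AND Emp_Salary <= @Mid)
        SET @Hi = @Mid;      -- stored salary is at most @Mid
    ELSE
        SET @Lo = @Mid + 1;  -- stored salary is above @Mid
END;
SELECT @Emp AS Emp_ID, @Lo AS Inferred_Salary;   -- @Lo has converged on the stored value

-- 3. String masks behave the same way: LIKE and equality test the stored last name,
--    so the result lists every employee whose real surname starts with S.
SELECT Emp_ID, Emp_Last_Name
FROM Employee_Financial
WHERE Emp_Last_Name LIKE N'S%';

REVERT;
```

This is why DDM is best treated as a way to reduce accidental exposure in application result sets, not as a boundary against a user who can type arbitrary queries. Where that user must not learn the value at all, deny SELECT on the column (column-level permissions), keep the column out of the views the user is granted, or encrypt it, and audit the queries either way.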

A new system catalog view, sys.masked_columns, defined in SQL Server 2016 and inheriting from sys.columns, can be used to retrieve the current Dynamic Data Masking configuration. A value of 1 in the is_masked column indicates that the column is masked using the function named in the masking_function column. The T-SQL statement below retrieves the masking information by joining sys.masked_columns with sys.tables:


SELECT TBLS.name as TableName,MC.NAME ColumnName, MC.is_masked IsMasked, MC.masking_function MaskFunction
FROM sys.masked_columns AS MC
JOIN sys.tables AS TBLS
ON MC.object_id = TBLS.object_id
WHERE is_masked = 1;   

The result in our case will be like:
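Beyond listing the masked columns, the check a reviewer usually wants is who can bypass the masks. The following added example (not from the original article) extends the catalog query above: it lists every masked column with its schema and data type, then the principals holding UNMASK, then the members of db_owner, who hold CONTROL on the database and therefore see unmasked data whether or not UNMASK was granted. It uses only standard catalog views and needs nothing beyond the demo database.

```sql
-- Added example, not from the original article: audit the masking configuration and
-- the principals who can bypass it. Uses only standard catalog views.

-- 1. Every masked column in the database, with schema, table, data type and mask.
SELECT s.name AS SchemaName,
       t.name AS TableName,
       mc.name AS ColumnName,
       TYPE_NAME(mc.user_type_id) AS DataType,
       mc.max_length AS MaxLength,
       mc.masking_function AS MaskFunction
FROM sys.masked_columns AS mc
JOIN sys.tables AS t ON mc.object_id = t.object_id
JOIN sys.schemas AS s ON t.schema_id = s.schema_id
WHERE mc.is_masked = 1
ORDER BY SchemaName, TableName, ColumnName;

-- 2. Principals (users or roles) explicitly granted UNMASK. In SQL Server 2016 this is
--    a database-level permission, so each grantee sees every masked column unmasked.
SELECT dp.name AS Principal,
       dp.type_desc AS PrincipalType,
       perm.state_desc AS GrantState
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp ON perm.grantee_principal_id = dp.principal_id
WHERE RTRIM(perm.permission_name) = 'UNMASK';

-- 3. Members of db_owner hold CONTROL on the database and see unmasked data regardless
--    of UNMASK, so they belong on the same review list.
SELECT m.name AS Principal,
       m.type_desc AS PrincipalType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'db_owner';
```

Run all three after every deployment that touches masks or permissions; a mask silently dropped by a schema migration, or an UNMASK grant left behind after a troubleshooting session, shows up here and nowhere else.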

We can easily drop the mask from a masked column using the same ALTER TABLE … ALTER COLUMN statement with DROP MASKED:


ALTER TABLE Employee_Financial
ALTER COLUMN EMP_First_name DROP MASKED;

Now that the mask is dropped, the user can view the employees' first names with his account:


EXECUTE AS USER = 'DDMUser';
SELECT * FROM Employee_Financial;
REVERT;

Enjoy it Mr. Curious:

Another advantage of Dynamic Data Masking is that if the user tries to copy the masked data to another table using SELECT INTO, INSERT INTO or the SQL Server Import and Export wizard, he will be surprised to find that the destination table receives the masked values, not the real ones.

Assume there is an empty table called Curious with the same schema as the Employee_Financial table, and that DDMUser is granted SELECT, INSERT and UPDATE permissions on it:


GRANT SELECT,INSERT, UPDATE ON Curious TO DDMUser

If he tries to copy the data from Employee_Financial into Curious and then view the destination table:


EXECUTE AS USER = 'DDMUser';
INSERT INTO [dbo].[Curious] ([Emp_First_Name],[Emp_Last_Name],[Emp_Date_Of_Birth],[Emp_Salary],[Emp_Email],[Emp_Employment_Date])
SELECT [Emp_First_Name],[Emp_Last_Name],[Emp_Date_Of_Birth],[Emp_Salary],[Emp_Email],[Emp_Employment_Date]
FROM Employee_Financial;   -- the SELECT returns masked values, so masked values are what get inserted
SELECT * FROM Curious;
REVERT;

This user will certainly be surprised by the displayed result:

Conclusion

Dynamic Data Masking is a new security feature introduced in SQL Server 2016 that protects sensitive data from being viewed by unauthorized users by masking it in the result set, without changing the data stored on disk. Four types of masking functions, built-in and custom, let you mask critical data in different ways. DDM is transparent to the application, so no coding effort is needed at the application layer. You can choose the most suitable masking function for each sensitive column in your test environment and replicate the configuration to production once everything works as expected.

Translated from: https://www.sqlshack.com/using-dynamic-data-masking-in-sql-server-2016-to-protect-sensitive-data/
