Governance & Security

Data Masking & Privacy

Apply dynamic data masking, tokenization, and anonymization to protect sensitive data.

Updated April 2025

NATIS Data Masking applies column-level transformations at query time so that sensitive data is hidden from unauthorized users without modifying the underlying stored data. Masking rules are attached to columns in Unity Catalog and applied automatically for any query that touches that column.

Built-In Masking Functions

| Function | Input Example | Output Example | Use Case |
| --- | --- | --- | --- |
| MASK_EMAIL | john.doe@company.com | j***@c******.com | Email addresses |
| MASK_PHONE | +84 912 345 678 | +84 9** *** *** | Phone numbers |
| MASK_CARD | 4111 1111 1111 1111 | **** **** **** 1111 | Credit card numbers |
| MASK_ID | 0123456789 | 01*******9 | National ID / passport |
| HASH_SHA256 | sensitiveValue | a1b2c3d4... | Irreversible anonymization |
| TOKENIZE | Original value | tkn_8x7y... | Reversible tokenization (with key) |
| NULLIFY | Any value | NULL | Full redaction |

Applying a Masking Policy

Masking policies apply to all query surfaces: SQL Workspace, dashboards, notebooks, and external BI tools connected via JDBC/ODBC. Masking cannot be bypassed through any query method unless the user has the UNMASK privilege.

SQL
-- Create a masking policy
CREATE MASKING POLICY mask_email_policy
AS (email STRING) RETURNS STRING ->
  CASE
    WHEN is_member('data_admins') THEN email  -- admins see full value
    WHEN is_member('analysts') THEN MASK_EMAIL(email)  -- analysts see masked
    ELSE '***REDACTED***'  -- everyone else sees redacted
  END;

-- Apply the policy to a column
ALTER TABLE production.silver.customers
  ALTER COLUMN email SET MASKING POLICY mask_email_policy;

-- Verify masking is applied
DESCRIBE DETAIL production.silver.customers;
-- Shows "email: mask_email_policy" in column details
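
A check a reviewer can run over result sets exported from a non-privileged session, as an added example that is not NATIS code: it flags values that still look like raw email addresses or Luhn-valid card numbers, including values sitting in columns that have no masking policy attached. The regexes, the `card` and `notes` columns, and the sample rows are constructed assumptions.

```python
import re

# Raw-value detectors. These patterns are assumptions of this example,
# not NATIS definitions.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_unmasked(rows):
    """Return (row_index, column, kind) for every value that still looks raw."""
    findings = []
    for i, row in enumerate(rows):
        for col, value in row.items():
            if value is None:  # NULLIFY output, nothing to inspect
                continue
            text = str(value)
            if EMAIL_RE.search(text):
                findings.append((i, col, "email"))
            for m in CARD_RE.finditer(text):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    findings.append((i, col, "card"))
    return findings

# Constructed rows, shaped like what a member of 'analysts' would receive.
# 'card' and 'notes' are hypothetical columns; 'notes' has no policy attached.
SAMPLE_ROWS = [
    {"email": "j***@c******.com", "card": "**** **** **** 1111", "notes": "vip"},
    {"email": "***REDACTED***", "card": None, "notes": "order 0123456789"},
    {"email": "j***@c******.com", "card": "**** **** **** 1111",
     "notes": "refund to john.doe@company.com, card 4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for finding in find_unmasked(SAMPLE_ROWS):
        print(finding)
```

The masked shapes from the table pass cleanly; the third row is flagged because the same values were copied into a free-text column that carries no policy.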
