# MySQL Data Masking — One Policy Across Every Edition and Fork

> Role-based dynamic data masking for MySQL. No Enterprise license, no view inventory, no proxy — one policy across Community, Enterprise, Percona, MariaDB, RDS, and Aurora, with approval workflow and audit.

Source: https://www.bytebase.com/databases/mysql/data-masking/

---

## MySQL data masking is splintered across editions and forks.

Bytebase replaces the patchwork with one policy in front of any MySQL — role-based masking for Community, Enterprise, Percona, MariaDB, RDS, and Aurora alike. No edition gate. No view inventory. The data at rest never changes; the result set does.

Every native route covers only a slice — gated by edition, fork, or a proxy — and three of the four lean on views:

### 9.7 Enterprise DDM

MySQL 9.7's MASKING POLICY object enforces server-side — but only on Enterprise Edition and OCI HeatWave. Community, Percona, and every managed flavor are out.

### Enterprise & Percona plugins

Masking functions such as mask_ssn() are exposed to users through views. That takes one view per role × variation, and every schema change ripples through the set. Requires an Enterprise license or Percona Server.

### MariaDB MaxScale

Masking runs in the proxy, not the server: a BSL-licensed connection layer to deploy and lock down. Anyone who connects directly to the database port behind the proxy reads cleartext.

### Community & managed

MySQL Community ships nothing. RDS, Aurora, and managed forks ship none of the above. The most common production MySQL has no native masking at all.

## One policy in front of MySQL. Not five inside it.

Masking runs in the result path, outside the database. Queries route through the SQL Editor; values transform on the way out based on who is asking. Nothing installs in MySQL, so one policy covers Community, Enterprise, Percona, MariaDB, and every managed flavor alike.

Masking propagates — mask a column and every dependent view inherits the policy. The per-variation view inventory the native plugins require disappears.

### Global Masking Rule

Workspace rules, first match wins. Conditions on environment, project, database, and classification pick the algorithm — full, partial, MD5, range, custom. One rule covers the Enterprise cluster, the Percona shard, and the Community staging instance.

### Column Masking

Project-level override for a single column.

### Masking Exemption

Time-bound Query or Export exemptions for named users. Every grant logged. Every access logged.

## Same query. Different result by role.

Partial masking on customers.email and customers.ssn — the table untouched:

```
-- Run in Bytebase SQL Editor as an analyst
SELECT id, email, ssn FROM customers LIMIT 2;

+----+---------------------+-------------+
| id | email               | ssn         |
+----+---------------------+-------------+
|  1 | a******@example.com | ***-**-4801 |
|  2 | m******@example.com | ***-**-2210 |
+----+---------------------+-------------+
```

An exempted investigator runs the same query and sees cleartext. Both reads land in the audit log with per-column masking metadata.
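
A minimal model of the behaviour described above (ordered rules where the first match wins, partial masking, time-bound exemptions, per-column audit metadata), added here as an example; it is not Bytebase's code or API. The rule shape, algorithm names, sample rows, and clock are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

def partial(value, left, right):
    """Keep `left` leading / `right` trailing chars; only an e-mail's local part is masked."""
    head, at, domain = value.partition("@")
    end = len(head) - right
    masked = "".join(c if i < left or i >= end or not c.isalnum() else "*"
                     for i, c in enumerate(head))
    return masked + at + domain

ALGORITHMS = {  # hypothetical algorithm names
    "full": lambda v: "******",
    "md5": lambda v: hashlib.md5(v.encode()).hexdigest(),
    "partial-email": lambda v: partial(v, 1, 0),
    "partial-tail4": lambda v: partial(v, 0, 4),
}
RULES = [  # ordered; the first rule whose conditions all hold decides
    ({"environment": "prod", "classification": "email"}, "partial-email"),
    ({"environment": "prod", "classification": "ssn"}, "partial-tail4"),
    ({"classification": "ssn"}, "full"),  # reached only outside prod
]
COLUMNS = [  # constructed column metadata
    {"name": "id", "environment": "prod", "classification": None},
    {"name": "email", "environment": "prod", "classification": "email"},
    {"name": "ssn", "environment": "prod", "classification": "ssn"},
]
ROWS = [  # constructed cleartext rows; the stored data is never modified
    {"id": 1, "email": "abigail@example.com", "ssn": "000-12-4801"},
    {"id": 2, "email": "matthew@example.com", "ssn": "000-34-2210"},
]

def pick_algorithm(column, rules):
    for conditions, algorithm in rules:
        if all(column.get(k) == v for k, v in conditions.items()):
            return algorithm
    return None  # no rule matched: the column is returned unchanged

def read(user, action, exemptions, audit, now, rules=RULES):
    """Return the result set `user` sees and append one audit entry."""
    exempt = any(e["user"] == user and e["action"] == action and now < e["expires"]
                 for e in exemptions)
    applied = {c["name"]: None if exempt else pick_algorithm(c, rules) for c in COLUMNS}
    audit.append({"user": user, "action": action, "exempt": exempt, "masking": applied})
    return [{k: ALGORITHMS[applied[k]](v) if applied[k] else v for k, v in row.items()}
            for row in ROWS]

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock
EXEMPTIONS = [{"user": "investigator", "action": "QUERY", "expires": datetime(2025, 1, 2, tzinfo=timezone.utc)}]
```

In this model an exemption granted for QUERY does not cover EXPORT and stops applying once `expires` has passed, and moving the broad `ssn` rule to the front changes the result because evaluation stops at the first match.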

## What this masks — and what it doesn't.

Bytebase masks only what goes through Bytebase: SQL Editor queries and approved exports. Your application's direct connection bypasses it by design; the gateway governs human access.

Pair it with just-in-time access so humans hold no standing credentials. To mask every connection on one cluster, use an in-database option — 9.7 Enterprise DDM, a plugin, or MaxScale — and the two compose.

## Common questions.

### Does MySQL have built-in dynamic data masking?

Yes, but it's fragmented. MySQL 9.7 Enterprise adds a server-side MASKING POLICY object; before that, Enterprise and Percona expose masking functions you wire through views; MariaDB masks in the MaxScale proxy. MySQL Community has none, and managed flavors like RDS and Aurora ship none of them. A policy layer in front of the database like Bytebase covers them all with one rule.

### Does masking change the data stored in MySQL?

No. Values transform in the query result, at read time. Data at rest is untouched. Destroying data for lower environments is static masking — a different tool.

### Which MySQL flavors are supported?

Any MySQL or MariaDB Bytebase can connect to — Community, Enterprise, Percona, MariaDB, RDS, Aurora, Cloud SQL, managed forks. Masking runs outside the database, so there's no plugin, component, or edition requirement on the server.

### Does it mask my application's database connection?

No. Bytebase masks only what goes through Bytebase: SQL Editor queries and approved exports. Direct application connections are untouched; that path keeps its own credentials and controls.

### How does this compare to MySQL 9.7 Enterprise DDM?

9.7 DDM enforces inside the server on every read path — including mysqldump and direct sessions — on Enterprise and HeatWave only. Bytebase enforces across the whole fleet, every edition and fork, on the through-Bytebase path, with approval and audit. They compose: DDM for dumps and app traffic on a 9.7 cluster, Bytebase for human query traffic everywhere else.

