# Dynamic Data Masking

> Dynamic data masking transforms sensitive column values at query time based on the requester's role — full value for one user, hashed for another, last-four for a third. The data at rest never changes; only the result set does. Engine-native masking for Postgres, MySQL, SQL Server, Oracle, BigQuery, and Snowflake, plus a workflow gateway that applies one policy across every engine.

Source: https://www.bytebase.com/dynamic-data-masking/

---

## Sensitive columns, masked at query time.

Dynamic data masking transforms sensitive values as they're read — full value for one role, hashed for another, last-four for a third. The data at rest never changes; only the SELECT result does.

## Transformed at read. Unchanged at rest.

### Query-time transform

Masking rewrites the value in the result set as the query runs. Storage is untouched — there's no masked copy to maintain and no second source of truth. The same row returns different values to different callers.

### Role-based policy

What each caller sees is a policy decision, not a column property. Rules bind to role, environment, project, table, column, or classification — so one column can return cleartext, last-four, or a hash depending on who asks.

## Read in order.

### What query-time masking is

DDM as a practical primitive — what query-time masking transforms, where it differs from static masking, and the policy patterns that govern who sees what. /blog/what-is-dynamic-data-masking

### Static vs dynamic — when to use which

Static masking writes a masked copy; dynamic masking transforms at query time. Where each fits — non-prod datasets vs. live production reads — and why the choice isn't either/or. /blog/static-vs-dynamic-data-masking

### Implement it by access path

Five ways to implement DDM — engine-native, in-database, application, BI, and a workflow gateway — and which caller each one masks. /blog/how-to-implement-dynamic-data-masking

## Mask by engine.

### Postgres dynamic data masking

PG Anonymizer (extension-based) vs query-time masking — which approach fits which workflow. /blog/postgres-dynamic-data-masking

### MySQL dynamic data masking

MySQL Enterprise (paid) and Percona's plugin (OSS) compared with a workflow gateway. /blog/mysql-dynamic-data-masking

### SQL Server dynamic data masking

Native DDM (five mask types, 2022 granular UNMASK) compared with a workflow gateway. /blog/sql-server-dynamic-data-masking

### Oracle dynamic data masking

Oracle Data Redaction (Advanced Security option, DBMS_REDACT) compared with a workflow gateway. /blog/oracle-dynamic-data-masking

### BigQuery dynamic data masking

BigQuery's built-in masking rules driven by policy tags and data policies, compared with a workflow gateway. /blog/bigquery-dynamic-data-masking

### Snowflake dynamic data masking

Snowflake's native CREATE MASKING POLICY syntax and where it stops short. /blog/snowflake-dynamic-data-masking-and-alternatives

## Get Started

- [Contact us](https://www.bytebase.com/contact-us/)
- [Start now (cloud)](https://console.bytebase.com)