Dynamic data masking

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support dynamic data masking. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users.

Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.

For example, a service representative at a call center may identify callers by several digits of their credit card number, but those data items should not be fully exposed to the service representative. A masking rule can be defined that masks all but the last four digits of any credit card number in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.

Dynamic data masking basics

You set up a dynamic data masking policy in the Azure portal by selecting the Dynamic Data Masking blade under Security in your SQL Database configuration pane. This feature cannot be set using the portal for SQL Managed Instance (use PowerShell or the REST API). For more information, see Dynamic Data Masking.

Dynamic data masking permissions

Dynamic data masking can be configured by the Azure SQL Database admin, server admin, or SQL Security Manager roles.

Dynamic data masking policy

  • SQL users excluded from masking - A set of SQL users or Azure AD identities that get unmasked data in the SQL query results. Users with administrator privileges are always excluded from masking, and see the original data without any mask.
  • Masking rules - A set of rules that define the designated fields to be masked and the masking function that is used. The designated fields can be defined using a database schema name, table name, and column name.
  • Masking functions - A set of methods that control the exposure of data for different scenarios.

Masking function - Masking logic

  • Default - Full masking according to the data types of the designated fields:
      • Use XXXX, or fewer Xs if the size of the field is less than 4 characters, for string data types (nchar, ntext, nvarchar).
      • Use a zero value for numeric data types (bigint, bit, decimal, int, money, numeric, smallint, smallmoney, tinyint, float, real).
      • Use 01-01-1900 for date/time data types (date, datetime2, datetime, datetimeoffset, smalldatetime, time).
      • For SQL variant, the default value of the current type is used.
      • For XML, the document <masked/> is used.
      • Use an empty value for special data types (timestamp, table, hierarchyid, GUID, binary, image, varbinary, spatial types).
  • Credit card - Masking method that exposes the last four digits of the designated fields and adds a constant string as a prefix in the form of a credit card.
      XXXX-XXXX-XXXX-1234
  • Email - Masking method that exposes the first letter and replaces the domain with XXX.com, using a constant string prefix in the form of an email address.
      aXX@XXXX.com
  • Random number - Masking method that generates a random number according to the selected boundaries and actual data types. If the designated boundaries are equal, then the masking function is a constant number.
      [Screenshot: the masking method for generating a random number]
  • Custom text - Masking method that exposes the first and last characters and adds a custom padding string in the middle. If the original string is shorter than the exposed prefix and suffix, only the padding string is used.
      prefix[padding]suffix

Navigation pane

The DDM recommendations engine flags certain fields from your database as potentially sensitive fields, which may be good candidates for masking. In the Dynamic Data Masking blade in the portal, you will see the recommended columns for your database. All you need to do is click Add Mask for one or more columns and then Save to apply a mask for these fields.

Set up dynamic data masking for your database using PowerShell cmdlets

Data masking policies

Data masking rules
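
The policy elements and masking functions described above, configured with the Az PowerShell module; this is an added example, not code from the original page. The resource group, server, database, table, column and user names are placeholders, and a signed-in Az session with one of the roles listed under permissions is assumed.

```powershell
# Added example. All names below are placeholders constructed for illustration.
$db = @{
    ResourceGroupName = 'rg-example'
    ServerName        = 'sql-example'
    DatabaseName      = 'CallCenter'
}

# Policy: enable masking and name the SQL users excluded from masking
# (a semicolon-separated list). Administrators are always excluded,
# so keep this list as short as possible.
Set-AzSqlDatabaseDataMaskingPolicy @db -DataMaskingState Enabled `
    -PrivilegedUsers 'fraud_analyst'

# Rules: one per designated field (schema, table, column) plus a masking function.
$rules = @(
    # Credit card: exposes only the last four digits (XXXX-XXXX-XXXX-1234).
    @{ ColumnName = 'CardNumber'; MaskingFunction = 'CreditCardNumber' }
    # Email: exposes the first letter and replaces the domain.
    @{ ColumnName = 'Email'; MaskingFunction = 'Email' }
    # Random number: equal boundaries turn the mask into a constant.
    @{ ColumnName = 'Balance'; MaskingFunction = 'Number'; NumberFrom = 0; NumberTo = 0 }
    # Custom text: prefix[padding]suffix. Values shorter than the exposed
    # prefix plus suffix are returned as the padding string only.
    @{ ColumnName = 'Surname'; MaskingFunction = 'Text'
       PrefixSize = 1; SuffixSize = 1; ReplacementString = 'xxxx' }
    # Default: full masking according to the column's data type.
    @{ ColumnName = 'BirthDate'; MaskingFunction = 'Default' }
)
foreach ($rule in $rules) {
    New-AzSqlDatabaseDataMaskingRule @db -SchemaName 'dbo' -TableName 'Customers' @rule
}

# Review what is in force: the state, who is excluded, and every rule.
$policy = Get-AzSqlDatabaseDataMaskingPolicy @db
'State: {0}; excluded users: {1}' -f $policy.DataMaskingState, $policy.PrivilegedUsers
Get-AzSqlDatabaseDataMaskingRule @db |
    Select-Object SchemaName, TableName, ColumnName, MaskingFunction
```

Re-running the final review step after any change gives a quick record of which users bypass masking and which columns are covered.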

Set up dynamic data masking for your database using the REST API

You can use the REST API to programmatically manage data masking policy and rules. The published REST API supports the following operations:

Data masking policies

  • Create Or Update: Creates or updates a database data masking policy.
  • Get: Gets a database data masking policy.

Data masking rules