8.1.4 Masking Format

Masking format is a combination of change method and displayed characters when the masking condition is met. Masking format varies depending on the masking type. The following describes the masking format.

Full masking

With full masking, all characters are changed to values as determined by the database. Changed characters can be referenced in the pgx_confidential_values table. Also, replacement characters can be changed using the pgx_update_confidential_values system management function.

See

Refer to "8.3 Data Types for Masking" for information on the data types for which data masking can be performed.

Partial masking

With partial masking, data is changed according to the content in the function_parameters parameter. The method of specifying function_parameters varies depending on the data type.

Category	Method of specifying function_parameters
Numeric type	'replacementCharacter, startPosition, endPosition' replacementCharacter: Specify the number to display. Specify a value from 0 to 9. startPosition: Specify the start position of masking. Specify a positive integer. endPosition: Specify the end position of masking. Specify a positive integer that is greater than startPosition. Example Specify as below to change the values from the 1st to 5th digits to 9. function_parameters := '9, 1, 5' In this example, if the original data is "123456789", it will be changed to "999996789".
Character type	'inputFormat, outputFormat, replacementCharacter, startPosition, endPosition' inputFormat: Specify the current format of the data. Specify "V" for characters that will potentially be masked, and specify "F" for values such as spaces or hyphens that will not be masked. outputFormat: Define the method to format the displayed data. Specify "V" for characters that will potentially be masked. Any character to be output can be specified for each character "F" in inputFormat. If you want to output a single quotation mark, specify two of them consecutively. replacementCharacter: Specify any single character. If you want to output a single quotation mark, specify two of them consecutively. startPosition: Specify the position of "V" as the start position of masking. For example, to specify the position of the 4th "V" from the left, specify 4. Specify a positive integer. endPosition: Specify the position of "V" as an end position of masking. When working out the end position, do not include positions of "F". For example, to specify the position of the 11th "V" from the left, specify 11. Specify a positive integer that is greater than startPosition. Example Specify as below to mask a telephone number other than the first three digits using . function_parameters := 'VVVFVVVVFVVVV, VVV-VVVV-VVVV, , 4, 11' In this example, if the original data is "012-3156-7890", it will be changed to "012-**-**".
Date/timestamp type	'MDYHMS' M: Masks month. To mask month, enter the month from 1 to 12 after a lowercase letter m. Specify an uppercase letter M to not mask month. D: Masks date. To mask date, enter the date from 1 to 31 after a lowercase letter d. If a value bigger than the last day of the month is entered, the last day of the month will be displayed. Specify an uppercase letter D to not mask date. Y: Masks year. To mask year, enter the year from 1 to 9999 after a lowercase letter y. Specify an uppercase letter Y to not mask year. H: Masks hour. To mask hour, enter the hour from 0 to 23 after a lowercase letter h. Specify an uppercase letter H to not mask hour. M: Masks minute. To mask minute, enter the minute from 0 to 59 after a lowercase letter m. Specify an uppercase letter M to not mask minute. S: Masks second. To mask second, enter the second from 0 to 59 after a lowercase letter s. Specify an uppercase letter S to not mask second. Example Specify as below to mask hour, minute, and second and display 00:00:00. function_parameters := 'MDYh0m0s0' In this example, if the original data is "2022-02-10 10:10:10", it will be changed to "2022-02-10 00:00:00".

Category

Method of specifying function_parameters

Numeric type

'replacementCharacter, startPosition, endPosition'

replacementCharacter: Specify the number to display. Specify a value from 0 to 9.
startPosition: Specify the start position of masking. Specify a positive integer.
endPosition: Specify the end position of masking. Specify a positive integer that is greater than startPosition.

Example

Specify as below to change the values from the 1st to 5th digits to 9.

function_parameters := '9, 1, 5'

In this example, if the original data is "123456789", it will be changed to "999996789".

Character type

'inputFormat, outputFormat, replacementCharacter, startPosition, endPosition'

inputFormat: Specify the current format of the data. Specify "V" for characters that will potentially be masked, and specify "F" for values such as spaces or hyphens that will not be masked.
outputFormat: Define the method to format the displayed data. Specify "V" for characters that will potentially be masked. Any character to be output can be specified for each character "F" in inputFormat. If you want to output a single quotation mark, specify two of them consecutively.
replacementCharacter: Specify any single character. If you want to output a single quotation mark, specify two of them consecutively.
startPosition: Specify the position of "V" as the start position of masking. For example, to specify the position of the 4th "V" from the left, specify 4. Specify a positive integer.
endPosition: Specify the position of "V" as an end position of masking. When working out the end position, do not include positions of "F". For example, to specify the position of the 11th "V" from the left, specify 11. Specify a positive integer that is greater than startPosition.

Example

Specify as below to mask a telephone number other than the first three digits using *.

function_parameters := 'VVVFVVVVFVVVV, VVV-VVVV-VVVV, *, 4, 11'

In this example, if the original data is "012-3156-7890", it will be changed to "012-****-****".

Date/timestamp type

'MDYHMS'

M: Masks month. To mask month, enter the month from 1 to 12 after a lowercase letter m. Specify an uppercase letter M to not mask month.
D: Masks date. To mask date, enter the date from 1 to 31 after a lowercase letter d. If a value bigger than the last day of the month is entered, the last day of the month will be displayed. Specify an uppercase letter D to not mask date.
Y: Masks year. To mask year, enter the year from 1 to 9999 after a lowercase letter y. Specify an uppercase letter Y to not mask year.
H: Masks hour. To mask hour, enter the hour from 0 to 23 after a lowercase letter h. Specify an uppercase letter H to not mask hour.
M: Masks minute. To mask minute, enter the minute from 0 to 59 after a lowercase letter m. Specify an uppercase letter M to not mask minute.
S: Masks second. To mask second, enter the second from 0 to 59 after a lowercase letter s. Specify an uppercase letter S to not mask second.

Example

Specify as below to mask hour, minute, and second and display 00:00:00.

function_parameters := 'MDYh0m0s0'

In this example, if the original data is "2022-02-10 10:10:10", it will be changed to "2022-02-10 00:00:00".

See

Refer to "B.4.2 pgx_create_confidential_policy" for information on function_parameters.
Refer to "8.3 Data Types for Masking" for information on the data types for which masking can be performed.

Regular expression masking

With regular expression masking, data is changed according to the content of the regexp_pattern, regexp_replacement and regexp_flags parameters. For regexp_pattern, specify the search pattern using a regular expression. For regexp_replacement, specify the replacement character to use when data matches the search pattern. For regexp_flags, specify the regular expression flags.

Example

Specify as below to change all three characters starting from b to X.

regexp_pattern := 'b..'

regexp_replacement:= 'X'

regexp_flags := 'g'

In this example, if the original data is "foobarbaz", it will be changed to "fooXX".

See

Refer to "POSIX Regular Expressions" in the PostgreSQL Documentation and check pattern, replacement, and flags for information on the values that can be specified for regexp_pattern, regexp_replacement, and regexp_flags.
Refer to "8.3 Data Types for Masking" for information on the data types for which masking can be performed.

Note

When column data type is character(n) or char(n) and if the string length after change exceeds n, the extra characters will be truncated and only characters up to the nth character will be displayed.
When column data type is character varying(n) or varchar(n) and if the string length after change exceeds the length before the change, the extra characters will be truncated and only characters up to the length before change will be displayed.