This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We are using Transaction replication in our database. We need to mask a table which exists in both publisher and subscriber database.
When we are applying dynamic data masking on that table in both publisher and subscriber database, it get applied on publisher but on subscriber we can still see the unmasked data.
Could someone help me to conclude if Dynamic data masking is feasible in this scenario. Thanks
Hi @Murlidhar Patil , have you drop the UNMASK permission for the login on publisher and on subscriber? After you create Dynamic Data masking on publisher, the table script have been change or not on subscriber?
Thanks @CarrinWu-MSFT for reply -
Actually, we have existing table so we used alter table statement and applied it on both publisher and subscriber.
USE [PublisherDB]
--Customer table
ALTER TABLE [TableName]
ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
GO
USE [SubscriberDB]
--Customer table
ALTER TABLE [TableName]
ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
GO
We have unmask it for all other users using below query-
GRANT UNMASK TO ['UserNameToWhomWeWantToAllowUnmaskData']
and revoked unmask for the specific user.
REVOKE UNMASK TO ['UserNameToWhomWeWantToShowMaskedData']
This revoked user can see the data on subscriber database.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 3%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
I tested it on my local SQL server with both publication and subscription databases on it and it worked. I guess your publisher and subscriber are on the different servers. Make sure you run REVOKE UNMASK TO 'UserName' on both servers.
Thank you for reply..
Yes, my subscriber and publisher are on different servers. I have applied masking without unmasking for any of the user for testing.
For example, we have 2 databases A and B. Few tables are replicating from A to B and few from B to A.
Suppose we have Table1, Table2, Table3 on both the databases.
Table1 and Table2 are replicating from A to B and Table3 is replicating from B to A.
We have applied below queries to mask these 3 tables on both databases -
ALTER TABLE [Table1] ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE [Table2] ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE [Table3] ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
Now if I run select statement on A I can see Table1 and Table2 are masked and Table Table3 is unmasked.
At the same time if Run the select on B I can see Table3 is masked and Table1 and Table2 are unmasked.
Run this on the subscriber database:
EXECUTE AS USER = 'UserNameToWhomWeWantToShowMaskedData'
go
SELECT * FROM sys.user_token
go
REVERT
This will list all security tokens for this user on database level. If any of these tokens hold the UNMASK permission, the user will be able to see the data without masking.
Thank you for your reply.
I have checked this query and non of the user has unmask permission. Please see below example for details .
For example, we have 2 databases A and B. Few tables are replicating from A to B and few from B to A.
Suppose we have Table1, Table2, Table3 on both the databases.
Table1 and Table2 are replicating from A to B and Table3 is replicating from B to A.
We have applied below queries to mask these 3 tables on both databases -
ALTER TABLE [Table1] ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE [Table2] ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE [Table3] ALTER COLUMN [Name] ADD MASKED WITH (FUNCTION = 'default()');
Now if I run select statement on A I can see Table1 and Table2 are masked and Table Table3 is unmasked.
At the same time if Run the select on B I can see Table3 is masked and Table1 and Table2 are unmasked.
Hi @Murlidhar Patil ,
Welcome to Microsoft Q&A!
I made test for your question, and also get same result that can see the unmasked data on subscriber. In addition, if the Subscriber republishes data, the only supported schema changes are adding and dropping a column. These changes should be made on the Publisher using sp_repladdcolumn (Transact-SQL) and sp_repldropcolumn (Transact-SQL) rather than ALTER TABLE DDL syntax. Please refer to Transactional Replication.
Best regards,
Carrin
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi CarrinWu-MSFT, Thank you for your reply.
So should we conclude that masking is not possible in this replication scenario.
Hi @Murlidhar Patil , according to the link I provide before, there have some limitation for replicating schema changes. So if you would like to use Dynamic Data masking in transaction replication, I think you should ALTER TABLE in both publisher and subscriber database. Or you could deselect columns to be included in your replication process.
If the answer is helpful, please click "Accept Answer" and upvote it.
Hi @CarrinWu-MSFT ,
I am executing the ALTER TABLE on both Publisher and Subscriber database. The issue still exists.
As far as deselecting the column from replication is concern we cannot deselect it because that data needs to be synced. Thanks
Hi CarrinWu-MSFT,
I am executing the ALTER TABLE in both publisher and Subscriber and still seeing the unmasked data on subscriber.
As far as deselect columns from replication is concern, we will not be able to do that because we need that data to be synced.
Thanks you.
Unfortunately, I don't have the time to test myself.
However, I like point that dynamic data masking is a feature that is applied at run-time. That is, the data is stored in the same way, no matter whether it is masked or now.
Thus, if you are seeing different results at different servers, I can think of two reasons:
Thanks for the reply.
So I did test finally. I created a database on SQL 2017, and in this I created a single Orders table:
CREATE TABLE [dbo].[Orders](
[OrderID] [int] NOT NULL,
[CustomerID] [nchar](5) NULL,
[EmployeeID] [int] NULL,
[OrderDate] [datetime] NULL,
[RequiredDate] [datetime] NULL,
[ShippedDate] [datetime] NULL,
[ShipVia] [int] NULL,
[Freight] [money] NULL,
[ShipName] [nvarchar](40) NULL,
[ShipAddress] [nvarchar](60) MASKED WITH (FUNCTION = 'default()') NULL,
[ShipCity] [nvarchar](15) NULL,
[ShipRegion] [nvarchar](15) NULL,
[ShipPostalCode] [nvarchar](10) NULL,
[ShipCountry] [nvarchar](15) NULL,
CONSTRAINT [PK_Orders] PRIMARY KEY CLUSTERED
(
[OrderID] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
INSERT Orders SELECT * FROM Northwind..Orders
I verified that data was masked with a non-privileged user:
CREATE USER nonpriv WITHOUT LOGIN
go
GRANT SELECT ON Orders TO nonpriv
go
EXECUTE AS USER = 'nonpriv'
go
SELECT * FROM Orders
go
REVERT
I then created a publication for the database, including the table. I used plain simple Transactional Replication. I created a subscriber on SQL 2019. Once data had been replicated, I created my nonpriv user on the subscriber database. The data in the ShipAddress column was masked. If I view the table as myself, I the column is not masked as I am sysadmin.
Thanks for trying this.
Our scenario is we have existing tables which already has data and now we are masking it.
Could you please try below alter statement on both publisher and subscriber databases and then check the data for ShipName column on subscriber and publisher database.
USE [PublisherDB]
ALTER TABLE Orders
ALTER COLUMN [ShipName] ADD MASKED WITH (FUNCTION = 'default()');
GO
USE [SubscriberDB]
ALTER TABLE Orders
ALTER COLUMN [ShipName] ADD MASKED WITH (FUNCTION = 'default()');
GO
So on the publisher I ran:
ALTER TABLE Orders ALTER COLUMN ShipCity nvarchar(15) MASKED WITH (FUNCTION = 'default()') NULL
UPDATE Orders SET CustomerID = 'BERGS'
WHERE OrderID = 11000
`I verified that the user nonpriv now only saw xxxx in the ShipCity column.
I then moved over the to subscriber. Here nonpriv could still see the data in ShipCity. At the same time, the change in CustomerID for order 11000 was visible, so replication was clearly working, but apparently the DDL had not been replicated.
I then ran the ALTER TABLE statement on the subscriber, and the nonpriv user now only say the masked data.
As I don't use replication very often, I don't have knowledge of what the general rules are for ALTER TABLE changes and how they are replicated, so I cannot say if this is a general thing or a limitation specific to masking.