Hi @Sun Shine ,
Permissions for Dynamic Data masking;
You do not need any special permission to create a table with a dynamic data mask, only the standard CREATE TABLE and ALTER on schema permissions.
Adding, replacing, or removing the mask of a column, requires the ALTER ANY MASK permission and ALTER permission on the table. It is appropriate to grant ALTER ANY MASK to a security officer.
Users with SELECT permission on a table can view the table data. Columns that are defined as masked, will display the masked data. Grant the UNMASK permission to a user to enable them to retrieve unmasked data from the columns for which masking is defined.
The CONTROL permission on the database includes both the ALTER ANY MASK and UNMASK permission.
Refer to MS document Dynamic Data Masking.
>how doing data masking for the users who are not as windows & sql server users ???
If the users are not be added to SQL server(SQL logins or database users), users can not connect to SQL server databases, they all can’t access to dynamic data masking database. If users want to access Dynamic data masking databases, you need to add them to SQL server and give them the permissions that i mentioned above.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".