Date column masking and format change

Asharaf Ali 61 Reputation points
2022-06-16T22:06:07.707+00:00

Hello,

I have a datetime column with dynamic data masking applied on it using function ='default()'.

When apply some date format on this masked datetime column in SELECT , it always returns as xxxx, not in a date format. Is this the exact behavior?

eg. CONVERT(VARCHAR,P.DOB,23) -- xxxx

Thanks,
Ashru

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,352 questions
Transact-SQL
Transact-SQL
A Microsoft extension to the ANSI SQL language that includes procedural programming, local variables, and various support functions.
4,682 questions
{count} votes

Accepted answer
  1. Erland Sommarskog 115.9K Reputation points MVP
    2022-06-17T21:01:46.493+00:00

    I explored this a little more, and I think I understand what happens: the masking is applied after the conversion. Thus, since it is a string at this point, you get xxxx.

    I will also submit that this is what you want. Consider:

       CREATE USER stisse WITHOUT LOGIN  
       CREATE TABLE Orvar (d varchar(20) MASKED WITH (FUNCTION = 'default()'))  
         
       INSERT Orvar(d) VALUES('20220125')  
         
       GRANT SELECT ON Orvar TO stisse  
       go  
       EXECUTE AS USER = 'stisse'  
       go  
       SELECT d, convert(datetime, d, 23)  FROM Orvar  
       go  
       REVERT  
       go  
       DROP USER stisse  
       DROP TABLE Orvar  
    

    This is the output:

    ![![212622-image.png][1]][1]

    Now, imagine that masking had occurred at the source. In that case, the conversion to datetime would have failed, since xxxx cannot be converted to datetime.

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Erland Sommarskog 115.9K Reputation points MVP
    2022-06-17T06:28:18.193+00:00

    For Li who did not understand the question, here is a demo:

       CREATE TABLE Orvar (d datetime MASKED WITH (FUNCTION = 'default()'))  
         
       INSERT Orvar(d) VALUES(sysdatetime())  
         
       GRANT SELECT ON Orvar TO public  
       go  
       EXECUTE AS USER = 'guest'  
       go  
       SELECT d, convert(varchar(23), d, 23)  FROM Orvar  
       go  
       REVERT  
    

    I have not dug into Dynamic Data Masking with that much detail, so the only answer I can give to Ashru's question is: Apparently.

    1 person found this answer helpful.
    0 comments No comments

  2. Tom Phillips 17,741 Reputation points
    2022-06-17T17:34:38.287+00:00

    That is because you are converting it to a string.

    For string data types, use XXXX or fewer Xs if the size of the field is fewer than 4 characters (char, nchar, varchar, nvarchar, text, ntext).

    See:
    https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16#defining-a-dynamic-data-mask

    1 person found this answer helpful.
    0 comments No comments

  3. Asharaf Ali 61 Reputation points
    2022-06-17T16:29:16.113+00:00

    ErlandSommarskog's comment exactly describes my case. But see below to understand what exactly it returns at my end.

    SELECT d, convert(varchar(23), d, 23) FROM Orvar -- Output: 1900-01-01, "xxxx" (Exactly 4 Xs)

    0 comments No comments

  4. Asharaf Ali 61 Reputation points
    2022-06-18T19:14:09.77+00:00

    Thank you ErlandSommarskog. Yes the masking applies after conversion.

    In my case the column datatype should be datetime of type. I tested the modifying it to datetime datatype, and when SELECT data I converted to date related datatypes, as below.

    SELECT convert(date, d2, 23) -- Used date datatype to remove time.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.