Dynamic Data Masking in the execution plan

Arthur-Daniels, 2019-02-07

I think Dynamic Data Masking is pretty cool. The idea is basically to provide a mask for certain users when they might see protected data. The documentation on this feature is actually pretty deep, it’s worth a look.

I just want to show you how you can see the masking in an execution plan. Let’s mask some data in StackOverflow2010! (Also, there’s an interesting side note at the end)

First, what the administrator sees

SELECT Location
FROM Users as u
WHERE u.Reputation = 1001

And of course, the administrator’s execution plan!

Applying the data mask

ALTER TABLE Users 
ALTER COLUMN Location 
ADD MASKED WITH (FUNCTION = 'default()')

That’s pretty straightforward. As far as I can tell, you can’t define a custom mask. I was going to leave a joke as the mask but oh well!

What it looks like to a user (+the data mask execution plan)

Luckily there’s a test script on the information page for Dynamic Data Masking. That makes this part easier. Here’s my slight variation of it.

CREATE USER User1 WITHOUT LOGIN;  
GRANT SELECT ON Users TO User1;  
GRANT SHOWPLAN  TO User1;  
EXECUTE AS USER = 'User1';  
SELECT Location
FROM Users as u
WHERE u.Reputation = 1001;
REVERT;

This was actually trickier than I expected. Let’s take a look at the results.

And the main event, the new execution plan:

Reviewing the data mask execution plan

The only difference is that Compute Scalar operator. Let’s take a look at it.

Okay, cool it’s Expr1001. What is that in words we can understand?

[Expr1001] = Scalar Operator(
DataMask([StackOverflow2010].[dbo].[Users].[Location] 
as .[Location],0x07000000,(1),(0),(0),(0)))

Aha. That’s pretty cool, since this scalar function isn’t applied until the data is being retrieved, that saves it from doing extra work. This also explains why there’s warnings on the documentation about ad hoc queries.

If someone has ad hoc query access and you’re using Dynamic Data Masking, the predicates are still literally applied.

Bonus chapter: What about intermediate results storage, like temp tables?

Well, this should be interesting. Let’s load the results of the previous query into a temp table and then filter.

EXECUTE AS USER = 'User1';  
SELECT Location
into #temp
FROM Users as u
WHERE u.Reputation = 1001
SELECT * FROM #temp
WHERE Location = 'Switzerland'
DROP TABLE #temp;
REVERT;

Uh oh. I didn’t get any rows back:

Here’s the execution plan, highlighting where the filter was applied:

What if I run the same query as my normal admin account?

I get the same execution plan actually! Even including the Compute Scalar. But this time, my query returns one row.

Well, what do you think? To me, it looks like there could be some oddities when using temp tables with data masking.

Thanks for reading this abnormally long post. I might like execution plans a bit. Stay tuned!

Rate

Share

Share

Rate

Related content

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

Robert Davis

2009-02-23

1,567 reads

Networking – Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I’d like to talk about social networking. We’ll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let…

Andy Warren

2009-02-17

1,530 reads

Speaking at Community Events – More Thoughts

Last week I posted Speaking at Community Events – Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I’ve got a few more thoughts on the topic this week, and I look forward to your comments.

Andy Warren

2009-02-13

360 reads