Applies to: 
Kyvos Enterprise Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace
...
Kyvos also allows unconditional column data masking, which is another form of security. It enables you to protect sensitive data by masking columns instead of restricting them. This feature allows for easy masking of any column data, such as SSNs, mobile numbers, credit card numbers, and email IDs, while browsing the semantic model on any BI tool.
See the section Column masking for column-level security for more details.
Setting semantic model data security
...
Setting up row-level security
| Anchor | ||||
|---|---|---|---|---|
|
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Note From Kyvos 2024.10 onwards, for Row-Level Security (RLS), applied on a column will respect on its metadata as well. This ensures that a filter listing query for one column will respect security filters on other columns within the same dimension when metadata is available. Ensure that If RLS is applied to a particular dimension, it must be uniformly applied to all levels and attributes within that dimension. This metadata-based filtering is supported in SQL, MDX, and third-party BI tools. For example, if RLS is applied on hierarchy Category such that, ‘Category is in the list Electronics’ then metadata of all the fields should be filtered as per Category. |
To set up row-level security (RLS), perform the following steps.
...
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Note
|
...
...
Column masking for Column Level Security
...
| Anchor | ||||
|---|---|---|---|---|
|
Masking can be applied to a single-level hierarchy, multilevel hierarchy, Parent Child Hierarchy, attributeparent-child hierarchy, attributes, base measuremeasures, calculated measuremeasures, and measure measures used in the calculation.
...
| panelIconId | atlassian-note |
|---|---|
| panelIcon | :note: |
| bgColor | #DEEBFF |
...
calculations. For column-level security, both unconditional and conditional masking can be applied. By implementing masking at the column level, you can effectively manage data accessibility and privacy, ensuring that users only access information necessary for their roles while protecting sensitive data from exposure.
Unconditional column masking: Applies masking to specific columns. It is supported for both Spark and No-Spark-based deployments
Conditional column masking (Beta): Applies masking only part of the data while masking based on specific conditions It is supported only for No-Spark-based deployments.
Important points to know
Common for unconditional and conditional column masking:
Column masking is not applied to Member Properties, Unknown and Calculated members, and Predefined time type hierarchy.
Caching not supported for masking.
Column masking not supported on PCH and advanced hierarchies.
Currently, column masking does not support the SQL interface.
Partial masking on numerical dimension field is not supported.
The original column data is preserved while masking because numeric data is masked with a number, and a date is masked with a date. You can specify a fixed pattern or a Regex expression for any string data type.
The masked value is displayed while browsing the semantic model on any BI tool with an MDX connection.
If using Tilde (~) for column masking and want to apply a filter on the masked value from Kyvos UI, then you must change the value of the field value separator as the default value of the kyvos.filter.value.separator property is also Tilde (~). Hence, you must change the default value of this property so that column masking with the Tilde character can function.
To apply column masking to a pre-defined hierarchy, you
...
must select the full name of the hierarchy.
You can also create, delete, update, save, and assign column
...
masking
...
rules by using the Security Rest API's
...
.
For conditional column masking:
The masking condition created using OR not supported.
Measure masking is not supported for the BI tools.
Measure masking condition on the field where display field also present is not supported.
Data conditions are only allowed on dimensions (level or attribute).
Conditional masking on date field is not supported.
Merging of measure values against fully masked only attribute or single level hierarchy is not supported.
Some of the filter condition on the dimension is not supported
Unconditional column masking
| Anchor | ||||
|---|---|---|---|---|
|
In unconditional column masking, the entire column is masked uniformly. In this approach, any user who accesses the masked column will see only obfuscated or masked values rather than the actual data, regardless of their access permissions.
To apply unconditional column masking for Column Level Security (CLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
Click the Action menu (...) in the work area, then click Data Security.
If the option is not displayed, you must save the semantic model and try again.Click users or groups that this rule will apply to.
Click the plus sign in the Rules column.
Add a rule name and description.
From the Column Level area, click the Mask Data link, and then select the field on which you want to apply the column masking. By default, the Mask data is applied. This indicates unconditional data mask.
Click the value link, and the Mask with dialog box is displayed. You must enter the required value for unconditional column masking. The available choices vary depending on the data you are using.
For any string data type, choose one of the following:
Fixed: Use this option to specify a fixed value for column masking. Enter a value that you want to apply for column masking. The entered value is displayed in the Preview area.
NOTE: You can specify any character or special characters, such as #, *, @. If you keep the field blank, then while semantic model browsing, the field value is displayed as blank.
Regex: Use this option to specify a Regex expression for column masking.
Enter a Regex expression that you want to specify for the field value, and then provide a value that you want to use for column masking.
You can also select a Regex expression from the Choose from common expressions list.
To verify whether the Regex expression is successfully masked with the value, enter a relevant value in the Test Value field. The result is displayed in the Preview field. If the expression is not masked successfully, you can modify the expression, as needed.
NOTE: In an expression, the Delimiter (/) and the flags (g,m,i,u,s,d) are not supported.
Click the plus sign to add additional fields, if required.
Click Add.
Unconditional column masking using the Fixed pattern
...
Conditional masking (Beta)
| Anchor | ||||
|---|---|---|---|---|
|
Conditional column masking allows for more granular control by masking data in a column based on certain conditions.
To apply conditional column masking for Column Level Security (CLS), perform the following steps.
From the Toolbox, click Semantic Models.
Select the semantic model name from the list and click the Process tab if needed.
Click the Action menu (...) in the work area, then click Data Security.
If the option is not displayed, you must save the semantic model and try again.Click users or groups that this rule will apply to.
Click the plus sign in the Rules column.
Add a rule name and description.
From the Column Level area, click Mask Data and select Conditionally mask data, and then select the field on which you want to apply the column masking.
Click the Conditional Mask Data link and click the field link. The field list is displayed. Select the field that you want to conditionally mask.
Click the value link, and the Conditional Mask with dialog box is displayed. You must enter the required value for unconditional conditional column masking. The available choices vary depending on the data you are using.
For any string data type, choose one of the following:
Fixed: Use this option to specify a fixed value for column masking.
Enter a value that you want to apply for column masking. The entered value is displayed in the Preview area.
NOTE: You can specify any character or special characters, such as #, *, @. If you keep the field blank, then while semantic model browsing, the field value is displayed as blank.
Regex: Use this option to specify a Regex expression for column masking.
Enter a Regex expression that you want to specify for the field value, and then provide a value that you want to use for column masking.
You can also select a Regex expression from the Choose from common expressions list.
To verify whether the Regex expression is successfully masked with the value, enter a relevant value in the Test Value field. The result is displayed in the Preview field. If the expression is not masked successfully, you can modify the expression, as needed.
NOTE: In an expression, the Delimiter (/) and the flags (g,m,i,u,s,d) are not supported.
Select the field through which you want to set a condition for conditional column masking.
Click the plus sign to add additional fields, if required.
Click Add.
Conditional column masking using the Regex pattern
...
Examples of rule criteria
...