Data Masker

JSON Masker Rules

This documentation is only suitable for Data Masker for SQL Server.

Replace sensitive data stored inside JSON data with values from a configured datasets. 


Given a table that contains JSON data, Data Masker can replace data within that JSON.

  • Create a rule with the wildcard key name FirstName and the dataset Names, First Names, Male + Female

432{ "FirstName": "Mark" }{ "FirstName": "Andrew" }
1765{ "FirstName": "Steve" }{ "FirstName": "Mary" }
2563{ "FirstName": "Laura" }{ "FirstName": "Hannah" }


Core Concepts

Matching keys

JSON keys can be matched in a number of ways. Note that all methods are case sensitive by default.

Wildcard key name

Matches a key by name at and point of the JSON data. This may match multiple keys.

For example, using the wild card FirstName against the following JSON would match the items in bold.

{ "FirstName": "Mark", "Manager": { "FirstName": "John"  } }


Matches a single key given the specification provided. By default, this uses SQL Server's JSON_MODIFY so is limited to the subset of JSONPath it supports.

For example, using $.Manager.FirstName against the following JSON would match the items in bold.

{ "FirstName": "Mark", "Manager": { "FirstName": "John"  } }

Allow complex JSONPath specification

Allow the full power of JSONPath to match multiple keys with the provided specification. This requires the JSON data to be passed back to Data Masker for replacement, so may run slower. 

For example, using $.[?(@.FirstName=='Steve')].Manager.FirstName against the following JSON would match the items in bold. Online JSONPath evaluators such as this one can be used to test your JSON path. Be aware that supported features of JSONPath can change between implementations and versions so you should always test your final JSONPath in Data Masker.

    { "FirstName": "Mark", "Manager" : { "FirstName" : "John"} },
    { "FirstName": "Steve", "Manager" : { "FirstName" : "Tom"} }


Each dataset provides a set of options that are specific to that dataset to allow for "fine-tuning" of the data used in substitutions. 

Data Masker's predefined datasets support a number of common concepts but it is possible to define your own dataset if you need something more specific.

By default, the datasets are located in a directory named Datasets immediately below the Data Masker installation directory and can be changed on the Misc. Setup Tab.

Advanced concepts

Matching multiple keys in a single piece of JSON data

If you use wildcard keys or a complex JSONPath, you may match multiple keys in a single piece of data. In this case the same replacement value will be used for all matched keys.

Replacing different keys with different data sets

JSON masker rules support a single dataset. To mask different keys with different data, you should create multiple JSON masker rules. Be sure to run these in serial to ensure all data is masked consistently.

JSON data can contain sensitive data you didn't expect

JSON data can have have keys you didn't account for when creating the masking set. It may be worth considering if additional keys may be added and including a catch all rule with a complex JSONPath – these can include a * index to match all keys on an object (e.g. $.person.[*]).

Didn't find what you were looking for?