JSON Masker Rules
Published 06 January 2020
This documentation is only suitable for Data Masker for SQL Server.
Replace sensitive data stored inside JSON data with values from a configured datasets.
Example
Given a table that contains JSON data, Data Masker can replace data within that JSON.
- Create a rule with the wildcard key name
FirstNameand the dataset Names, First Names, Male + Female
| BEFORE | AFTER | |
|---|---|---|
| Id | json_data | json_data |
| 432 | { "FirstName": "Mark" } | { "FirstName": "Andrew" } |
| 1765 | { "FirstName": "Steve" } | { "FirstName": "Mary" } |
| 2563 | { "FirstName": "Laura" } | { "FirstName": "Hannah" } |
Core Concepts
Matching keys
JSON keys can be matched in a number of ways. Note that all methods are case sensitive by default.
Wildcard key name
Matches a key by name at and point of the JSON data. This may match multiple keys.
For example, using the wild card FirstName against the following JSON would match the items in bold.
{ "FirstName": "Mark", "Manager": { "FirstName": "John" } }
JSONPath
Matches a single key given the specification provided. By default, this uses SQL Server's JSON_MODIFY so is limited to the subset of JSONPath it supports.
For example, using $.Manager.FirstName against the following JSON would match the items in bold.
{ "FirstName": "Mark", "Manager": { "FirstName": "John" } }
Allow complex JSONPath specification
Allow the full power of JSONPath to match multiple keys with the provided specification. This requires the JSON data to be passed back to Data Masker for replacement, so may run slower.
For example, using $.[?(@.FirstName=='Steve')].Manager.FirstName against the following JSON would match the items in bold. Online JSONPath evaluators such as this one can be used to test your JSON path. Be aware that supported features of JSONPath can change between implementations and versions so you should always test your final JSONPath in Data Masker.
[ { "FirstName": "Mark", "Manager" : { "FirstName" : "John"} }, { "FirstName": "Steve", "Manager" : { "FirstName" : "Tom"} }]
Datasets
Each dataset provides a set of options that are specific to that dataset to allow for "fine-tuning" of the data used in substitutions.
Data Masker's predefined datasets support a number of common concepts but it is possible to define your own dataset if you need something more specific.
By default, the datasets are located in a directory named Datasets immediately below the Data Masker installation directory and can be changed on the Misc. Setup Tab.
Advanced concepts
Matching multiple keys in a single piece of JSON data
If you use wildcard keys or a complex JSONPath, you may match multiple keys in a single piece of data. In this case the same replacement value will be used for all matched keys.
Replacing different keys with different data sets
JSON masker rules support a single dataset. To mask different keys with different data, you should create multiple JSON masker rules. Be sure to run these in serial to ensure all data is masked consistently.
JSON data can contain sensitive data you didn't expect
JSON data can have have keys you didn't account for when creating the masking set. It may be worth considering if additional keys may be added and including a catch all rule with a complex JSONPath – these can include a * index to match all keys on an object (e.g. $.person.[*]).
