Dynamic Data Masking Best Practices

Here are some best practices for implementing dynamic data masking in Data Cloud.

• Identify sensitive data: Before you apply masking, identify which data fields are considered sensitive and need protection. For example, protect PII, financial records, and medical data.
• Role-based masking: Use role-based access controls to determine who sees what data. For example, senior managers can have access to full data, while other users see redacted or partially masked fields.
• Balance usability and security: Ensure that masking protects sensitive data while still allowing users to perform their tasks effectively. Aim for a balance between data protection and usability.
• Avoid masking key fields used in joins and queries: Masking fields that are used as join keys or in query filters can result in incorrect or incomplete result sets. To maintain query accuracy, avoid applying masking to fields that are critical for data relationships or filtering. A row-level security (RLS) with joins policy on masked key values doesn't return any results. Similarly, related lists based on masked fields don't show any data.