# Dynamic Data Masking
## Create Masks

In [91]:
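-- Baseline check: list every column that currently has a masking function.
-- The schema name is reported alongside the table name because this notebook
-- works in two schemas (HR and SalesLT) and a bare table name does not say
-- which schema a mask belongs to.
SELECT
    c.name
    , SCHEMA_NAME(tbl.schema_id) AS schema_name
    , tbl.name AS table_name
    , c.is_masked
    , c.masking_function
FROM sys.masked_columns AS c
INNER JOIN sys.tables AS tbl
    ON c.[object_id] = tbl.[object_id]
WHERE c.is_masked = 1;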

In [92]:
-- Disabled in this run: the default() mask on DOB is not applied, so DOB is
-- returned in clear text by the queries later in this notebook.
-- Note that the Cleanup cell still issues DROP MASKED for DOB.
--ALTER TABLE [HR].Employees
--ALTER COLUMN DOB ADD MASKED WITH (FUNCTION = 'default()');

In [93]:
-- Mask PayRate with default(): principals without UNMASK receive the data
-- type's placeholder (0 for numeric types, 'XXXX' for string types) instead
-- of the stored value. The data on disk is not changed.
ALTER TABLE [HR].[Employees]
    ALTER COLUMN [PayRate]
        ADD MASKED WITH (FUNCTION = 'default()');

In [94]:
-- Mask Age with random(18, 65): principals without UNMASK see a random number
-- in that range on each read. random() applies to numeric columns only.
ALTER TABLE [HR].[Employees]
    ALTER COLUMN [Age]
        ADD MASKED WITH (FUNCTION = 'random(18, 65)');

In [95]:
-- Mask EmailAddress with email(): the first character of the address stays
-- visible and the rest is replaced, in the form aXXX@XXXX.com.
ALTER TABLE [SalesLT].[Customer]
    ALTER COLUMN [EmailAddress]
        ADD MASKED WITH (FUNCTION = 'email()');

In [96]:
-- Mask SocialSecurityNumber with partial(prefix, padding, suffix):
-- 0 leading characters are shown, "XXX-XX-" is substituted for the middle,
-- and the last 4 characters stay visible to every reader with SELECT.
-- Confirm that exposing the last four digits is acceptable for this data.
ALTER TABLE [HR].[Employees]
    ALTER COLUMN [SocialSecurityNumber]
        ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');

In [97]:
-- Disabled in this run: the partial() mask on CreditCard is not applied, so
-- the full CreditCard value is returned by the queries later in this notebook.
-- If enabled, the mask would keep only the last 4 characters visible.
-- Note that the Cleanup cell still issues DROP MASKED for CreditCard.
--ALTER TABLE [SalesLT].[Customer]
--ALTER COLUMN [CreditCard] ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)')

In [98]:
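-- Verification: re-run the catalog query to confirm which masks are now in
-- place. Any sensitive column missing from this result is still returned in
-- clear text. The schema name is included because a bare table name does not
-- say whether a mask belongs to HR or SalesLT.
SELECT
    c.name
    , SCHEMA_NAME(tbl.schema_id) AS schema_name
    , tbl.name AS table_name
    , c.is_masked
    , c.masking_function
FROM sys.masked_columns AS c
INNER JOIN sys.tables AS tbl
    ON c.[object_id] = tbl.[object_id]
WHERE c.is_masked = 1;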

## Create User and Query Tables

In [99]:
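-- Create a login-less database user to demonstrate what a low-privileged
-- reader sees. The existence check lets this cell be re-run when TestUser is
-- already present; an unguarded CREATE USER would fail on the second run.
IF DATABASE_PRINCIPAL_ID(N'TestUser') IS NULL
    CREATE USER TestUser WITHOUT LOGIN;

-- SELECT only: no UNMASK, so masked columns come back masked for this user.
GRANT SELECT ON [HR].Employees TO TestUser;
GRANT SELECT ON [SalesLT].[Customer] TO TestUser;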

In [100]:
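-- Query both tables as TestUser, who has SELECT but not UNMASK.
-- Columns with a masking function are returned masked. Columns whose
-- ADD MASKED statement was left commented out earlier in this notebook
-- (DOB, CreditCard) are returned in clear text.
--
-- Limitation to keep in mind: masking only rewrites the values in the result
-- set. Predicates are still evaluated against the stored data, so Dynamic
-- Data Masking does not replace column permissions, row-level security or
-- encryption for users who can run ad-hoc queries.
EXECUTE AS USER = 'TestUser';

-- ORDER BY makes TOP 10 deterministic, so this run and the later unmasked run
-- show the same rows and can be compared side by side.
-- Assumes EmployeeNumber identifies a row; TODO confirm.
SELECT  TOP 10
        EmployeeNumber
        , EmployeeName
        , DOB
        , Age
        , PayRate
        , SocialSecurityNumber
FROM [HR].Employees
ORDER BY EmployeeNumber;

-- Assumes CustomerID identifies a row; TODO confirm.
SELECT  TOP 10
        CustomerID
        , FirstName
        , LastName
        , EmailAddress
        , CreditCard
FROM    [SalesLT].[Customer]
ORDER BY CustomerID;

-- Return to the original security context.
REVERT;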

## Grant the User UNMASK Permission and Query Again

In [101]:
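-- UNMASK granted this way is database-wide: it lifts every mask in the
-- database for TestUser, not only the masks on the two tables queried here.
-- Engines that support granular UNMASK (SQL Server 2022, Azure SQL Database)
-- can scope the grant to a schema, table or column instead.
GRANT UNMASK TO TestUser;

EXECUTE AS USER = 'TestUser';

-- Same queries as the masked run. ORDER BY makes TOP 10 deterministic so the
-- two result sets cover the same rows.
-- Assumes EmployeeNumber identifies a row; TODO confirm.
SELECT  TOP 10
        EmployeeNumber
        , EmployeeName
        , DOB
        , Age
        , PayRate
        , SocialSecurityNumber
FROM [HR].Employees
ORDER BY EmployeeNumber;

-- Assumes CustomerID identifies a row; TODO confirm.
SELECT  TOP 10
        CustomerID
        , FirstName
        , LastName
        , EmailAddress
        , CreditCard
FROM    [SalesLT].[Customer]
ORDER BY CustomerID;

-- Return to the original security context before changing permissions.
REVERT;

-- Withdraw the permission again. If the batch aborts before reaching this
-- line, TestUser keeps UNMASK: re-run the REVOKE on its own in that case.
REVOKE UNMASK FROM TestUser;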

## Cleanup

In [102]:
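-- Cleanup: remove the demo masks and the test principal.
-- Each DROP MASKED runs only if the column currently has a mask, so the cell
-- does not depend on which of the optional ADD MASKED statements were enabled
-- earlier in this notebook (the DOB and CreditCard masks are commented out).
IF EXISTS (
    SELECT 1
    FROM sys.masked_columns
    WHERE [object_id] = OBJECT_ID(N'HR.Employees')
      AND name = N'DOB'
      AND is_masked = 1
)
    ALTER TABLE HR.Employees
    ALTER COLUMN DOB DROP MASKED;
GO
IF EXISTS (
    SELECT 1
    FROM sys.masked_columns
    WHERE [object_id] = OBJECT_ID(N'HR.Employees')
      AND name = N'Age'
      AND is_masked = 1
)
    ALTER TABLE HR.Employees
    ALTER COLUMN Age DROP MASKED;
GO
IF EXISTS (
    SELECT 1
    FROM sys.masked_columns
    WHERE [object_id] = OBJECT_ID(N'HR.Employees')
      AND name = N'PayRate'
      AND is_masked = 1
)
    ALTER TABLE HR.Employees
    ALTER COLUMN PayRate DROP MASKED;
GO
IF EXISTS (
    SELECT 1
    FROM sys.masked_columns
    WHERE [object_id] = OBJECT_ID(N'HR.Employees')
      AND name = N'SocialSecurityNumber'
      AND is_masked = 1
)
    ALTER TABLE HR.Employees
    ALTER COLUMN SocialSecurityNumber DROP MASKED;
GO
IF EXISTS (
    SELECT 1
    FROM sys.masked_columns
    WHERE [object_id] = OBJECT_ID(N'SalesLT.Customer')
      AND name = N'EmailAddress'
      AND is_masked = 1
)
    ALTER TABLE [SalesLT].[Customer]
    ALTER COLUMN EmailAddress DROP MASKED;
GO
IF EXISTS (
    SELECT 1
    FROM sys.masked_columns
    WHERE [object_id] = OBJECT_ID(N'SalesLT.Customer')
      AND name = N'CreditCard'
      AND is_masked = 1
)
    ALTER TABLE [SalesLT].[Customer]
    ALTER COLUMN CreditCard DROP MASKED;
GO
-- Drop the test principal so that no user with SELECT on these tables is left
-- behind once the masks are gone. Dropping the user also removes its grants.
DROP USER IF EXISTS TestUser;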