| Author | Sander Stad (@sqlstad, sqlstad.nl) , Chrissy LeMaire (@cl, netnerds.net) |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out New-DbaDbMaskingConfig on GitHub.
Want to see the Bill Of Health for this command? Check out New-DbaDbMaskingConfig.
Scans database tables to detect sensitive data and creates a JSON configuration file for data masking
Analyzes SQL Server database tables and columns to automatically detect potentially sensitive information (PII) and generates a JSON configuration file that defines how to mask each identified column. The function uses pattern matching against column names and data sampling to identify sensitive data like Social Security Numbers, email addresses, phone numbers, and other PII based on predefined patterns and known column naming conventions.
The generated configuration file is consumed by Invoke-DbaDbDataMasking to perform the actual data masking operations. This two-step process allows you to review and customize the masking strategy before applying changes to your data, making it safer for creating development and testing environments from production databases.
The function intelligently determines appropriate masking methods based on data type and detected PII category - for example, dates get randomized to past dates, monetary values use commerce pricing patterns, and strings get realistic fake data rather than simple scrambling. You can customize the detection process using your own pattern files and known name definitions to handle organization-specific sensitive data patterns.
Note that the following column and data types are not currently supported:
Identity
ForeignKey
Computed
Hierarchyid
Geography
Geometry
Xml
Read more here:
https://sachabarbs.wordpress.com/2018/06/11/bogus-simple-fake-data-tool/
https://github.com/bchavez/Bogus
New-DbaDbMaskingConfig
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-Table] <String[]>]
[[-Column] <String[]>]
[-Path] <String>
[[-Locale] <String>]
[[-CharacterString] <String>]
[[-SampleCount] <Int32>]
[[-KnownNameFilePath] <String>]
[[-PatternFilePath] <String>]
[-ExcludeDefaultKnownName]
[-ExcludeDefaultPattern]
[-Force]
[[-InputObject] <Object[]>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> New-DbaDbMaskingConfig -SqlInstance SQLDB1 -Database DB1 -Path C:\Temp\clone
Process all tables and columns for database DB1 on instance SQLDB1
PS C:\> New-DbaDbMaskingConfig -SqlInstance SQLDB1 -Database DB1 -Table Customer -Path C:\Temp\clone
Process only table Customer with all the columns
PS C:\> New-DbaDbMaskingConfig -SqlInstance SQLDB1 -Database DB1 -Table Customer -Column City -Path C:\Temp\clone
Process only table Customer and only the column named "City"
Path where to save the generated JSON files.
Th naming convention will be "servername.databasename.tables.json"
| Alias | |
| Required | True |
| Pipeline | false |
| Default Value |
The target SQL Server instance or instances.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Databases to process through
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Tables to process. By default all the tables will be processed
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Columns to process. By default all the columns will be processed
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Set the local to enable certain settings in the masking
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | en |
The characters to use in string data. 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' by default
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 |
Amount of rows to sample to make an assessment. The default is 100
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | 100 |
Points to a file containing the custom known names
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Points to a file containing the custom patterns
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Excludes the default known names
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Excludes the default patterns
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Forcefully execute commands when needed
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Used for piping the values from Invoke-DbaDbPiiScan
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Shows what would happen if the command were to run. No actions are actually performed.
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value |
Prompts you for confirmation before executing any changing operations within the command.
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value |