Generate Masking Rules

The security label syntax has many advantages, but with hundreds of columns, writing and maintaining a policy becomes harder.

The idea here is to introduce a simplified JSON format to describe the masking policy.

{
    "tables": [
        {
            "public.users": {
                "where": "user_id > 500",
                "comment": "users below 500 are not masked !",
                "columns": [
                    {
                        "user_id": {
                            "value": "NULL",
                            "comment": "This data is removed"
                        },
                        "surname": {
                            "function": "anon.dummy_last_name()"
                        }
                    }
                ]
            }
        },
        {
            "foo.bar": {
                "tablesample": "SYSTEM(0)"
            }
        }
    ],
    "parameters": {
        "url": "https://wikipedia.it",
        "city": "Roma",
        "postcode": "OOO42"
    }
}

That JSON config file would be used to generate a SQL file containing all the rules:

anon generate config.json > masking_policy.sql
Edited by damien clochard
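
A sketch of the generation step, added here as an illustration and not taken from the project's code: it turns the "columns" and "tablesample" keys into SECURITY LABEL statements and rejects table or column keys that are not plain identifiers. The function names and the "email" column are hypothetical, and "where", "comment" and "parameters" are ignored because the issue does not say which SQL they should produce.

```python
import json
import re

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def ident(name):
    """Accept only plain identifiers so a key cannot smuggle SQL into the output."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name

def label(kind, target, rule):
    """Build one SECURITY LABEL statement; the rule sits in a SQL string literal."""
    escaped = rule.replace("'", "''")  # double single quotes inside the literal
    return f"SECURITY LABEL FOR anon ON {kind} {target} IS '{escaped}';"

def generate(policy):
    """Translate the proposed JSON layout into a list of SQL statements."""
    out = []
    for entry in policy.get("tables", []):
        for table, spec in entry.items():
            target = ".".join(ident(part) for part in table.split("."))
            if "tablesample" in spec:
                out.append(label("TABLE", target, "TABLESAMPLE " + spec["tablesample"]))
            for group in spec.get("columns", []):
                for column, rule in group.items():
                    col = f"{target}.{ident(column)}"
                    # The masking expression itself is trusted policy content.
                    if "function" in rule:
                        out.append(label("COLUMN", col, "MASKED WITH FUNCTION " + rule["function"]))
                    elif "value" in rule:
                        out.append(label("COLUMN", col, "MASKED WITH VALUE " + rule["value"]))
    return out

# Constructed sample: a trimmed copy of the issue's policy plus one quoted value.
SAMPLE = json.loads("""
{"tables": [
  {"public.users": {"columns": [{
      "user_id": {"value": "NULL"},
      "surname": {"function": "anon.dummy_last_name()"},
      "email":   {"value": "'CONFIDENTIAL'"}}]}},
  {"foo.bar": {"tablesample": "SYSTEM(0)"}}
]}
""")

if __name__ == "__main__":
    print("\n".join(generate(SAMPLE)))
```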