Skip to content

Update masking policy permissions documentation #990

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mintlify wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Update masking policy permissions documentation #990

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
121ed7d
Update docs/security/data-masking/access-unmasked-data.mdx
mintlify[bot] Jan 16, 2026
38e3856
Update docs/security/data-masking/global-masking-rule.mdx
mintlify[bot] Jan 16, 2026
fae67ae
Update docs/administration/roles.mdx
mintlify[bot] Jan 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/administration/roles.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,10 @@ Bytebase provides two types of roles:

Organizations can create custom roles with specific permission sets tailored to their needs. Custom roles are defined at the workspace level and can be granted at both workspace and project levels.

<Tip>
**Granular Permissions:** Bytebase provides granular permissions for sensitive operations like masking policies. For example, instead of generic `bb.policies.create/update/delete` permissions, you can grant specific permissions like `bb.policies.createMaskingExemptionPolicy` or `bb.policies.updateMaskingRulePolicy` to control access to masking exemptions and global masking rules separately.
</Tip>

### Granting Roles

Roles are granted through IAM policies at two levels:
Expand Down
2 changes: 1 addition & 1 deletion docs/security/data-masking/access-unmasked-data.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ Masking precedence: [Masking Exemption](/security/data-masking/access-unmasked-d
Certain roles can grant masking exemption to the users to access the unmasked data:

- Built-in roles: `Workspace Admin`, `DBA`, `Project Owner`.
- [Custom roles](/administration/roles): `bb.policies.create`, `bb.policies.update`, `bb.policies.delete`.
- [Custom roles](/administration/roles): `bb.policies.createMaskingExemptionPolicy`, `bb.policies.updateMaskingExemptionPolicy`, `bb.policies.deleteMaskingExemptionPolicy`.

To grant masking exemption:

Expand Down
5 changes: 4 additions & 1 deletion docs/security/data-masking/global-masking-rule.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,10 @@ Admins may want to batch apply masking settings globally. e.g.
Global masking rule along with [Semantic Types](/security/data-masking/semantic-types) allows you to do this. It's similar to the iptables where you configure an ordered
rule list. The first matching rule will be applied. If no rule matches, no `Semantic Type` will be applied.

`Workspace Admin` and `DBA` can set global masking rules to mask the data.
Certain roles can set global masking rules to mask the data:

- Built-in roles: `Workspace Admin`, `DBA`.
- [Custom roles](/administration/roles): `bb.policies.createMaskingRulePolicy`, `bb.policies.updateMaskingRulePolicy`, `bb.policies.deleteMaskingRulePolicy`.

1. Go to **Data Access**>**Global Masking**.
1. Click **Add**. Click **+Add condition** or **+Add condition group**, set **Semantic Type** and then click **Confirm**.
Expand Down