Column Masking
Inject SQL-level column masking based on sensitivity and user role. Masks are applied at query time — base tables remain unmasked for admin access.
Role Hierarchy
Default Access
| Role |
Can See |
| viewer |
internal only |
| editor |
internal, restricted |
| admin |
internal, restricted, sensitive, pii |
Masking Strategies
| Sensitivity |
Columns |
Strategy |
| pii |
email |
regexp_replace(col, '(.).*@(.*)', '\1***@\2') |
| pii |
phone |
regexp_replace(col, '(\d{3})\d{4}(\d{2})', '\1****\2') |
| pii |
default |
concat(left(col, 2), '****') |
| sensitive |
credit_card |
concat('****-****-****-', right(col, 4)) |
| sensitive |
default |
'[REDACTED - SENSITIVE]' |
| restricted |
default |
'[REDACTED - RESTRICTED]' |
CLI Usage
# Preview masking for a role
KelpMesh security mask --table users --columns email,phone,ssn --role viewer