> ## Documentation Index
> Fetch the complete documentation index at: https://docs.peaka.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to mask sensitive columns with tags

> Learn how to protect PII and other sensitive data in Peaka by tagging columns and applying masking rules per user group.

Column masking lets you hide or transform sensitive values — emails, phone numbers, national IDs, salaries — without changing the underlying data or writing a separate query for every audience. You classify columns with **tags**, and each tag carries **mask rules** that decide what each user group sees. Masking is enforced at query time by Peaka's query engine, so it applies everywhere the data is consumed: the Peaka Studio, the Query API, BI tools, and embedded apps.

## How it works

Three building blocks work together:

* **Tags** classify your data (for example `PII`, `Financial`, `Confidential`). Tags are defined once at the organization level and can be attached to any number of columns across your projects and catalogs.
* **Masks** define *how* a value is transformed. You can use Peaka's predefined masks or create your own with a SQL expression.
* **Mask rules** connect the two: for a given tag, a rule says which **group** of users sees the data through *which* mask.

When a query touches a tagged column, Peaka checks the querying user's groups. If one of the tag's rules targets a group the user belongs to, the column is rewritten through that mask on the fly. If no rule matches — or the tag is inactive — the column is returned **unmasked**.

<Warning>
  There is no implicit "everyone" rule: a user who is in none of the tag's rule groups sees raw values. To mask data by default, create a group that contains all regular members and give it a rule. Avoid putting the same user in multiple rule groups of one tag — only a single rule is applied.
</Warning>

## 1. Open the Tags page

Tags are managed at the organization level. In Peaka Studio's home screen, find the **ORGANIZATION** section in the left sidebar and open **Tags**. This brings you to the *Tag List* page.

Mask rules target user groups, which are managed on the same organization sidebar under **General → Groups** (Organization Settings). Create your groups — for example `support-team` — and add members before setting up rules.

## 2. Pick a mask (or create a custom one)

Peaka ships with predefined masks that cover the most common cases:

| Mask                         | What it does                                                 | Example (`jane.doe99@acme.com`)  |
| ---------------------------- | ------------------------------------------------------------ | -------------------------------- |
| Redact                       | Replaces letters with `X`/`x` and digits with `0`            | `xxxx.xxx00@xxxx.xxx`            |
| Partial Mask Show Last Four  | Masks everything except the last four characters             | `XXXXXXXXXXXXXXX.com`            |
| Partial Mask Show First Four | Masks everything except the first four characters            | `janeXXXXXXXXXXXXXXX`            |
| Nullify                      | Replaces the value with `NULL`                               | `NULL`                           |
| Unmasked                     | No masking — useful for exempting a group from a tag's rules | `jane.doe99@acme.com`            |
| Date Show Only Year          | Truncates a date to its year                                 | `2024-01-01` (from `2024-08-15`) |

If none of these fit, create a **custom mask** with a SQL expression — either from the **Manage Custom Masks** button on the Tag List page, or directly from the *Mask Type* dropdown's **+ Custom Mask** option while editing a rule. A custom mask has a *Name*, *Description*, and *Expression*. Use the `{col}` placeholder for the column and `{type}` for its data type — Peaka substitutes them at query time. For example, a mask that keeps only the email domain:

```sql theme={null}
cast(concat('***@', split_part({col}, '@', 2)) as {type})
```

## 3. Create a tag with mask rules

On the Tag List page click **New Tag**, give it a *Name* (for example `PII`) and optionally a *Description*, and add rules with **+ New Rule**. Each rule pairs a **Mask Type** with a **Group**. A typical setup:

* **Group: support-team** → *Redact* — support agents work with masked values.
* **Group: contractors** → *Nullify* — external contractors see nothing.
* Users in neither group — say, your data team — keep seeing raw values, since no rule targets them.

Keep the tag's **Status** toggle on — deactivating a tag switches off all of its masking at once, which is useful for testing.

## 4. Assign the tag to columns

Tags are attached to columns inside your project. Open the table in the **Data Model** view and click **Manage Column Tags** in the table toolbar. Add a mapping with **+ New Column Rule**, pick the *Column* and the *Tag*, and **Save** — for example the `email` and `phone` columns of your CRM catalog. A column can carry one tag; the same tag can be reused across any number of tables and catalogs.

## 5. Verify the masking

Run a query on the tagged table as different users:

```sql theme={null}
SELECT id, full_name, email, phone FROM crm.public.customers LIMIT 5
```

A member of the *support-team* group sees the masked version, while users outside the rule groups see raw values:

| id | full\_name | email                                             | phone        |
| -- | ---------- | ------------------------------------------------- | ------------ |
| 1  | Xxxx Xxx   | [xxxx.xxx00@xxxx.xxx](mailto:xxxx.xxx00@xxxx.xxx) | 000-000-0000 |

The change takes effect immediately — the next query against the tagged column is masked, with no refresh or restart needed.

## Things to keep in mind

* Masking is applied by the query engine, so it also covers downstream access paths — the Query API, BI tool connections, and embedded Peaka.
* Rules are group-based. If none of the querying user's groups has a rule for the tag, the column comes back unmasked — design your groups so that everyone who should see masked data is covered by a rule.
* Custom mask expressions run inside the query, so any Peaka SQL function is available in them.
* Masks transform values but do not remove rows. To control *which rows* a user can see, combine masking with [row-level security](/how-to-guides/how-to-implement-row-level-security).
