Masking Audit
Every data masking operation is logged to an audit trail for compliance and monitoring purposes. The MaskingAuditService records which columns were masked, for which user, and what masking type was applied. Audit logs are queryable through the MaskingAuditController.
Audit Log Fields
Each masking audit entry records:
| Field | Description |
|---|---|
id | Unique audit log identifier |
tenantId | Tenant context |
userId | User whose results were masked |
executionId | Query execution identifier |
tableName | Table containing the masked column |
columnName | Column that was masked |
maskingType | Masking algorithm applied |
classificationId | Data classification that triggered masking |
rowsAffected | Number of rows with masked values |
wasExempt | Whether the user was exempt from masking |
exemptionReason | Reason for exemption (if applicable) |
timestamp | When the masking was applied |
Querying Audit Logs
The MaskingAuditController exposes endpoints for querying masking audit history:
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/masking/audit | List masking audit logs (paginated) |
| GET | /v1/masking/audit/:executionId | Get logs for a specific query |
| GET | /v1/masking/audit/summary | Get masking statistics |
Audit Log Storage
Masking audit logs are stored in the masking_audit_log table within the Query Engine's database. The entity is defined in MaskingAuditLog.java and managed by the MaskingAuditLogRepository.
MaskingAuditLog
- id: UUID (primary key)
- tenantId: UUID
- userId: UUID
- executionId: UUID
- tableName: String
- columnName: String
- maskingType: String
- classificationId: UUID
- rowsAffected: Long
- wasExempt: Boolean
- exemptionReason: String
- createdAt: InstantCompliance Requirements
The masking audit trail supports the following compliance needs:
| Requirement | How It Is Met |
|---|---|
| Access tracking | Every masked column access is logged |
| Exemption justification | Exemptions are recorded with reasons |
| Data lineage | Audit links to query execution and classification |
| Retention | Audit logs follow tenant retention policies |
| Reporting | Summary statistics available for compliance reports |
Integration with Platform Audit
Masking audit events are forwarded to the centralized audit service via Kafka for platform-wide audit reporting. The event payload includes tenant ID, user ID, classification reference, and masking details.