BigQuery Data Masking Workflow Approvals in Teams

Ensuring secure access to sensitive data is crucial in any organization. When working with BigQuery, implementing a data masking workflow becomes critical for protecting private information while also maintaining flexibility for collaborators. Adding approval workflows directly in Teams creates a streamlined and transparent process to manage sensitive data requests. This post explains how to enable data masking workflows in BigQuery while embedding simple, yet powerful approval flows within Teams.


Why Data Masking in BigQuery Matters

BigQuery enables organizations to process and analyze huge datasets, but handling sensitive data like personally identifiable information (PII) or financial records requires extra caution. Data masking is a proven method to protect sensitive information by partially or fully obfuscating it. By masking data, engineers and analysts can work productively without compromising security or compliance requirements like GDPR or HIPAA.

However, when data access requests for unmasked data arise, there needs to be a well-defined approval process. Without one, risks like unauthorized access or policy violations can escalate quickly. Integrating workflow approvals in Teams ensures security policies are enforced and audit trails are maintained.


How to Set Up BigQuery Data Masking

1. Create Masked and Unmasked Views

You can define view-based masking in BigQuery to differentiate between sensitive and non-sensitive data. A masked view hides or transforms sensitive information, while an unmasked view retains the original values.

  • Create a Masked View: Define a SQL view that applies functions like SUBSTR or REPLACE to hide sensitive columns.
  • Create an Unmasked View: This unrestricted view is only made available upon approval to trusted collaborators.

For example, to mask an email:

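-- Masked view: exposes only the first three characters of each address and
-- replaces the rest, including the real domain, with a fixed placeholder.
-- A local part shorter than three characters is shown in full.
CREATE OR REPLACE VIEW `your_project.dataset.masked_view` AS
SELECT
  user_id,
  CONCAT(LEFT(email, 3), '***@gmail.com') AS email,
  signup_date
FROM `your_project.dataset.raw_table`;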

2. Set Permissions

Use BigQuery IAM roles to control access. Grant users permission to view only the masked dataset unless explicitly granted access to the unmasked data.

  • Assign roles such as roles/bigquery.dataViewer on the masked view only, so that access to the unmasked view stays restricted.
  • For unmasked access, define custom permissions or workflows.

Embed Approval Workflows in Teams

By leveraging Teams as a hub for collaboration, you can manage unmasked data access requests using a smooth, interactive approval workflow. Here’s how to implement it:

1. Use Workflow Automation Tools

Integrate platforms like Power Automate, Zapier, or Hoop.dev to create automated workflows. For Teams-specific integration, Power Automate offers direct connectors with Teams and BigQuery.

Setup Example:

  • Step 1: A user requests access to unmasked data via a Teams channel.
  • Step 2: The request triggers an approval workflow.
  • Step 3: Assigned reviewers approve or deny the access.
  • Step 4: Actions like changing user permissions in BigQuery are automated based on the decision.

2. Build Approval Steps in Teams

Use Teams’ Approvals app:

  • Define the approvers (e.g., data managers or project leads).
  • Include data request details like justification and duration.
  • Track activity logs for compliance audits.

For example:

  1. A request like, “Grant temporary access to the unmasked customer dataset for Fraud Analysis Team” is posted in Teams.
  2. Designated reviewers click “Approve” or “Deny” directly in the notification.
  3. If approved, access control changes are propagated via the automation flow.
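
One way the automation step could turn an approval outcome into BigQuery access changes, shown as an added example that is not part of the original post or of any product named in it. The unmasked view name, the 8-hour cap and the rule that a requester cannot approve their own request are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions, not from the original post: the unmasked view's name, the
# 8-hour cap, and the self-approval rule. The view is assumed to be an
# authorized view on the raw table's dataset, so a view-level grant suffices.
UNMASKED_VIEW = "your_project.dataset.unmasked_view"
ROLE = "roles/bigquery.dataViewer"
MAX_DURATION = timedelta(hours=8)
# Strict allow-list, because the address is interpolated into a DCL statement.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


@dataclass(frozen=True)
class ApprovalDecision:
    requester: str         # user asking for unmasked access
    approver: str          # reviewer who clicked Approve or Deny in Teams
    approved: bool
    justification: str
    duration: timedelta


def _member(email: str) -> str:
    # Return a quoted IAM member; reject anything that is not a plain address.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError(f"rejected principal: {email!r}")
    return f'"user:{email}"'


def plan_access_change(d: ApprovalDecision, now: datetime) -> dict:
    """Turn one approval outcome into GRANT/REVOKE statements and an expiry."""
    requester = _member(d.requester)
    _member(d.approver)  # the approver must also be a well-formed address
    if not d.approved:
        return {"grant": None, "revoke": None, "expires_at": None}
    if d.requester.lower() == d.approver.lower():
        raise ValueError("requester cannot approve their own request")
    if not d.justification.strip():
        raise ValueError("justification is required")
    if not timedelta(0) < d.duration <= MAX_DURATION:
        raise ValueError("duration outside the allowed window")
    target = f"ON VIEW `{UNMASKED_VIEW}`"
    return {
        "grant": f"GRANT `{ROLE}` {target} TO {requester};",
        "revoke": f"REVOKE `{ROLE}` {target} FROM {requester};",  # run at expires_at
        "expires_at": now + d.duration,
    }
```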

3. Use Audit Logs

Teams automatically stores approvals and comments, ensuring an auditable trail of decisions—essential for compliance.


Key Benefits of Combining BigQuery and Teams for Approvals

  • Centralized Communication: No need for endless email threads. Teams keeps requests and decisions in one place.
  • Improved Collaboration: Direct integration reduces back-and-forth, helping decisions happen faster.
  • Policy Compliance: Embedded approvals maintain strict access control for sensitive datasets.
  • Scalable Automation: Approving dozens (or hundreds) of requests becomes manageable with consistent workflows.

Build Your Approval Workflow Today

BigQuery data masking with Teams-based approvals ensures sensitive information stays secure while maintaining productivity. Whether you're handling financial records, healthcare data, or customer information, this approach simplifies governance and keeps everything compliant.

With Hoop.dev, you can set up and see this workflow live in minutes. Use our platform to design automated workflows that incorporate approvals, access changes, and audit logging for cloud-based datasets. Take control of your data access processes—starting today.
