Merge pull request #18935 from WilliamDAssafMSFT/20210324-ddm-exttab

20210324 document DDM External table feature incompatibility

Author: PRMerger13

docs/relational-databases/security/dynamic-data-masking.md

@@ -1,13 +1,12 @@
 ---
-title: "Dynamic Data Masking | Microsoft Docs"
+title: "Dynamic Data Masking"
 description: Learn about dynamic data masking, which limits sensitive data exposure by masking it to non-privileged users. It can greatly simplify security in SQL Server.
-ms.date: "05/02/2019"
+ms.date: "03/24/2021"
 ms.prod: sql
 ms.prod_service: "database-engine, sql-database, synapse-analytics"
 ms.reviewer: ""
 ms.technology: security
 ms.topic: conceptual
-ms.assetid: a62f4ff9-2953-42ca-b7d8-1f8f527c4d66
 author: VanMSFT
 ms.author: vanto
 monikerRange: "=azuresqldb-current||=azure-sqldw-latest||>=sql-server-2016||>=sql-server-linux-2017||=azuresqldb-mi-current"
@@ -19,7 +18,7 @@ monikerRange: "=azuresqldb-current||=azure-sqldw-latest||>=sql-server-2016||>=sq
 
 Dynamic data masking (DDM) limits sensitive data exposure by masking it to non-privileged users. It can be used to greatly simplify the design and coding of security in your application.  
 
-Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to specify how much sensitive data to reveal with minimal impact on the application layer. DDM can be configured on designated database fields to hide sensitive data in the result sets of queries. With DDM the data in the database is not changed. Dynamic data masking is easy to use with existing applications, since masking rules are applied in the query results. Many applications can mask sensitive data without modifying existing queries.
+Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to specify how much sensitive data to reveal with minimal impact on the application layer. DDM can be configured on designated database fields to hide sensitive data in the result sets of queries. With DDM the data in the database is not changed. DDM is easy to use with existing applications, since masking rules are applied in the query results. Many applications can mask sensitive data without modifying existing queries.
 
 * A central data masking policy acts directly on sensitive fields in the database.
 * Designate privileged users or roles that do have access to the sensitive data.
@@ -80,6 +79,8 @@ WHERE is_masked = 1;
 -   A mask cannot be configured on a computed column, but if the computed column depends on a column with a MASK, then the computed column will return masked data.  
 
 -   A column with data masking cannot be a key for a FULLTEXT index.  
+
+-   A column in a PolyBase [external table](../../t-sql/statements/create-external-table-transact-sql.md).
 
  For users without the **UNMASK** permission, the deprecated **READTEXT**, **UPDATETEXT**, and **WRITETEXT** statements do not function properly on a column configured for Dynamic Data Masking. 
 
@@ -116,18 +117,18 @@ It is important to properly manage the permissions on the database, and to alway
 ```sql
 
 -- schema to contain user tables
-CREATE SCHEMA Data
+CREATE SCHEMA Data;
 GO
 
 -- table with masked columns
 CREATE TABLE Data.Membership(
-	MemberID		int IDENTITY(1,1) NOT NULL PRIMARY KEY CLUSTERED,
-	FirstName		varchar(100) MASKED WITH (FUNCTION = 'partial(1, "xxxxx", 1)') NULL,
-	LastName		varchar(100) NOT NULL,
-	Phone			varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,
-	Email			varchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
-	DiscountCode	smallint MASKED WITH (FUNCTION = 'random(1, 100)') NULL
-	)
+    MemberID        int IDENTITY(1,1) NOT NULL PRIMARY KEY CLUSTERED,
+    FirstName        varchar(100) MASKED WITH (FUNCTION = 'partial(1, "xxxxx", 1)') NULL,
+    LastName        varchar(100) NOT NULL,
+    Phone            varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,
+    Email            varchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
+    DiscountCode    smallint MASKED WITH (FUNCTION = 'random(1, 100)') NULL
+    );
 
 -- inserting sample data
 INSERT INTO Data.Membership (FirstName, LastName, Phone, Email, DiscountCode)

docs/t-sql/statements/create-external-table-transact-sql.md

@@ -100,7 +100,7 @@ The one to three-part name of the table to create. For an external table, SQL st
 > For best performance, if the external data source driver supports a three-part name, it is strongly recommended to provide the three-part name.  
 
 \<column_definition> [ ,...*n* ]
-CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability and collation. You can't use the DEFAULT CONSTRAINT on external tables.
+CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability, and collation. You can't use the DEFAULT CONSTRAINT on external tables.
 
 The column definitions, including the data types and number of columns, must match the data in the external files. If there's a mismatch, the file rows will be rejected when querying the actual data.
 
@@ -220,6 +220,7 @@ Constructs and operations not supported:
 
 - The DEFAULT constraint on external table columns
 - Data Manipulation Language (DML) operations of delete, insert, and update
+- [Dynamic Data Masking](../../relational-databases/security/dynamic-data-masking.md) on external table columns
 
 ### Query limitations
 
@@ -240,7 +241,7 @@ The following data types cannot be used in PolyBase external tables:
 - `text`
 - `nText`
 - `xml`
-- Any user defined type
+- Any user-defined type
 
 ## Locking
 
@@ -657,7 +658,7 @@ The one to three-part name of the table to create. For an external table, SQL st
 > For best performance, if the external data source driver supports a three-part name, it is strongly recommended to provide the three-part name.
 
 \<column_definition> [ ,...*n* ]
-CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability and collation. You can't use the DEFAULT CONSTRAINT on external tables.
+CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability, and collation. You can't use the DEFAULT CONSTRAINT on external tables.
 
 > [!NOTE]
 > `Text`, `nText` and `XML` are not supported data types for columns in external tables for Azure SQL Database.
@@ -712,8 +713,9 @@ Constructs and operations not supported:
 
 - The DEFAULT constraint on external table columns
 - Data Manipulation Language (DML) operations of delete, insert, and update
+- [Dynamic Data Masking](../../relational-databases/security/dynamic-data-masking.md) on external table columns
 
-Only literal predicates defined in a query can be pushed down to the external data source. This is unlike linked servers and accessing where predicates determined during query execution can be used, i.e. when used in conjunction with a nested loop in a query plan. This will often lead to the whole external table being copied locally and then joined to.
+Only literal predicates defined in a query can be pushed down to the external data source. This is unlike linked servers and accessing where predicates determined during query execution can be used, that is, when used in conjunction with a nested loop in a query plan. This will often lead to the whole external table being copied locally and then joined to.
 
 ```sql
   \\ Assuming External.Orders is an external table and Customer is a local table.
@@ -742,7 +744,7 @@ The following data types cannot be used in PolyBase external tables:
 - `text`
 - `nText`
 - `xml`
-- Any user defined type
+- Any user-defined type
 
 ## Locking
 
@@ -849,7 +851,7 @@ The one to three-part name of the table to create. For an external table, only t
 > For best performance, if the external data source driver supports a three-part name, it is strongly recommended to provide the three-part name.
 
 \<column_definition> [ ,...*n* ]
-CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability and collation. You can't use the DEFAULT CONSTRAINT on external tables.
+CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability, and collation. You can't use the DEFAULT CONSTRAINT on external tables.
 
 > [!NOTE]
 > `Text`, `nText` and `XML` are not supported data types for columns in external tables for Azure SQL Warehouse.
@@ -968,6 +970,7 @@ Constructs and operations not supported:
 
 - The DEFAULT constraint on external table columns
 - Data Manipulation Language (DML) operations of delete, insert, and update
+- [Dynamic Data Masking](../../relational-databases/security/dynamic-data-masking.md) on external table columns
 
 ### Query limitations
 
@@ -988,7 +991,7 @@ The following data types cannot be used in PolyBase external tables:
 - `text`
 - `nText`
 - `xml`
-- Any user defined type
+- Any user-defined type
 
 ## Locking
 
@@ -1114,7 +1117,7 @@ The one to three-part name of the table to create. For an external table, Analyt
 > For best performance, if the external data source driver supports a three-part name, it is strongly recommended to provide the three-part name.
 
 \<column_definition> [ ,...*n* ]
-CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability and collation. You can't use the DEFAULT CONSTRAINT on external tables.
+CREATE EXTERNAL TABLE supports the ability to configure column name, data type, nullability, and collation. You can't use the DEFAULT CONSTRAINT on external tables.
 
 The column definitions, including the data types and number of columns, must match the data in the external files. If there's a mismatch, the file rows will be rejected when querying the actual data.
 
@@ -1225,6 +1228,7 @@ Constructs and operations not supported:
 
 - The DEFAULT constraint on external table columns
 - Data Manipulation Language (DML) operations of delete, insert, and update
+- [Dynamic Data Masking](../../relational-databases/security/dynamic-data-masking.md) on external table columns
 
 ### Query limitations
 
@@ -1247,7 +1251,7 @@ The following data types cannot be used in PolyBase external tables:
 - `text`
 - `nText`
 - `xml`
-- Any user defined type
+- Any user-defined type
 
 ## Locking