What's my plan?
All Suites Enterprise or Enterprise Plus
Support Enterprise

Verified AI summary ◀▼

Enable data masking to protect end-user PII like names, emails, and phone numbers for agents in custom roles. Before activation, assess roles and tasks to ensure proper access. You can also modify messaging ticket subject lines to hide user names. Deactivating data masking restores access to previously hidden information. Regularly review and adjust settings to align with your data protection needs.

Note: The features described in this article are currently available in an early access program (EAP). To learn more, see the Data masking EAP community page. You can sign up for the EAP here.

As described in About data masking, customers with Enterprise plans can mask end-user data to protect access to personally identifiable information (PII).

The data masking feature allows you to mask end-user names, phone numbers, and email addresses for agents in custom roles.

This article includes the following topics:
  • Considerations before turning on data masking
  • Turning on data masking
  • Removing end-user names from the subject line of messaging tickets
  • Turning off data masking

Considerations before turning on data masking

  • Define which custom roles require data masking. Configure masking permissions based on the principle of least privilege, ensuring only those who truly need access to PII can see it. You may want to create dedicated roles specifically designed to restrict access to PII.
  • Data masking can significantly affect an agent’s ability to access and interact with end-user information. Before turning on data masking for a custom role, carefully evaluate the tasks and responsibilities of the agents assigned to that role, and ensure agents are assigned to the correct roles when toggling data masking on or off. See Understanding how data masking limits what an agent can do.
  • Carefully select which fields and data types (names, email addresses, or phone numbers) should be masked. Regularly review and update the list to reflect any changes in data collection or business processes.
  • Before rolling out changes broadly, test with sample roles and users to verify that masking rules are working as intended across all relevant interfaces (for example, views, tickets, Guide, reporting, and APIs).

  • Provide clear guidance or documentation so admins and agents understand what is masked and why.

Turning on data masking

Zendesk admins and agents with permission to manage custom roles can turn on data masking for agents in custom roles.

To turn on data masking

  1. In Admin Center, click People in the sidebar, then select Team > Roles.
  2. On the role you want to turn data masking on for, click the options icon () and select Edit.
  3. In the Data masking section, select the Mask checkbox for each end-user field you want to mask for agents in this role.

  4. Click Save.

    An acknowledgment page displays, listing the permission changes that will take effect after clicking Save. These changes are required to prevent agents in this role from accessing the selected end-user fields.

    Additional considerations are also provided:
    • To prevent agents from accessing sensitive data in reports, Explore permissions will be set to No access for roles with data masking turned on.
    • The subject line in the messaging ticket template may include end user names. To secure the PII there, set the messaging template subject line to Conversation with {end user ID}. See Removing end-user names from the subject line of messaging tickets.


  5. Select the statements on the acknowledgment page, then click Save.
  6. Repeat these steps for any other roles you wish to turn on data masking for.

Removing end-user names from the subject line of messaging tickets

By default, new messaging tickets include the end user's name in the subject line (for example, "Conversation with Jane Smith"). If you turned on data masking to hide end-user names, you may want to update the subject line to display the end-user ID instead (for example, "Conversation with 5083543234201"). This option is available when data masking is turned on for at least one role and applies to new tickets only.

You can change the subject line back to show the user name instead of the ID. However, doing so only applies to new messaging tickets. The subject line on existing tickets won't change.

When you update the messaging subject line, it applies to all agents. The subject line can't be updated for specific roles.

To remove end-user names from the subject line of messaging tickets

  1. In Admin Center, click Channels in the sidebar, then select Messaging and social > Messaging.
  2. Click Manage settings.
  3. In the Tickets section, expand the Ticket subject line when data is masked option.
  4. Select Conversation with {end user ID}.


  5. Click Save settings.

Turning off data masking

After you turn off data masking for a custom role, team members assigned to that role can view previously masked PII. In addition, permissions that were previously locked to protect PII become editable again.

To turn off data masking

  1. In Admin Center, click People in the sidebar, then select Team > Roles.
  2. On the role you want to turn data masking off for, click the options icon () and select Edit.
  3. In the Data masking section, deselect the Mask checkbox for all user fields.
  4. Click Save.

    An acknowledgment page displays, listing all the changes that will occur after turning off data masking for this role.



  5. Select the statements on the acknowledgment page, then click Save.
Powered by Zendesk