docs: masking excemption

Author: tianzhou

content/docs/_layout.md

@@ -183,7 +183,7 @@ expand_section_list: ['Self-host']
 
 ### [Column Masking](/security/data-masking/column-masking)
 
-### [Access Unmasked Data](/security/data-masking/access-unmasked-data)
+### [Masking Exemption](/security/data-masking/access-unmasked-data)
 
 ### [Export Masked Data](/security/data-masking/export-masked-data)
 

content/docs/security/data-masking/access-unmasked-data.md

@@ -1,15 +1,22 @@
 ---
-title: Access Unmasked Data
+title: Masking Exemption
 ---
 
-`Workspace Admin` and `DBA` can unmask the data for the users.
+<HintBlock type="info">
 
-1. Go to the project, click **Manage** > **Masking Exemptions**.
-1. Click **Grant Exemption**.
-1. Select the user and the database, and click **Confirm**.
+Masking precedence: [Masking Exemption](/security/data-masking/access-unmasked-data) > [Global Masking Rule](/security/data-masking/global-masking-rule) > [Column Masking](/security/data-masking/column-masking).
 
-   ![bb-grant-exemption](/content/docs/security/data-masking/bb-grant-exemption.webp)
+</HintBlock>
+
+Certain roles can grant masking exemption to the users to access the unmasked data:
+
+- Built-in roles: `Workspace Admin`, `DBA`, `Project Owner`.
+- [Custom roles](/docs/administration/custom-roles/): `bb.policies.create`, `bb.policies.update`, `bb.policies.delete`.
 
-1. The selected user can now access the unmasked data.
+To grant masking exemption:
 
-   ![bb-sql-editor-none-masking](/content/docs/security/data-masking/bb-sql-editor-none-masking.webp)
+1. Go to the project, click **Manage** > **Masking Exemptions**.
+1. Click **Grant Exemption**. You can grant either `Export` or `Query` exemption.
+1. Select the user/groups and the database/table, and click **Confirm**.
+
+   ![bb-grant-exemption](/content/docs/security/data-masking/bb-grant-exemption.webp)

content/docs/security/data-masking/column-masking.md

@@ -4,11 +4,11 @@ title: Column Masking
 
 <HintBlock type="info">
 
-The [global masking rule](../global-masking-rule) takes precedence over the column masking.
+Masking precedence: [Masking Exemption](/security/data-masking/access-unmasked-data) > [Global Masking Rule](/security/data-masking/global-masking-rule) > [Column Masking](/security/data-masking/column-masking).
 
 </HintBlock>
 
-In the project level, besides `Workspace Admin` and `DBA`, `Project Owner` can set table columns semantic type to mask the data. However, the [global masking rule](../global-masking-rule) takes precedence over the column masking.
+In the project level, besides `Workspace Admin` and `DBA`, `Project Owner` can set table columns semantic type to mask the data.
 
 Go to the **table detail** page, and click the **pen icon** and apply the semantic type.
 
@@ -20,4 +20,4 @@ Combined with [Semantic Types](/docs/security/data-masking/semantic-types), here
 
 However, if the global masking rule is also applied, the result will be as follows. Because the global masking rule takes precedence over the column masking.
 
-![bb-sql-editor-full-masking](/content/docs/security/data-masking/bb-sql-editor-full-masking.webp)
+![bb-sql-editor-full-masking](/content/docs/security/data-masking/bb-sql-editor-full-masking.webp)

content/docs/security/data-masking/global-masking-rule.md

@@ -4,7 +4,7 @@ title: Global Masking Rule
 
 <HintBlock type="info">
 
-The [Masking Exemption](/docs/security/data-masking/access-unmasked-data) takes precedence over the global masking rule.
+Masking precedence: [Masking Exemption](/security/data-masking/access-unmasked-data) > [Global Masking Rule](/security/data-masking/global-masking-rule) > [Column Masking](/security/data-masking/column-masking).
 
 </HintBlock>