An approach is provided for masking data. A determination is made whether an action initiated by an authenticated user corresponds to one of a plurality of policies stored in a policy store, wherein the policies relate to whether data to be retrieved from a data source is to be masked. A new policy is generated if no match is found in the policy store. Information associated with the new policy is received, wherein the information is input by the user. The new policy is stored in the policy store.