Hi experts, 

Am new to DLP. trying out the possibilities of usage in our Org.

Use-case:
Our primary intended use-case is to be able to de-identify(by masking) all the documents in our cloud storage buckets of a project for PII, PCI and other sensitive information covered by the DLP infotypes. If our application service account needs to access the objects in the bucket, it should be able to read clear values in the JSON files, csv files etc. But people accessing the buckets through AD groups, should see masked values.

My question: 
What is a good(simple) solution architecture to enable this set-up/use-case?