diff --git a/.github/workflows/bb-masking-3.yml b/.github/workflows/bb-masking-3.yml
index ce10e21..0eb77e2 100644
--- a/.github/workflows/bb-masking-3.yml
+++ b/.github/workflows/bb-masking-3.yml
@@ -63,12 +63,12 @@ jobs:
           CHANGED_FILE="masking/data-classification.json"
           echo "Processing: $CHANGED_FILE"
           
-          response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/settings/bb.workspace.data-classification?allow_missing=true" \
+          response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/settings/bb.workspace.data-classification" \
             --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \
             --header "Content-Type: application/json" \
             --data @"$CHANGED_FILE")
 
-          # Extract status code and response body
+          # Extract status code and response body 
           status_code=$(echo "$response" | tail -n1)
           body=$(echo "$response" | sed '$d')
           
@@ -84,13 +84,13 @@ jobs:
 
       - name: Apply global masking rule
         id: apply-global-masking-rule
-        if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, '/global-masking-rule.json') }}
+        if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule.json') }}
         run: |
           # Process all global-masking-rule.json files
           echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "global-masking-rule.json" | while read -r CHANGED_FILE; do
             echo "Processing: $CHANGED_FILE"
             
-            response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/settings/bb.workspace.global-masking-rule?allow_missing=true" \
+            response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/policies/masking_rule?allow_missing=true&update_mask=payload" \
               --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \
               --header "Content-Type: application/json" \
               --data @"$CHANGED_FILE")
@@ -103,11 +103,14 @@ jobs:
             echo "Response body: $body"
             
             # Append to outputs (with unique identifiers)
-            echo "${body}" >> $GITHUB_OUTPUT
-            echo "EOF" >> $GITHUB_OUTPUT
-            
-            if [[ $status_code -lt 200 || $status_code -ge 300 ]]; then
+            if [[ $status_code -ge 200 && $status_code -lt 300 ]]; then
+              echo "${body}" >> $GITHUB_OUTPUT
+            else
               echo "Failed with status code: $status_code"
+              echo "Response body: ${body}"
+              if [[ $status_code -eq 403 ]]; then
+                echo "Access denied. Please check your permissions and API token."
+              fi
               exit 1
             fi
           done
@@ -119,7 +122,7 @@ jobs:
         with:
           script: |
             const changedFiles = process.env.CHANGED_FILES || '';
-            let commentBody = `### Masking Policy Update 2 Summary\n\n`;
+            let commentBody = `### Masking Policy Update 3 Summary\n\n`;
             
             // Add status of merge
             commentBody += `✅ **PR Status:** Merged\n\n`;