How to check which database roles can see `masked` columns?

In SQL Server 2016 SP1 standard edition we can use dynamic-data-masking . The masking of data is controlled using the built-in security, for example: REVOKE UNMASK TO user_who_cannot_see_senstive_data Of course, this is not working for the users who are members of the db_owner database role. Is there a list with security roles or cases showing when the REVOKE UNMASK is going to work? I have found a database engine permissions but it's too complicated and does not seem to show when data cannot be masked from a user.