
Column Access Policies

Column Access Policies are security policies enabling ALTR administrators to define masking rules for columnar data. ALTR enforces column access policies by failing, masking, or NULLing query results for data users. Column Access Policies are managed on the Column Access Policy page of ALTR's interface, Data Policy > Locks > Column Access.

Every column access policy defines at least one actor, data, and masking policy. These relationships determine if and how result sets are returned when data is accessed. When defining a column access policy, users specify:

  • A name for the policy (cosmetic).

  • A list of User Groups that are affected by the policy (user groups map to roles). If a user group is not included in a policy, they will receive NULL values when accessing the indicated data.

  • A list of columns or tags that are affected by the policy.

    • If a policy is applied to a tag, it will affect all columns associated with that tag.

  • A masking strategy for each column and/or tag.

    • This masking strategy dictates what transformation, if any, occurs to result sets when data is queried. If a particular query is affected by multiple policies or masking strategies, the most permissive masking strategy is enforced.

Tag-Based Column Access Policies

Tag-based policies enable customers to easily apply masking rules to many columns through a small number of tags. To define a tag-based policy, indicate a list of tags to be affected by the policy instead of columns. When a tag-based policy is in effect, ALTR automatically applies the relevant masking rules to all columns assigned that tag.

Note

Tag-Based policies only affect columns already monitored by ALTR. For Snowflake, this occurs automatically if the relevant Snowflake Object Tag is connected to ALTR. For more information, see the Snowflake Integration documentation.

Create Column Access Policies in ALTR

Column Access Policies are managed on the Column Access tab in the Locks page.

To create a column access policy:

  1. Click Data Policy > Locks > Column Access in the Navigation menu.

  2. Click the Add New button.

  3. Enter a (cosmetic) Lock Name.

  4. Select an Application. This list box displays all driver applications configured in ALTR.

  5. Select the ALTR User Groups (typically roles) that the policy affects.

    Note

    If a User Group is not included in a policy, they receive NULL values when querying data protected by ALTR.

  6. Click the Tag or the Column toggle to define the User Group's level of access.

  7. If creating a Tag policy, indicate how the masking policy is applied. There are two options:

    • Tag Name and Value—applies the masking policy to the tag name-value pair, enabling you to set different policies on different tag values

    • Tag Name only—applies the masking policy to only the tag name; access is the same for all values associated with the tag

    The default option is Tag Name and Value. Refer to the examples for use cases on each option.

  8. Select the Masking Policy. Whenever a user in the User Group queries this data, the results are masked using this strategy.

    Note

    If a user group is assigned multiple masking strategies for a single column or tag across different locks, ALTR enforces whichever strategy is most permissive. Refer to Column Access Policy for more information.

  9. Click the +Add Another link to add all columns or tags for this policy.

  10. Click the Add Lock button.

Once a column access policy is created, it is immediately in effect. All queries against the columns or tags protected by the policy will control data access using the rules you specified.

Tag Usage Examples

The following are use cases for each option when defining locks directly on tags:

Tag Name and Value

Use this option when you want to set up specific, complex, or granular policies. Let's say you have two different kinds of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. You can then set a different policy on phone numbers that applies no mask and grants access to anyone in the company.

Tag Name only

Use this option to control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag. For example, set a policy to mask all salary data and grant access to only the CFO. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.

Masking Strategies for Column Access Policies

ALTR supports multiple out-of-the-box masking strategies for Column Access Policies, as well as the ability to customize masking behavior. These strategies include:

  • No Mask: users can see the data in cleartext. This is available to all data types.

  • Last4: users can only access the last four characters of data. This is only available for Strings.

  • Email mask: users can only access data to the right of the at sign (@). This is only available for Strings.

  • Full Mask: users can only see the length of data. This is only available for Strings.

  • Constant Mask: data is replaced with a static value; no useful information is returned. This is available for Strings, Numbers, and Datetimes.

Conflicting Masking Strategies

Multiple Column Access Policies may result in conflicting masking strategies, where one User Group may be assigned more than one masking strategy for a particular column or tag. If a conflict exists, ALTR will enforce the most permissive policy when a user from that group accesses the column or tag.

Example 1: One policy specifies that users with the ACCOUNTADMIN role can access the SSN column with a Full Mask, but a second policy specifies that the ACCOUNTADMIN role can access the SSN column with a Last4 mask. In this scenario, any users querying the data as ACCOUNTADMIN will have the Last4 mask applied when they query the SSN column.

Example 2: One policy specifies that the SYSADMIN role can access the PII tag with No Mask. Because the PUBLIC role was not included in the policy, the policy would replace PUBLIC's access with NULL values. However, if a second policy specifies that the PUBLIC role can access the PII tag with a Full Mask, any user leveraging the PUBLIC role will get masked access to data when querying columns associated with the PII tag.

Table 1. Ranking of ALTR Masking Strategies for Conflict Resolution

  1. No Mask (most permissive)

  2. Last 4

  3. Email

  4. Full Mask

  5. Constant Mask (least permissive)
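
The conflict-resolution rules and Table 1 above, modeled as an added example for auditing a set of locks before deployment; this is not ALTR's code. `Lock`, `covers`, `effective_strategy`, the column names and the sample locks are hypothetical names and constructed data, and returning `None` for a column that no lock covers is an assumption of this model.

```python
# Added model of the rules on this page; not ALTR code. Lock, covers,
# effective_strategy and the sample locks are hypothetical/constructed.
from dataclasses import dataclass
from typing import Optional

# Table 1 ranking, most permissive first.
RANKING = ["No Mask", "Last4", "Email", "Full Mask", "Constant Mask"]
NULL = "NULL"  # result for a user group that no covering lock names

@dataclass(frozen=True)
class Lock:
    user_groups: frozenset
    strategy: str
    column: Optional[str] = None     # column lock target
    tag: Optional[str] = None        # tag lock: tag name
    tag_value: Optional[str] = None  # None models the "Tag Name only" option

    def covers(self, column, tags):
        """True if the lock protects `column` directly or through its tags."""
        if self.column is not None:
            return self.column == column
        if self.tag not in tags:
            return False
        return self.tag_value is None or tags[self.tag] == self.tag_value

def effective_strategy(locks, group, column, tags):
    """Strategy enforced for `group` on `column`; `tags` maps tag name to value.

    None: no lock covers the column (outside this model). NULL: locks cover
    it but none names the group. Otherwise: the most permissive grant.
    """
    covering = [lk for lk in locks if lk.covers(column, tags)]
    if not covering:
        return None
    granted = [lk.strategy for lk in covering if group in lk.user_groups]
    return min(granted, key=RANKING.index) if granted else NULL

# Constructed locks mirroring Example 1 (column) and Example 2 (tag).
LOCKS = [
    Lock(frozenset({"ACCOUNTADMIN"}), "Full Mask", column="SSN"),
    Lock(frozenset({"ACCOUNTADMIN"}), "Last4", column="SSN"),
    Lock(frozenset({"SYSADMIN"}), "No Mask", tag="PII"),
    Lock(frozenset({"PUBLIC"}), "Full Mask", tag="PII"),
]

if __name__ == "__main__":
    pii = {"PII": "email"}  # constructed tag assignment for an EMAIL column
    print(effective_strategy(LOCKS, "ACCOUNTADMIN", "SSN", {}))   # Last4
    print(effective_strategy(LOCKS[:3], "PUBLIC", "EMAIL", pii))  # NULL
    print(effective_strategy(LOCKS, "PUBLIC", "EMAIL", pii))      # Full Mask
```

Because resolution always takes the most permissive grant, adding a stricter lock for a group never reduces what that group already sees; tightening access means changing or removing the more permissive lock.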