Manage Columns
Connecting a column to ALTR enables you to enforce data access governance and advanced data security on that column. Connected Columns are managed on the
→ → page. Use this page to:
Connect columns to ALTR
Disconnect columns from ALTR
Update metadata about columns connected to ALTR
View a list of columns connected to ALTR
Indicate columns that contain tokens
Indicate columns that are encrypted
A column that is connected to ALTR invokes ALTR's cloud-based access control when it is queried. This process enables ALTR to apply data access rules on the column, enforce detokenization policy, and monitor and log access to the column. Refer to ALTR's Integration Documentation for details on how this manifests for different data sources.
To connect a column:
Click → in the Navigation menu.
Click the Columns tab.
Click Connect Column.
Select the Data Source the column resides in.
Determine if you are connecting the column from a table or a view. By default, columns are connected from a table. Click the Views tab to connect from a view. Learn more.
Select the Schema.
Select the Table or View the column resides in.
Select the Column.
Enter a Name for the column.
For Do you have encryption or tokenization applied to this column?, select
No, if this column is not tokenized or encrypted and continue to the next step.
Yes, if this column is tokenized or encrypted.
Note
If this column is tokenized, ensure all values for this column are tokenized and select Tokenization from the Advanced Data Protection dropdown. Learn more.
If this column is encrypted, ensure the column has been encrypted in Snowflake and select Format-Preserving Encryption from the Advanced Data Protection dropdown. Select the Key, Tweak and Alphabet Type. Learn more.
Click
.
This page provides information about using ALTR to govern views in Snowflake. ALTR can govern views (which support basic column access and masking) as part of your data security needs. A view allows a query result to be accessed as if it were a table.
You can use views in situations where you might want to see data that's combined or separated.
Views enable you to:
Identify and connect columns to ALTR that exist in Snowflake Views
Apply column access policies and masking rules to those columns
This section provides the steps to govern data in a View. You will need to grant the appropriate Service User permissions for ALTR to identify and govern data in a view. Learn more.
A few notes:
After you run the newest stored procedure, any newly connected databases will be able to operate on views shortly afterward.
It might take up to three days for ALTR to identify view information for Snowflake databases that are already connected.
Similar to tables, columns in views must be connected to ALTR before they can be included in governance policies. To govern a column in a Snowflake view, follow the steps below.
From the Data Management page, click the Add New button.
In the resulting form, select a Snowflake database.
Next, click the View tab. This will enable you to identify a specific column to connect by selecting the schema and view for that column.
Click Connect. Once a column in a Snowflake view is connected to ALTR, then it can be included in column access policies just like columns from tables.
Note
Columns in views can also be governed through our Management API. Learn more.
Views in Snowflake inherit the governance policies of their base tables, so if you query data in a view, Snowflake will still apply any Dynamic Data Masking Policies and/or Row Access Policies assigned to the view's base table. Because of this, it's usually much simpler to apply governance rules once to the data in tables and leverage this functionality to prevent an explosion of masking policies.
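The inheritance described above can be confirmed in Snowflake itself. The following is an added example, not part of ALTR's documentation; the database, schema, table, view, policy and role names (DEMO_DB, HR, EMPLOYEES, EMPLOYEE_CONTACTS_V, EMAIL_MASK, PII_READER, ANALYST) are hypothetical.

```sql
-- Hypothetical objects and roles; adjust to your own account.
-- 1. Define one masking policy and attach it to the base table column only.
CREATE OR REPLACE MASKING POLICY DEMO_DB.HR.EMAIL_MASK
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
    ELSE '***MASKED***'
  END;

ALTER TABLE DEMO_DB.HR.EMPLOYEES
  MODIFY COLUMN EMAIL SET MASKING POLICY DEMO_DB.HR.EMAIL_MASK;

-- 2. Create a view over the table. No policy is attached to the view.
CREATE OR REPLACE VIEW DEMO_DB.HR.EMPLOYEE_CONTACTS_V AS
  SELECT EMPLOYEE_ID, EMAIL
  FROM DEMO_DB.HR.EMPLOYEES;

GRANT USAGE ON DATABASE DEMO_DB TO ROLE ANALYST;
GRANT USAGE ON SCHEMA DEMO_DB.HR TO ROLE ANALYST;
GRANT SELECT ON VIEW DEMO_DB.HR.EMPLOYEE_CONTACTS_V TO ROLE ANALYST;

-- 3. Query through the view as a role that is not allowed to see the value.
--    The base table's policy is still evaluated, so EMAIL comes back masked.
USE ROLE ANALYST;
SELECT EMPLOYEE_ID, EMAIL
FROM DEMO_DB.HR.EMPLOYEE_CONTACTS_V
LIMIT 5;

-- 4. As a role that can see the policy, list where it is attached.
--    Expect a single reference: the EMAIL column of the base table.
SELECT REF_ENTITY_NAME, REF_ENTITY_DOMAIN, REF_COLUMN_NAME
FROM TABLE(
  DEMO_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(
    POLICY_NAME => 'DEMO_DB.HR.EMAIL_MASK'
  )
);
```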
Use Cases that Might Warrant Creating Governance Policies on Views
Use Case 1) Databases created from Snowflake Shares where Snowflake limits the application of masking policies
To govern data within a share, you can create a separate database with views that select from the shared database. You can then leverage ALTR to govern access to these views while preventing users from querying the share database directly.
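One way to lay out the Snowflake side of this use case, as an added example that is not part of ALTR's documentation. SHARED_SALES (a database created from an inbound share), GOVERNED_SALES, the ORDERS schema, the view and column names, and the VIEW_OWNER and ANALYST roles are all hypothetical.

```sql
-- Hypothetical names throughout. Run the grants as a role allowed to manage
-- privileges on SHARED_SALES (for example, the role that created it).

-- 1. Only the role that owns the views may read the shared database directly.
GRANT IMPORTED PRIVILEGES ON DATABASE SHARED_SALES TO ROLE VIEW_OWNER;
-- Remove direct access from consumer roles if it was granted earlier.
REVOKE IMPORTED PRIVILEGES ON DATABASE SHARED_SALES FROM ROLE ANALYST;

-- 2. Build a separate local database whose views select from the share.
USE ROLE VIEW_OWNER;  -- assumed to hold CREATE DATABASE on the account
CREATE DATABASE IF NOT EXISTS GOVERNED_SALES;
CREATE SCHEMA IF NOT EXISTS GOVERNED_SALES.ORDERS;

CREATE OR REPLACE VIEW GOVERNED_SALES.ORDERS.CUSTOMER_ORDERS_V AS
  SELECT ORDER_ID, CUSTOMER_EMAIL, ORDER_TOTAL
  FROM SHARED_SALES.ORDERS.CUSTOMER_ORDERS;

-- 3. Consumers get the view only. A view runs with its owner's privileges on
--    the underlying objects, so ANALYST needs no grant on SHARED_SALES.
GRANT USAGE ON DATABASE GOVERNED_SALES TO ROLE ANALYST;
GRANT USAGE ON SCHEMA GOVERNED_SALES.ORDERS TO ROLE ANALYST;
GRANT SELECT ON VIEW GOVERNED_SALES.ORDERS.CUSTOMER_ORDERS_V TO ROLE ANALYST;

-- 4. Check for bypass paths: ANALYST, and any role ANALYST inherits from,
--    must not appear as a grantee on the shared database.
SHOW GRANTS ON DATABASE SHARED_SALES;
SHOW GRANTS TO ROLE ANALYST;

-- 5. Connect the view's columns (CUSTOMER_EMAIL, for instance) to ALTR from
--    the Views tab as described on this page, then add them to a policy.
```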
Use Case 2) Materialized Views
Snowflake does not allow materialized views to select from base tables that include Dynamic Data Masking Policies or Row Access Policies. In this scenario, you can leverage ALTR to directly govern the materialized view while preventing users from querying the share database directly.
Use Case 3) Organizations that require different access rules for the same data within a Snowflake account or database
If your organization has a data consumption paradigm that involves a single role having different access to a dataset based on what view it is selecting, then this can be accomplished by using ALTR to govern the view directly.
To disconnect a column:
Select → → in the Navigation menu.
Select the column you wish to disconnect.
Click the Disconnect Column button.
Warning
Before force disconnecting a column, consult ALTR Support.
Force disconnecting columns could have a negative impact on your source system if you do not fully understand your data and this feature.
Force disconnect a column if you are unable to disconnect the column as expected. This action ignores any errors encountered during the disconnect process. Use great caution with this feature because it cannot be undone.
Reasons to force disconnect columns include:
Column no longer exists in your source system
Service user's privileges have been decommissioned
ALTR could not connect to Snowflake
To force disconnect a column:
Select → → in the Navigation menu.
Select the column you wish to disconnect.
Click the Disconnect Column button.
Click the Trouble Disconnecting? link.
Click the Force Disconnect Column button.
Click the Force Disconnect Column button.
Review your source system and clean up any objects left behind.