Skip to main content

Manage Columns

Connecting a column to ALTR enables you to enforce data access governance and advanced data security on that column. Connected Columns are managed on the Data ConfigurationData ManagementColumns page.

Use this page to

  • Connect columns to ALTR

  • Disconnect columns from ALTR

  • Update metadata about columns connected to ALTR

  • View a list of columns connected to ALTR

  • Indicate columns that contain tokens

  • Indicate columns that are encrypted

A column that is connected to ALTR invokes ALTR's cloud-based access control when it is queried. This process enables ALTR to apply data access rules on the column, enforce detokenization policy, and monitor and log access to the column. Refer to ALTR's Integration Documentation for details on how this manifests for different data source.

To connect a column:

  1. Click Data ConfigurationData Management in the Navigation menu.

  2. Click the Columns tab.

  3. Click Connect Column

  4. Select the Data Source the column resides in.

  5. Determine if you are connecting the column from a table or a view. By default, columns are connected from a table. Click the Views tab to connect from a view. Learn more.

  6. Select the Schema.

  7. Select the Table or View the column resides in.

  8. Select the Column.

  9. Enter a Name for the column.

  10. For Do you have encryption or tokenization applied to this column?, select

    1. No, if this column is not tokenized or encrypted and continue to the next step.

    2. Yes, if this column is tokenized or encrypted.

      Note

      If this column is tokenized, ensure all values for this column are tokenized and select Tokenization from the Advanced Data Protection dropdown. Learn more.

      If this column is encrypted, ensure the column has been encrypted in Snowflake and select Format-Preserving Encryption from the Advanced Data Protection dropdown. Select the Key, Tweak and Alphabet Type. Learn more.

  11. Click Connect Column.

This page provides information about using ALTR to govern views in Snowflake. ALTR offers the capability for you to govern views (which support basic column access and masking) as part of your data security needs. A 'View' allows a query result to be accessed just like it were a table.

You can use views in situations where you might want to see data that's combined or separated.

Views enables you to:

  • Identify and connect columns to ALTR that exist in Snowflake Views

  • Apply column access policies and masking rules to those columns

Due to differences in how data technologies treat views, ALTR does not support governing data in views for non-Snowflake data sources (for example, SQL Server, Postgres, etc.,). In addition, ALTR does not currently support the following features in Views:

  • Row Access Policies

  • Classification of data

  • Importing historical consumption data

Note

Even though ALTR allows you to create thresholds on View data or analyze query usage analytics on views, there are some known scenarios where thresholds will prematurely trigger for columns in views. In addition, usage analytics will incorrectly count some data accesses on columns in views. This is due to how Snowflake treats masking policies on Views while the rest will be addressed by ALTR.

This section provides the steps to govern data in a View. You will need to grant the appropriate Service User permissions for ALTR to identify and govern data in a view. Learn more.

A few notes:

  • After you run the newest stored procedure, any newly connected databases will be able to operate on views shortly afterward.

  • It might take up to three days for ALTR to identify view information for Snowflake databases that are already connected.

Similar to tables, columns in views must be connected to ALTR before they can be included in governance policies. To govern a column in a Snowflake view, follow the steps below.

  1. From the Data Management page, click the Add New button.

  2. In the resulting form, select a Snowflake database.

  3. Next, click the View tab. This will enable you to identify a specific column to connect by selecting the schema and view for that column.

  4. Click Connect. Once a column in a Snowflake view is connected to ALTR, then it can be included in column access policies just like columns from tables.

Note

Columns in views can also be governed through our Management API. Learn more.

Views in Snowflake inherit the governance policies of their base tables; so, if you query data in a view, then Snowflake will still apply any Dynamic Data Masking Policies and/or Row Access Policies assigned to the Views base table. Because of this, it's usually much simpler to only apply governance rules once to the data in tables and leverage this functionality to prevent an explosion of masking policies.

Use Cases that Might Warrant Creating Governance Policies on Views

Use Case 1) Databases created from Snowflake Shares where Snowflake limits the application of masking policies

To govern data within a share, you can create a separate database with views that select from the shared database. You can then leverage ALTR to govern access to these views while preventing users from querying the share database directly.

Use Case 2) Materialized Views

Snowflake does not allow materialized views to select from base tables that include Dynamic Data Masking Policies or Row Access Policies. In this scenario, you can leverage ALTR to directly govern the materialized view while preventing users from querying the share database directly.

Use Case 3) Organizations that require different access rules for the same data within a Snowflake account or database

If your organization has a data consumption paradigm that involves a single role having different access to a dataset based on what view it is selecting, then this can be accomplished by using ALTR to govern the view directly.

To disconnect a column:

  1. Select Data ConfigurationData ManagementColumns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

Warning

Before force disconnecting a column, consult ALTR Support.

Force disconnecting columns could have a negative impact on your source system if you do not fully understand your data and this feature.

Force disconnect a column if you are unable to disconnect the column as expected. This action ignores any errors encountered during the disconnect process. Use great caution with this feature because it cannot be undone.

Reasons to force disconnect columns include:

  • Column no longer exists in your source system

  • Service user's privileges have been decommissioned

  • ALTR could not connect to Snowflake

To force disconnect a column:

  1. Select Data ConfigurationData ManagementColumns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

  4. Click the Trouble Disconnecting? link.

  5. Click the Force Disconnect Column button.

  6. Click the Force Disconnect Column button.

  7. Review your source system and clean up any object left behind.