Skip to main content

Create Column Access Policies in ALTR

Column Access Policies are managed on the Column Access tab in the Locks page.

To create a column access policy:

  1. Click Data PolicyLocksColumn Access in the Navigation menu.

  2. Click the Add New button.

  3. Enter a (cosmetic) Lock Name.

  4. Select an Application. This list box displays all driver applications configured in ALTR.

  5. Select the ALTR User Groups (typically role) that the policy affects.

    Note

    If a User Group is not included in a policy, they receive NULL values when querying data protected by ALTR.

  6. Click the Tag or the Column toggle to define the User Group's level of access.

  7. If creating a Tag policy, indicate how the masking policy is applied. There are two options

    • Tag Name and Value—applies the masking policy to the tag name-value pair, enabling you to set different policies on different tag values

    • Tag Name only—applies the masking policy to only the tag name; access is the same for all values associated with the tag

    The default option is Tag Name and Value. Refer to the examples for use cases on each option.

  8. Select the Masking Policy. Whenever a user in the User Group queries this data, the results are masked using this strategy.

    Note

    If a user group is assigned multiple masking strategies to a single column or tag between different locks, ALTR enforces whichever strategy is most permissive. Refer to Column Access Policy for more information.

  9. Click the +Add Another link to add all columns or tags for this policy.

  10. Click the Add Lock button.

Once a column access policy is created, it is immediately in effect. All queries against the columns or tags protected by the policy will control data access using the rules you specified.

Tag Usage Examples

The following are use cases for each option when defining locks directly on tags:

Tag Name and Value

Use this option when you want to set up specific, complex or granular policies. Let's say you have two different kids of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. And then you can set a different policy on phone numbers with no mask and grants access to anyone in the company.

Tag Name only

Use this option to control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag. For example, set a policy to mask all salary data and grant access to only the CFO. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.

In this section: