Skip to main content

Databricks

Tag Masking Options

Create Tag Policy

When creating tag policy on Databricks, all data types except for VARCHAR are supported. Tag policy for Databricks use native masking, where data access is controlled by ALTR using only Databricks masking policies. Learn more.

To create a tag-based policy:

  1. Select Policy in the Navigation menu.

  2. Click Create Policy.

  3. Locate the Tag Policy card and click Create Policy.

  4. Click Create Policy for Databricks.

  5. Enter a Tag Name that the policy affects. The policy applies masking rules to all columns assigned to this tag.

    Note

    The tag name is case sensitive in Databricks and when entering it for a policy.

  6. Select a Metastore where the tag is located.

  7. Click Next.

  8. Create the policy rule statement by selecting the following options:

    1. Role that the policy affects, which is a Databricks user group.

      Note

      Any roles (user groups) not included in the policy receive a value of NULL when querying data protected by ALTR.

    2. Tag name or tag name and value to indicate how the masking policy is applied. Learn more.

      Note

      Tags are called “key” and “value” in Databricks.

    3. Masking policy to determine what transformation, if any, occurs to query results when data is accessed. If a particular query is affected by multiple policies, the most permissive masking policy is enforced. Learn more.

  9. (Optional) Click + Rule Statement to add additional rules for this policy.

  10. Click Save.

Delete Tag Policy

Delete a tag policy to remove masking rules for the specified tags. Columns in query results based on the defined roles and tag values will no longer be masked. This action only deletes the tag from ALTR; it does not delete the tag from Databricks.

Force Delete

Warning

Before force deleting a policy, consult ALTR Support.

Force deleting a policy could have a negative impact on your source system if you do not fully understand your data and this feature.

Force deleting a policy if you are unable to delete the policy as expected. This action deletes the policy and supporting functions from ALTR and Databricks, ignoring any errors encountered during the delete process. Use great caution with this action because it cannot be undone.

Force delete a policy if

  • the policy no longer exists in Databricks.

  • service principal permissions have been decommissioned.

  • ALTR could not connect to Databricks.

To force delete a policy:

  1. Select Policy in the Navigation menu.

  2. Click the policy you wish to delete.

  3. Click Edit Policy.

  4. Click the Trouble deleting? link.

  5. Click Force Delete Policy.

  6. Review your source system and clean up any object left behind.

Conflicting Masking Policies

Tip

Example

One policy specifies that the DataStewards group can access data tagged as PII with No Mask applied. Since the AllUsers group is not included in this policy, users in that group will see NULL values when querying columns associated with the PII tag.

However, if a second policy grants the AllUsers group access to the PII tag with a Full Mask, users in that group will instead see masked values rather than NULLs. The most permissive applicable policy determines the masking behavior for each group.

In this section: