Skip to main content

Guides

Caution

In order to connect a data source to ALTR, you must have access to a service user that has the appropriate privileges to access the database and enforce security policies. ALTR strongly recommends updating the service user's privileges before connecting a new data source, even if you think the privileges are already properly configured.

Data sources can be connected on the Data Source page in ALTR, Data ConfigurationData Sources.To connect a new data source:

  1. Click the Add New button.

  2. If your ALTR account was created from Snowflake Partner Connect, select the Snowflake account and database you wish to connect.

  3. If your ALTR account was not created from Snowflake Partner Connect, or you wish to manually configure the connection, enter the following information:

    1. Snowflake Hostname. This can be found in the bottom left-hand corner of the Snowsight UI.

    2. Database Name. If you created this database using a case-sensitive name, be sure to encase it in double quotation marks.

    3. Snowflake Service User Username.

    4. Snowflake Service User Password.

    5. (Optional) Set advanced settings for this data source. ALTR does not recommend users change any of these settings without consulting ALTR Support.

      1. Snowflake Role. If present, ALTR will attempt to use this role when connecting to Snowflake. If this value is not supplied, ALTR will use the Service User's default role.

      2. Snowflake Warehouse. If present, ALTR will attempt to use this warehouse when connecting to Snowflake. If this value is not supplied, ALTR will use the Service User's default warehouse.

      3. Port ID. The default is 443.

      4. Maximum Number of Connections. The default is 5.

  4. (Optional) Indicate if you would like to import historical access history information.

  5. (Optional) Indicate if you would like to classify the data in the database.

  6. Click Connect Data Source.

To connect a column:

  1. Click Data ConfigurationData Management in the Navigation menu.

  2. Click the Columns tab.

  3. Click the Connect Column button.

  4. Select the Data Source the column resides in from the data source dropdown.

  5. Select the Schema and Table or View the column resides in from the relevant dropdowns.

  6. Select the column from the relevant dropdown.

  7. (Optional) Select the Tokenized check box to use ALTR policy to detokenize sensitive data. Ensure all values for this column are tokenized. Refer to Tokenization Access Policies for more information.

  8. Assign a name to the column (cosmetic).

  9. Click the Connect Column button.

To disconnect a column:

  1. Select Data ConfigurationData ManagementColumns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

Warning

Before force disconnecting a column, consult ALTR Support.

Force disconnecting columns could have a negative impact on your source system if you do not fully understand your data and this feature.

Force disconnect a column if you are unable to disconnect the column as expected. This action ignores any errors encountered during the disconnect process. Use great caution with this feature because it cannot be undone.

Reasons to force disconnect columns include:

  • Column no longer exists in your source system

  • Service user's privileges have been decommissioned

  • ALTR could not connect to Snowflake

To force disconnect a column:

  1. Select Data ConfigurationData ManagementColumns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

  4. Click the Trouble Disconnecting? link.

  5. Click the Force Disconnect Column button.

  6. Click the Force Disconnect Column button.

  7. Review your source system and clean up any object left behind.

Column Access Policies are managed on the Column Access tab in the Locks page.

To create a column access policy:

  1. Click Data PolicyLocksColumn Access in the Navigation menu.

  2. Click the Add New button.

  3. Enter a (cosmetic) Lock Name.

  4. Select an Application. This list box displays all driver applications configured in ALTR.

  5. Select the ALTR User Groups (typically role) that the policy affects.

    Note

    If a User Group is not included in a policy, they receive NULL values when querying data protected by ALTR.

  6. Click the Tag or the Column toggle to define the User Group's level of access.

  7. If creating a Tag policy, indicate how the masking policy is applied. There are two options

    • Tag Name and Value—applies the masking policy to the tag name-value pair, enabling you to set different policies on different tag values

    • Tag Name only—applies the masking policy to only the tag name; access is the same for all values associated with the tag

    The default option is Tag Name and Value. Refer to the examples for use cases on each option.

  8. Select the Masking Policy. Whenever a user in the User Group queries this data, the results are masked using this strategy.

    Note

    If a user group is assigned multiple masking strategies to a single column or tag between different locks, ALTR enforces whichever strategy is most permissive. Refer to Column Access Policy for more information.

  9. Click the +Add Another link to add all columns or tags for this policy.

  10. Click the Add Lock button.

Once a column access policy is created, it is immediately in effect. All queries against the columns or tags protected by the policy will control data access using the rules you specified.

Tag Usage Examples

The following are use cases for each option when defining locks directly on tags:

Tag Name and Value

Use this option when you want to set up specific, complex or granular policies. Let's say you have two different kids of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. And then you can set a different policy on phone numbers with no mask and grants access to anyone in the company.

Tag Name only

Use this option to control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag. For example, set a policy to mask all salary data and grant access to only the CFO. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.

Row Access Policies are created on the Row Access tab page in ALTR's Policy UI, Data PolicyLocksRow Access. To create a Row Access Policy:

  1. Click the Add New Button.

  2. Identify the table the policy will apply to and the reference column that will dictate access.

  3. Specify the list of roles who will be able to access all values in the table.

  4. Specify the list of user groups who will have limited access to rows within the table.

    1. For those user groups, identify the particular values of the reference column those users will be able to access. If that value is not present for a given row, those users will not be able to access the row.

      Note

      ALTR does not sample customer data except where absolutely necessary. Because of this, customers must manually enter column values when defining row access policies.

      Warning

      These fields are case sensitive. Be careful to enter the data exactly as it matches the real column values

  5. Assign a name to the Policy (cosmetic).

  6. Click the Submit button.

Once submitted, the policy enters a pending state. It may take several minutes for a row access policy to apply. If you have trouble successfully applying row access policies, contact ALTR Support.

Access to the Altrnet, ALTR's user interface, requires valid users to log into ALTR. Logging into ALTR involves providing ALTR with an organization ID, username, password, and 2-factor authentication code. If SSO is enabled for your organization, logging in requires authentication through your identity provider.

To log into ALTR:

  1. Navigate to ALTR's Login Page.

  2. Enter your Organization ID. Click Submit.

    Tip

    If you favorite the resulting page, you won't need to enter your organization ID the next time you log in.

    1. If you don't know your organization ID, you can have it sent to your email address.

  3. Enter your Username and Password. Click Log In.

    1. If you don't know your username, you can have it sent to your email address.

    2. If you forgot your password, you can reset it.

  4. Enter your 2-factor authentication code. This will either be sent through email, SMS, or an authentication App depending on your user settings. Click Submit.

    Note

    If you can no longer access you two-factor authentication code, contact ALTR support.

    1. If you can no longer access you two-factor authentication code, contact ALTR support.

This guide walks users through the process of recovering their ALTR Username or Organization ID.

ALTR employs tenant-based authentication, where users must submit their tenant (Organization) and username along with relevant authentication factors (password, etc.). ALTR identifies different tenants through the user of an Organization ID which must be provided when signing into ALTR. This is done by entering an organization ID on ALTR's login page.

Tip

After entering an organization ID, users are directed to a login URL specific to their organization. You can favorite this URL to skip entering an Organization ID during future logins.

After specifying an organization, users must enter a username, password, and 2-factor authentication code to log in. Usernames are a case-sensitive unique identifier for an ALTR user that is specified when a user's account is created.

If an ALTR user forgets their Organization ID or Username, they can recover this information in a Organization ID and Username recovery email. There are two different ways to trigger this email:

  1. Click the Don't know your Organization ID? button

  2. Enter the email address associated with your ALTR account.

  3. Click the Submit button.

From an Organization-Specific Login Page
  1. Click the Forgot your Username? button.

  2. Enter the email address associated with your ALTR account.

  3. Click the Submit button.

If there is an email address associated with at least one ALTR account, this flow will trigger an email including a list of all organization IDs and Usernames associated with email address. The organization IDs in this email include links to the relevant organization-specific login page to make it easier to log into ALTR.

Caution

Didn't get an email? Make sure that you entered your email address correctly. Additionally, make sure you are using the URL for the correct ALTR environment. For instance, you cannot recover the username for an ALTR altrnet.live organization from a different environment's URL.

Users who need to reset or wish to update their ALTR password can do so in a variety of ways.

This guide walks users through changing their ALTR password from ALTR's Settings page.

ALTR users can update their passwords from the User Preferences page,

ALTR users can update their passwords from the User Preferences page, SettingsPreferencesUser. Follow the below steps to change your ALTR password.

  1. Enter your existing ALTR password.

  2. Enter your new ALTR password. This password must meet ALTR's password requriements.

  3. Confirm your new ALTR password.

  4. Click the Submit button.

ALTR Password Requirements

When creating new passwords, the following requirements must be met:

  • The password must be different than previously-used passwords.

  • The password must be between 8 and 64 characters.

  • The password must include at least one capital letter.

  • The password must include at least one number.

  • The password must include at least one symbol..

This guide walks users through resetting their ALTR password from ALTR's login page. If Single Sign-On is enabled for your organization, you are not able to reset your password.

If a user has forgotten their ALTR password, they can reset it through a password reset email. To trigger a password reset email:

  1. Navigate to your organization's ALTR login page

  2. Click the Forgot Password button

  3. Enter your ALTR username

    Caution

    ALTR usernames are case sensitive. If you have forgotten your ALTR username, follow our guide for recovering your username and organization ID.

  4. Click the Submit button.

If the username is valid, an email will be sent to that user's email address with a link to reset their password.

Caution

If you did not receive an email, you may have mistyped your username or may be attempting to log into the wrong ALTR organization. See ALTR's guide for recovering a Username and Organization ID.

Follow the below steps to reset your ALTR password:

  1. Click the link provided in the password reset email

  2. Enter a new ALTR password. This must meet ALTR's password requirements.

  3. Confirm the new ALTR password.

  4. Click the Submit button.

Once completed, your password will be updated and you can log into your ALTR account with the new password.

ALTR Password Requirements

When creating new passwords, the following requirements must be met:

  • The password must be different than previously-used passwords.

  • The password must be between 8 and 64 characters.

  • The password must include at least one capital letter.

  • The password must include at least one number.

  • The password must include at least one symbol..