Masking Policies
ALTR supports several out-of-the-box masking types for column and tag policies as well as the ability to customize masking behavior. Learn more.
Refer to the following table for the supported masking types and details, including the associated ID included in the API .
Note
Hash masking types specifically mean the lower-case–hex-encoded SHA-256 hash of the UTF-8–encoded string, exactly equivalent to Snowflake’s built-in function SHA2('str')
. Learn more.
Masking Type | Strategy ID (Management API) | Description | Supported Data Types | Supported Policy Types | Example |
---|---|---|---|---|---|
No Mask | 10000 | Users see the original data | all |
| Before: Georgia After: Georgia |
E-Mail Hash | 10007 | Users only see data to the right of the @ symbol, protected data is hashed | string | native masking | Before: jane@example.com After: ...7eb13e24546a2@example.com |
10002 | Users only see data to the right of the @ symbol. Protected data is replaced with * | string |
| Before: jane@example.com After: ****@example.com | |
Show Last Four Hash | 10008 | Users only see the last 4 characters of the data, protected data is hashed. A hyphen is added to separate the last 4 from hash. | string | native masking | Before: 1111-11-1234 After: …f1b8852c6c-1234 |
Show Last Four | 10003 | Users only see the last 4 characters of the data. Protected data is replaced with * | string |
| Before: 1111-11-1234 After: ****-**-1234 |
Full Mask Hash | 10006 | Users only see a hash of the data, protected data is hashed in totality |
| native masking | Before: Georgia After: …660d1a7b8156ae |
Full Mask | 10001 | Users only see the length of the data. Protected data is replaced with * | string |
| Before: Georgia After: ******* |
Constant Date | 10009 | Data is replaced with 12/31/9999 regardless of the data type |
| native masking | Before: 12252019 After: 12/31/9999 |
Constant Mask | 10004 | Data is replaced with a single value based on the column’s data type:
|
|
| Before: Georgia After: * |
Null | 10005 | If there is no matching rule for the access being validated, data is replaced with "Null" | all | native masking | Before: Georgia After: Null |
ALTR supports several out-of-the-box masking types for tag policies. Refer to the following table for the supported masking types and details, including the associated ID included in the API.
Masking Type | Strategy ID (Management API) | Description | Supported Data Types | Example |
---|---|---|---|---|
No Mask | 10000 | Users see the original data | All | Before: Georgia After: Georgia |
10002 | Users only see data to the right of the @ symbol. Protected data is replaced with * | String | Before: jane@example.com After: ****@example.com | |
Show Last Four | 10003 | Users only see the last 4 characters of the data. Protected data is replaced with * | String | Before: 1111-11-1234 After: ****-**-1234 |
Full Mask | 10001 | Users only see the length of the data. Protected data is replaced with * | String | Before: Georgia After: ******* |
Constant Mask | 10004 | Data is replaced with a single value based on the column’s data type:
|
| Before: Georgia After: * |