Skip to main content

Masking Policies

ALTR supports several out-of-the-box masking types for column and tag policies as well as the ability to customize masking behavior. Learn more.

Refer to the following table for the supported masking types and details, including the associated ID included in the API .

Note

Hash masking types specifically mean the lower-case–hex-encoded SHA-256 hash of the UTF-8–encoded string, exactly equivalent to Snowflake’s built-in function SHA2('str'). Learn more.

Masking Type

Strategy ID (Management API)

Description

Supported Data Types

Supported Policy Types

Example

No Mask

10000

Users see the original data

all

  • governed (default masking)

  • tokenization

  • format-preserving encryption

  • native masking

Before: Georgia

After: Georgia

E-Mail Hash

10007

Users only see data to the right of the @ symbol, protected data is hashed

string

native masking

Before: jane@example.com

After: ...7eb13e24546a2@example.com

E-Mail

10002

Users only see data to the right of the @ symbol. Protected data is replaced with *

string

  • governed (default masking)

  • tokenization

  • format-preserving encryption

  • native masking

Before: jane@example.com

After: ****@example.com

Show Last Four Hash

10008

Users only see the last 4 characters of the data, protected data is hashed. A hyphen is added to separate the last 4 from hash.

string

native masking

Before: 1111-11-1234

After: …f1b8852c6c-1234

Show Last Four

10003

Users only see the last 4 characters of the data. Protected data is replaced with *

string

  • governed (native masking)

  • tokenization

  • format-preserving encryption

  • native masking

Before: 1111-11-1234

After: ****-**-1234

Full Mask Hash

10006

Users only see a hash of the data, protected data is hashed in totality

  • string

  • number

native masking

Before: Georgia

After: …660d1a7b8156ae

Full Mask

10001

Users only see the length of the data. Protected data is replaced with *

string

  • governed (native masking)

  • tokenization

  • format-preserving encryption

  • native masking

Before: Georgia

After: *******

Constant Date

10009

Data is replaced with 12/31/9999 regardless of the data type

  • string

  • number

  • datetime

native masking

Before: 12252019

After: 12/31/9999

Constant Mask

10004

Data is replaced with a single value based on the column’s data type:

  • Numbers mask to 1

  • Strings mask to *

  • Datetime mask to 1/1/2000 00:00:00 UTC

    (You may see different values depending on the specific data type and time zone conversion.)

  • string

  • number

  • datetime

  • governed (native masking)

  • tokenization

  • format-preserving encryption

  • native masking

Before: Georgia

After: *

Null

10005

If there is no matching rule for the access being validated, data is replaced with "Null"

all

native masking

Before: Georgia

After: Null

ALTR supports several out-of-the-box masking types for tag policies. Refer to the following table for the supported masking types and details, including the associated ID included in the API.

Masking Type

Strategy ID (Management API)

Description

Supported Data Types

Example

No Mask

10000

Users see the original data

All

Before: Georgia

After: Georgia

E-Mail

10002

Users only see data to the right of the @ symbol. Protected data is replaced with *

String

Before: jane@example.com

After: ****@example.com

Show Last Four

10003

Users only see the last 4 characters of the data. Protected data is replaced with *

String

Before: 1111-11-1234

After: ****-**-1234

Full Mask

10001

Users only see the length of the data. Protected data is replaced with *

String

Before: Georgia

After: *******

Constant Mask

10004

Data is replaced with a single value based on the column’s data type:

  • Numbers mask to 1

  • Strings mask to *

  • Datetime mask to 1/1/2000 00:00:00 UTC

    (You may see different values depending on the specific data type and time zone conversion.)

  • String

  • Number

  • Datetime

Before: Georgia

After: *