Skip to main content

Masking Policies

Snowflake

ALTR supports several out-of-the-box masking types for column and tag policies as well as the ability to customize masking behavior. Learn more.

Refer to the following table for the supported masking types and details, including the associated ID included in the API .

Note

Hash masking types specifically mean the lower-case–hex-encoded SHA-256 hash of the UTF-8–encoded string, exactly equivalent to Snowflake’s built-in function SHA2('str'). Learn more.

Masking Type	Strategy ID (Management API)	Description	Supported Data Types	Supported Policy Types	Example
No Mask	10000	Users see the original data	all	governed (default masking) tokenization format-preserving encryption native masking	Before: Georgia After: Georgia
E-Mail Hash	10007	Users only see data to the right of the @ symbol, protected data is hashed	string	native masking	Before: jane@example.com After: ...7eb13e24546a2@example.com
E-Mail	10002	Users only see data to the right of the @ symbol. Protected data is replaced with *	string	governed (default masking) tokenization format-preserving encryption native masking	Before: jane@example.com After: ****@example.com
Show Last Four Hash	10008	Users only see the last 4 characters of the data, protected data is hashed. A hyphen is added to separate the last 4 from hash.	string	native masking	Before: 1111-11-1234 After: …f1b8852c6c-1234
Show Last Four	10003	Users only see the last 4 characters of the data. Protected data is replaced with *	string	governed (native masking) tokenization format-preserving encryption native masking	Before: 1111-11-1234 After: **--1234
Full Mask Hash	10006	Users only see a hash of the data, protected data is hashed in totality	string number	native masking	Before: Georgia After: …660d1a7b8156ae
Full Mask	10001	Users only see the length of the data. Protected data is replaced with *	string	governed (native masking) tokenization format-preserving encryption native masking	Before: Georgia After: *******
Constant Date	10009	Data is replaced with 12/31/9999 regardless of the data type	string number datetime	native masking	Before: 12252019 After: 12/31/9999
Constant Mask	10004	Data is replaced with a single value based on the column’s data type: Numbers mask to 1 Strings mask to * Datetime mask to 1/1/2000 00:00:00 UTC (You may see different values depending on the specific data type and time zone conversion.)	string number datetime	governed (native masking) tokenization format-preserving encryption native masking	Before: Georgia After: *
Null	10005	If there is no matching rule for the access being validated, data is replaced with "Null"	all	native masking	Before: Georgia After: Null

Databricks

ALTR supports several out-of-the-box masking types for tag policies. Refer to the following table for the supported masking types and details, including the associated ID included in the API.

Masking Type	Strategy ID (Management API)	Description	Supported Data Types	Example
No Mask	10000	Users see the original data	All	Before: Georgia After: Georgia
E-Mail	10002	Users only see data to the right of the @ symbol. Protected data is replaced with *	String	Before: jane@example.com After: ****@example.com
Show Last Four	10003	Users only see the last 4 characters of the data. Protected data is replaced with *	String	Before: 1111-11-1234 After: **--1234
Full Mask	10001	Users only see the length of the data. Protected data is replaced with *	String	Before: Georgia After: *******
Constant Mask	10004	Data is replaced with a single value based on the column’s data type: Numbers mask to 1 Strings mask to * Datetime mask to 1/1/2000 00:00:00 UTC (You may see different values depending on the specific data type and time zone conversion.)	String Number Datetime	Before: Georgia After: *

In this section:

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.