Masking Policies
Snowflake
ALTR supports several out-of-the-box masking types for column and tag policies as well as the ability to customize masking behavior.
Refer to the following table for the supported masking types and details, including the associated ID included in the API.
| Masking Type | Strategy ID (Management API) | Description | Supported Data Types | Supported Policy Types | Example |
|---|---|---|---|---|---|
| No Mask | 10000 | Users see the original data | all | governed (default masking), tokenization, format-preserving encryption, native masking | Before: `Georgia` After: `Georgia` |
| E-Mail Hash | 10007 | Users only see data to the right of the @ symbol; protected data is hashed | string | native masking | Before: `jane@example.com` After: `...7eb13e24546a2@example.com` |
| | 10002 | Users only see data to the right of the @ symbol. Protected data is replaced with `*` | string | governed (default masking), tokenization, format-preserving encryption, native masking | Before: `jane@example.com` After: `****@example.com` |
| Show Last Four Hash | 10008 | Users only see the last 4 characters of the data; protected data is hashed. A hyphen is added to separate the last 4 from the hash. | string | native masking | Before: `1111-11-1234` After: `…f1b8852c6c-1234` |
| Show Last Four | 10003 | Users only see the last 4 characters of the data. Protected data is replaced with `*` | string | governed (native masking), tokenization, format-preserving encryption, native masking | Before: `1111-11-1234` After: `****-**-1234` |
| Full Mask Hash | 10006 | Users only see a hash of the data; protected data is hashed in totality | string, number | native masking | Before: `Georgia` After: `…660d1a7b8156ae` |
| Full Mask | 10001 | Users only see the length of the data. Protected data is replaced with `*` | string | governed (native masking), tokenization, format-preserving encryption, native masking | Before: `Georgia` After: `*******` |
| Constant Date | 10009 | Data is replaced with 12/31/9999 regardless of the data type | string, number, datetime | native masking | Before: `11252019` After: `12319999` |
| Constant Mask | 10004 | Data is replaced with a single value based on the column’s data type: numbers mask to 1; strings mask to `*`; datetime masks to 1/1/2000 00:00:00 UTC. (You may see different values depending on the specific data type and time zone conversion.) | string, number, datetime | governed (native masking), tokenization, format-preserving encryption, native masking | Before: `Georgia` After: `*` |
| Null | 10005 | If there is no matching rule for the access being validated, data is replaced with “Null” | all | native masking | Before: `Georgia` After: `Null` |
Databricks
ALTR supports several out-of-the-box masking types for tag policies. Refer to the following table for the supported masking types and details, including the associated ID included in the API.
| Masking Type | Strategy ID (Management API) | Description | Supported Data Types | Example |
|---|---|---|---|---|
| No Mask | 10000 | Users see the original data | All | Before: `Georgia` After: `Georgia` |
| | 10002 | Users only see data to the right of the @ symbol. Protected data is replaced with `*` | String | Before: `jane@example.com` After: `****@example.com` |
| Show Last Four | 10003 | Users only see the last 4 characters of the data. Protected data is replaced with `*` | String | Before: `1111-11-1234` After: `****-**-1234` |
| Full Mask | 10001 | Users only see the length of the data. Protected data is replaced with `*` | String | Before: `Georgia` After: `*******` |
| Constant Mask | 10004 | Data is replaced with a single value based on the column’s data type: numbers mask to 1; strings mask to `*`; datetime masks to 1/1/2000 00:00:00 UTC. (You may see different values depending on the specific data type and time zone conversion.) | String, Number, Datetime | Before: `Georgia` After: `*` |
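
When validating a policy, it helps to compare what a restricted role actually receives against what the assigned strategy ID should produce. The following is an added example, not ALTR's code: it emulates the non-hash strategies shared by both tables (10000 to 10004) and flags returned values that do not match. The function names, the handling of short values and of strings without an `@`, and the sample rows are assumptions; the hash strategies are left out because the page does not state the hash function.

```python
import re
from datetime import datetime, timezone

def email_mask(v):  # strategy 10002
    local, at, domain = v.rpartition("@")
    # Assumption: a value without '@' has no safe part to show, so mask it all.
    return "*" * len(local) + at + domain if at else "*" * len(v)

def show_last_four(v):  # strategy 10003
    # Assumption: values of four characters or fewer are masked entirely,
    # otherwise the "last four" would be the whole value.
    if len(v) <= 4:
        return "*" * len(v)
    # Separators are kept, as in the table's ****-**-1234 example.
    return re.sub(r"[^\W_]", "*", v[:-4]) + v[-4:]

def constant_mask(v):  # strategy 10004
    if isinstance(v, datetime):
        return datetime(2000, 1, 1, tzinfo=timezone.utc)
    if isinstance(v, (int, float)) and not isinstance(v, bool):
        return 1
    return "*"

# Strategy IDs come from the tables above; the bodies are an emulation.
STRATEGIES = {
    10000: lambda v: v,               # No Mask
    10001: lambda v: "*" * len(v),    # Full Mask
    10002: email_mask,
    10003: show_last_four,
    10004: constant_mask,
}

def find_mismatches(strategy_id, pairs):
    """Return (original, returned, expected) for rows that do not match the mask."""
    mask = STRATEGIES[strategy_id]
    return [(o, r, mask(o)) for o, r in pairs if r != mask(o)]

# Constructed sample: source values and what a restricted role got back.
SAMPLE = [
    ("1111-11-1234", "****-**-1234"),
    ("2222-22-5678", "2222-22-5678"),  # returned unmasked
    ("987", "***"),
]

if __name__ == "__main__":
    for row in find_mismatches(10003, SAMPLE):
        print("unexpected value returned:", row)
```
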