Row Access Policies
Row Access Policies enable ALTR customers to limit which rows users or application can access when querying sensitive data.
Row Access Policies are one of ALTR's tools for controlling access to sensitive data. These policies control access to particular rows within a table or view by filtering query results when a user or application selects data. Access to rows within a table are controlled by the value of a Reference Column. When defining a Row Access Policy, ALTR administrators define a relationship between roles and values of the reference column. Each Row Access Policy Includes:
A table or view, defined by:
A connected ALTR data source.
A schema within that data source.
The table or view to which the policy will be applied.
Note
Row Access Policy on Views is currently only supported in ALTR's API.
The Reference Column used to dictate access to particular rows. This can be a string or number.
Caution
Due to limitations in Snowflake, the Reference Column cannot be connected to ALTR or used in a Column Access Policy.
A list of roles that can access all data within the table.
A list of roles that can only access certain rows within the table.
For each role, the value(s) they can access. If the reference column does not contain one of these values, the row will be filtered out from the user's query resutls.
Caution
These values are case sensitive. Make sure they are entered as they exist in your source system.
A name for the policy (cosmetic).
Once an ALTR administrator defines a Row Access Policy, it will enter a pending state as ALTR attempts to create the policy. It may take some time to create a Row Access Policy. Once a Row Access Policy is created, it will enter the Applied state. If there is an issue creating a Row Access Policy, it will enter a Failed state. Contact ALTR Support for help with failed Row Access Policies.
Create ALTR Row Access Policies
Row Access Policies are created on the Row Access tab page in ALTR's Policy UI, → → . To create a Row Access Policy:
To create row access policy:
Select Navigation menu.
in theClick Row Access tab.
Click Add New button.
Select a Database , Schema and Table where the policy is applied.
Select a Reference Column that will dictate access.
Note
If your data doesn't display in the dropdowns, ensure your service user account has privileges to access the data.
Click Next.
Select a User Group who has limited access to rows within the table.
For those user groups, identify the particular values of the reference column those users will be able to access. If that value is not present for a given row, those users will not be able to access the row.
Note
ALTR does not sample customer data except where absolutely necessary. Because of this, customers must manually enter column values when defining row access policies.
Warning
These fields are case sensitive. Be careful to enter the data exactly as it matches the real column values
Click Next.
Enter a cosmetic name for the Row Access Policy Name.
Click the
button.
Once submitted, the policy enters a pending state. It may take several minutes for a row access policy to apply. If you have trouble successfully applying row access policies, contact ALTR Support.