Skip to main content

Row Access Policies

Row Access Policies enable ALTR customers to limit which rows users or application can access when querying sensitive data.

Row Access Policies are one of ALTR's tools for controlling access to sensitive data. These policies control access to particular rows within a table or view by filtering query results when a user or application selects data. Access to rows within a table are controlled by the value of a Reference Column. When defining a Row Access Policy, ALTR administrators define a relationship between roles and values of the reference column. Each Row Access Policy Includes:

  • A table or view, defined by:

    • A connected ALTR data source.

    • A schema within that data source.

    • The table or view to which the policy will be applied.

      Note

      Row Access Policy on Views is currently only supported in ALTR's API.

  • The Reference Column used to dictate access to particular rows. This can be a string or number.

    Caution

    Due to limitations in Snowflake, the Reference Column cannot be connected to ALTR or used in a Column Access Policy.

  • A list of roles that can access all data within the table.

  • A list of roles that can only access certain rows within the table.

    • For each role, the value(s) they can access. If the reference column does not contain one of these values, the row will be filtered out from the user's query resutls.

      Caution

      These values are case sensitive. Make sure they are entered as they exist in your source system.

  • A name for the policy (cosmetic).

Once an ALTR administrator defines a Row Access Policy, it will enter a pending state as ALTR attempts to create the policy. It may take some time to create a Row Access Policy. Once a Row Access Policy is created, it will enter the Applied state. If there is an issue creating a Row Access Policy, it will enter a Failed state. Contact ALTR Support for help with failed Row Access Policies.

Creating ALTR Row Access Policies

Row Access Policies are created on the Row Access tab page in ALTR's Policy UI, Data PolicyLocksRow Access. To create a Row Access Policy:

  1. Click the Add New Button.

  2. Identify the table the policy will apply to and the reference column that will dictate access.

  3. Specify the list of roles who will be able to access all values in the table.

  4. Specify the list of user groups who will have limited access to rows within the table.

    1. For those user groups, identify the particular values of the reference column those users will be able to access. If that value is not present for a given row, those users will not be able to access the row.

      Note

      ALTR does not sample customer data except where absolutely necessary. Because of this, customers must manually enter column values when defining row access policies.

      Warning

      These fields are case sensitive. Be careful to enter the data exactly as it matches the real column values

  5. Assign a name to the Policy (cosmetic).

  6. Click the Submit button.

Once submitted, the policy enters a pending state. It may take several minutes for a row access policy to apply. If you have trouble successfully applying row access policies, contact ALTR Support.

In this section: