Snowflake
Tag-based policy only affects columns that are connected and being monitored by ALTR. For Snowflake, this occurs automatically if the relevant Snowflake object tag is connected to ALTR.
Tip
Tag versus Column Policy
Tag- and column-based policies both apply masking rules based on the type of information or sensitivity level of columns, but at different levels. A tag policy applies to every column that carries the tag, which provides higher-level masking, whereas a column policy applies to one specific column.
Choose to apply tag or column policies but not both. If deciding between tag and column policies, our recommendation is to use tag policy because it is more scalable, flexible and easier to manage than column policies.
If the tag you’re creating policy for was connected to ALTR using native masking, some policy configuration options may vary.
To create a tag-based policy:
1. Ensure the tag to which you are applying policy has been connected in ALTR.
2. Select Policy in the Navigation menu.
3. Click Create Policy.
4. Locate the Tag Policy card and click Create Policy.
5. Select a Tag Name that the policy affects. The policy applies masking rules to all columns assigned to this tag.
   Note (Tag Name Notes):
   - Only tags connected in ALTR display in the dropdown. If your tag name does not display in the dropdown, ensure it has been connected to ALTR.
   - If the tag was connected using native masking, configuration options for the policy may vary.
6. Click Next.
7. Create the policy rule statement by selecting the following options:
   - Role that the policy affects, which is an ALTR user group.
     Note: Any roles not included in the policy receive NULL values when querying data protected by ALTR.
   - Tag name or tag name and value to indicate how the masking policy is applied.
   - Masking policy to determine what transformation, if any, occurs to query results when data is accessed. If a particular query is affected by multiple policies, the most permissive masking policy is enforced.
     Note: Masking policy options vary depending on whether or not the tag used in the policy was connected using native masking.
8. (Optional) Click Add an alert to configure notifications and/or block users for this policy.
   Note: Alerts are not available if the tag was connected using native masking.
9. (Optional) Click + Rule Statement to add additional rules for this policy.
10. Click Save.
Delete a tag policy to remove masking rules for the specified tags. Columns that the policy masked for the defined roles and tag values are no longer masked in query results. This action only deletes the tag from ALTR; it does not delete the tag from Snowflake.
Tip
Example
One policy specifies that roles with ACCOUNTADMIN privileges can access the PII tag with No Mask applied. Since the PUBLIC role was not included in the policy, the PUBLIC role receives NULL values in place of the data. However, if a second policy specifies that the PUBLIC role can access the PII tag with a Full Mask, any user assigned the PUBLIC role sees masked values when querying columns associated with the PII tag.
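The evaluation rules described on this page (roles not named in any policy get NULL, and the most permissive matching policy wins) can be modelled offline to review a planned set of rule statements before saving them. This is an added example, not ALTR code: the names `Rule`, `effective_mask` and `audit`, the tag value `email`, and the ranking NULL < Full Mask < No Mask are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed permissiveness order (least to most). The page names only NULL,
# Full Mask and No Mask and does not publish a complete ranking.
PERMISSIVENESS = {"NULL": 0, "Full Mask": 1, "No Mask": 2}

@dataclass(frozen=True)
class Rule:
    role: str                         # ALTR user group the rule statement affects
    tag: str                          # tag name
    mask: str                         # key of PERMISSIVENESS
    tag_value: Optional[str] = None   # None = rule matches any value of the tag

def effective_mask(rules, active_roles, column_tags):
    """Return the mask enforced on one ALTR-protected column.

    rules:        every rule statement from every tag policy
    active_roles: roles in effect for the query (assumed to be a set)
    column_tags:  dict of tag name -> tag value on the column
    """
    best = "NULL"  # roles not included in any policy receive NULL
    for r in rules:
        if r.role not in active_roles or r.tag not in column_tags:
            continue
        if r.tag_value is not None and r.tag_value != column_tags[r.tag]:
            continue
        if PERMISSIVENESS[r.mask] > PERMISSIVENESS[best]:
            best = r.mask  # most permissive matching rule wins
    return best

def audit(rules, roles, column_tags):
    """Map each role to the mask it would receive on the column."""
    return {role: effective_mask(rules, {role}, column_tags) for role in roles}

# Constructed sample data mirroring the example on this page.
POLICY_1 = [Rule("ACCOUNTADMIN", "PII", "No Mask")]
POLICY_2 = [Rule("PUBLIC", "PII", "Full Mask")]
COLUMN = {"PII": "email"}  # tag value "email" is a made-up placeholder

if __name__ == "__main__":
    roles = ["ACCOUNTADMIN", "PUBLIC"]
    print(audit(POLICY_1, roles, COLUMN))             # first policy only
    print(audit(POLICY_1 + POLICY_2, roles, COLUMN))  # both policies
    # A rule pinned to a different tag value does not match this column.
    print(effective_mask([Rule("PUBLIC", "PII", "No Mask", "ssn")], {"PUBLIC"}, COLUMN))
```

Running `audit` over every role in the account shows which roles would end up with No Mask on a tag, which is the result worth reviewing before adding a permissive rule statement.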