Tag-Based Access Policy
Important
This documentation is for the newly redesigned policy user interface. If you are looking for the former policy documentation, please refer to Tag-Based Column Access Policies.
Tip
Tag- and column-based policies are similar in that both apply masking rules based on the type of information or sensitivity level of columns, but they operate at different levels. A tag policy is applied to every column carrying that tag, providing higher-level masking, whereas a column policy is applied to one specific column at the column level.
If you are deciding between tag and column policies, we recommend tag policy because it is more scalable, more flexible and easier to manage than column policies.
Tag-based policy masks columns in query results based on tag values assigned to the columns. If a policy is applied to a tag, it affects all columns associated with that tag.
Tag-based policy only affects columns that are connected to and being monitored by ALTR. For Snowflake, this occurs automatically if the relevant Snowflake object tag is connected to ALTR.
When creating a tag-based policy, there are two ways to apply masking:
Tag value: Applies the masking policy to the tag name-value pair, which enables you to set different policies on different tag values.
Use: Set up specific, complex or granular policies.
Example: Let's say you have two different kinds of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy on SSNs where the first 5 digits are masked (###-##-1234) and only HR has access, and then set a different policy on phone numbers with no mask that grants access to anyone in the company.
Tag name: Applies the masking policy to only the tag name so access is the same for all values associated with the tag.
Use: Control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag.
Example: Set a policy to mask all salary data and grant access to only the chief financial officer. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.
To create a tag-based policy:
Ensure the tag to which you are applying policy has been connected in ALTR.
Select Policy in the Navigation menu.
Click Create Policy.
Locate the Tag Policy card and click Create Policy.
Select a Tag Name that the policy affects. The policy applies masking rules to all columns assigned to this tag.
Note
Only tags connected in ALTR display in the dropdown. If your tag name does not display in the dropdown, ensure it has been connected to ALTR.
Click Next.
Create the policy rule statement by selecting the following options:
Role that the policy affects, which is an ALTR user group.
Note
Any roles not included in the policy receive NULL values when querying data protected by ALTR.
Tag name or tag value to indicate how the masking policy is applied.
Masking policy to determine what transformation, if any, occurs to query results when data is accessed. If a particular query is affected by multiple policies, the most permissive masking policy is enforced.
(Optional) Click Add an alert to configure notifications and/or block users for this policy.
(Optional) Click + Rule Statement to add additional rules for this policy.
Click Save.
Delete a tag policy to remove masking rules for the specified tags. Columns in query results will no longer be masked based on the defined roles and tag values. This action only deletes the tag from ALTR; it does not delete the tag from Snowflake.
To delete a tag policy:
Select Policy in the Navigation menu.
Click the tag policy you wish to delete.
Click Edit Policy.
Click Delete Policy; the Delete tag policy modal displays.
Click Delete Policy to confirm.
If multiple policies are applied to a tag and a role is assigned more than one masking type, the masking types may conflict. If a conflict exists, the most permissive policy is enforced.
The following is a ranking of masking types from most permissive to least permissive:
No Mask - most permissive
Show Last Four
E-Mail
Full Mask
Constant Mask - least permissive
Tip
Example
One policy specifies that roles with ACCOUNTADMIN privileges can access the PII tag with No Mask applied. Since the PUBLIC role was not included in the policy, the policy replaces the PUBLIC role's access with NULL values. However, if a second policy specifies that the PUBLIC role can access the PII tag with a Full Mask, any user assigned the PUBLIC role will see masked values when querying columns associated with the PII tag.
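To make the tag-name versus tag-value scoping and the most-permissive-wins resolution above concrete, the following added Python example (not ALTR's code or API) models how a role's effective mask for a tagged column is resolved using the masking ranking from this page. The role names, tag names and rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Masking types ranked from most permissive (0) to least permissive (4),
# following the ranking given on this page.
MASK_RANK = {"No Mask": 0, "Show Last Four": 1, "E-Mail": 2,
             "Full Mask": 3, "Constant Mask": 4}


@dataclass(frozen=True)
class TagPolicyRule:
    role: str                        # ALTR user group granted access by this rule
    tag_name: str                    # tag the rule is attached to
    mask: str                        # one of the MASK_RANK keys
    tag_value: Optional[str] = None  # None: tag-name rule (all values); str: tag-value rule


def rule_matches(rule: TagPolicyRule, role: str, tag_name: str, tag_value: str) -> bool:
    """A rule applies when the role and tag name match and the rule is either
    scoped to the whole tag name or to this column's specific tag value."""
    return (rule.role == role and rule.tag_name == tag_name
            and (rule.tag_value is None or rule.tag_value == tag_value))


def effective_mask(rules: List[TagPolicyRule], role: str,
                   tag_name: str, tag_value: str) -> Optional[str]:
    """Resolve what `role` sees for a column tagged tag_name=tag_value.
    Returns None when no rule covers the role (ALTR returns NULL values);
    otherwise the most permissive of the matching masks, since the page states
    that the most permissive policy is enforced on conflict."""
    matching = [r.mask for r in rules if rule_matches(r, role, tag_name, tag_value)]
    if not matching:
        return None
    return min(matching, key=lambda m: MASK_RANK[m])


# Constructed sample rules mirroring the page's examples (not real ALTR data).
SAMPLE_RULES = [
    TagPolicyRule("HR", "EMPLOYEE_DATA", "Show Last Four", tag_value="SSN"),
    TagPolicyRule("ALL_EMPLOYEES", "EMPLOYEE_DATA", "No Mask", tag_value="PHONE"),
    TagPolicyRule("ACCOUNTADMIN", "PII", "No Mask"),       # tag-name rule: every PII value
    TagPolicyRule("PUBLIC", "PII", "Full Mask"),
    TagPolicyRule("PUBLIC", "PII", "Constant Mask"),       # conflicts; Full Mask wins
]

if __name__ == "__main__":
    for role, tag, value in [("PUBLIC", "PII", "EMAIL"), ("ANALYST", "PII", "EMAIL"),
                             ("HR", "EMPLOYEE_DATA", "SSN"), ("HR", "EMPLOYEE_DATA", "PHONE")]:
        print(f"{role} on {tag}={value}: {effective_mask(SAMPLE_RULES, role, tag, value) or 'NULL'}")
```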