Skip to main content

Manage Tags

Connecting a Snowflake object tag to ALTR automatically enforces ALTR access governance to all columns assigned to that tag. Refer to Column and Tag Connections for more information.

With native masking, tag-based data masking policies run directly inside Snowflake or Databricks, without making API calls to ALTR through the external function. The biggest benefit of native masking over default masking (which uses the external function) is that this local execution improves performance because it does not rely on external calls to ALTR.

Note

For Snowflake: You can choose between native masking or the existing default masking, which uses an external function to call ALTR.

For Databricks: Native masking is built in and used automatically, since external function masking is not supported.

Native Masking versus the External Function

The following chart compares and contrasts data masking using ALTR’s native masking versus the external function. For Snowflake, use this chart to help determine which data masking method is the right fit for your needs.

Native Masking

External Function (Default Masking)

Pros

  • improved query performance

  • more masking options

  • supports real-time policy updates

  • supports near-real-time query audit logs

  • support for detokenization and format-preserving encryption

Cons

  • policy updates may take time to apply

  • no near-time audits

  • no rate limiting / detokenization / decryption

  • reduced query performance

  • fewer masking options

Use cases

  • when performance is critical

  • when your masking rules are stable

  • when you need dynamic policy logic

  • when you need audit logs

  • when you need detokenization and/or format-preserving encryption

To connect a Snowflake object tag to ALTR:

  1. Ensure a data source is connected.

  2. Click Data ConfigurationData Management in the Navigation menu.

  3. Click the Tags tab.

  4. Click Connect Tag.

  5. Select an ALTR Data Source Connected. This can be any data source associated with your Snowflake account where the service user has privileges to access the tag's database.

  6. Select a Tag Database. This is the database where the tag is located and can be different from the data source connection.

  7. Select a Tag Schema. This is the schema within the Tag Database where the tag is located.

  8. Select a Tag Name. This is the name of the tag in Snowflake.

    Note

    If your data doesn't display in the dropdowns, ensure your service user account has privileges to access the data.

  9. (Optional) Turn on the ADVANCED: Enable custom roles switch to use a custom role with this tag. Learn more.

    Note

    In order to change this switch once the tag is connected, disconnect the tag, update the switch and reconnect the tag.

  10. Select an option Which option applies to this tag dropdown. Options are:

    1. Default masking—data access is controlled by ALTR using Snowflake masking policies and external functions. This is the default behavior for connecting Snowflake object tags to ALTR.

    2. Tokenization—data access is and detokenization are controlled by ALTR using Snowflake masking policies and external functions. If this tag is tokenized, ensure all values for this tag are tokenized. Learn more.

    3. Format-preserving encryption—data access and decryption are controlled by Snowflake masking policies and external functions. Ensure the tag has been encrypted in Snowflake. Learn more.

    4. Native masking—Data access is controlled by ALTR using only Snowflake masking policies. Learn more.

  11. (Encryption only) Select the Key, Tweak and Alphabet Type. Learn more.

  12. Click Connect Tag.

    Note

    Once a tag is connected and if new allowed values are added in Snowflake for this object tag, click Refresh Allowed Values to ingest new allowed values to be used when defining ALTR policies.

Tag connection status and other connection details, such as schema information and database, can be viewed directly in ALTR. Viewing the tag connection status helps to identify details for a particular tag, including

  • Snowflake Hostname and Service User Username being used for that tag’s data source connection

  • Tracking ID associated with the job for the most recent operation of the tag. The Tracking ID is useful for communicating with ALTR support if there are issues with the tag connection.

  • Details on any errors associated with failed connections to tags

Note

Tag status can also be viewed using the API. Refer to our API documentation for more information.

To view tag connection status:

  1. Ensure a data source is connected.

  2. Ensure the data source has a connected tag.

  3. Click Data ConfigurationData Management in the Navigation menu.

  4. Click the Tags tab.

  5. Click a tag to view additional details.

Disconnect a tag if you no longer want ALTR to enforce access governance to columns with that tag.

To disconnect a Snowflake object tag:

  1. Select Data ConfigurationData Management in the Navigation menu.

  2. Click the Tags tab.

  3. Select the tag you wish to disconnect.

  4. Click the Disconnect Tag button. The disconnect tag process can take up to several minutes to complete.

Warning

Before force disconnecting a tag, consult ALTR Support.

Force disconnecting tags could have a negative impact on your source system if you do not fully understand your data and this feature.

Force disconnect a tag if you are unable to disconnect the tag as expected. This action removes all masking policies and supporting functions, ignores any errors encountered during the disconnect process and will affect masking policy and integrations. Use great caution with this feature because it cannot be undone.

Reasons to force disconnect tags include

  • Tag no longer exists in your source system.

  • Service user's privileges have been decommissioned.

  • ALTR could not connect to Snowflake.

To force disconnect a tag:

  1. Select Data ConfigurationData ManagementColumns in the Navigation menu.

  2. Select the tag you wish to disconnect.

  3. Click the Disconnect Tag button.

  4. Click the Trouble Disconnecting? link.

  5. Click the Force Disconnect Column button.

  6. Click the Force Disconnect Column button.

  7. Review your source system and clean up any object left behind.