Column Access Policies

ALTR enables users to define governance rules for access to columnar data in Snowflake through Column Access Policies. These policies enable ALTR administrators to define which Snowflake roles can access particular columns, including if they should only be able to access masked data. Column Access Policies can be accessed from the Locks section of ALTR.

How to Define Column Access Policies in ALTR

To create a Column Access Policy in ALTR, navigate to the Column Access Policy tab in the Locks Page. From here, you can click the “Add New” button to create new Column Access Policies. Every Column Access Policy requires:

  1. A name for the Column Access Policy
  2. A list of User Groups (Snowflake Roles) that will have access to columns
  3. A list of columns and associated masking policies to define what level of access those User Groups have to the specified columns

Note: If a Role is not included in any Column Access Policy for a column, any query against that column made under that Role will return NULL values.

Note: If a Role is included in more than one policy for a particular column, ALTR resolves the conflict by giving the Role the more permissive level of access to that column.

Column vs Tag-Based Access Policies

Instead of specifying individual columns, Enterprise ALTR users can define Column Access Policies on Data Tags. When a policy is created on a Data Tag, ALTR automatically applies that policy for all connected columns associated with that Data Tag. This enables users to create a few policies that affect many columns, instead of having to regularly specify every column individually.

Note: After a column is tagged by a Google DLP Classification or Snowflake Object Tag import, it must still be connected to ALTR before it is governed by a tag-based Column Access Policy.

What Happens when I Create a Column Access Policy in ALTR?

When a Column Access Policy is created, ALTR’s governance engine creates new rules dictating which Snowflake Roles can access the column. Whenever a connected column is queried in Snowflake, the Dynamic Data Masking Policy in Snowflake calls out to ALTR’s governance engine to determine whether or not the role of the querying user can access the columns in the query. ALTR will instruct Snowflake to either allow the query to proceed uninterrupted (if the role is assigned “no mask” for a column), to proceed but substitute the values in sensitive columns (if the role is assigned a masking strategy for the column), or to replace the column’s values with NULL (if the role is not included in any Column Access Policies for the affected columns).

Masking Strategies for Column Access Policies

ALTR enables administrators to set a variety of access levels for particular columns through Masking Strategies - where an affected query returns masked values for governed columns instead of the raw values or NULLs. ALTR offers a variety of type-specific masking strategies, including:

  • No Mask: users can see the data in cleartext. This is available to all data types.
  • Last4: users can only access the last four characters of data. This is only available for Strings.
  • Email mask: users can only access the data to the right of the @ sign. This is only available for Strings.
  • Full Mask: users can only see the length of data. This is only available for Strings.
  • Constant Mask: data is replaced with a static value; no useful information is returned. This is available for Strings, Numbers, and Datetimes.

What happens if I create conflicting Column Access Policies?

If conflicting Column Access Policies are created in ALTR (that is, a single Role is assigned more than one masking policy for a particular column), ALTR resolves the conflict by granting the Role the most permissive masking policy. This is particularly likely for tag-based Column Access Policies, because a column may be associated with more than one Data Tag.

Example: If one policy grants ACCOUNTADMIN access to column_phone with a full mask, and another policy grants ACCOUNTADMIN access to column_phone with no mask, whenever a user queries column_phone as the ACCOUNTADMIN role, they will be able to access the raw values.

The hierarchy of masking policies is, from most permissive to least permissive,

  1. No Mask
  2. Last4
  3. Email
  4. Full Mask
  5. Constant Mask
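The resolution rule described in this section and in the “What Happens when I Create a Column Access Policy” section, worked through in code. This is an added example, not ALTR’s own code: the policy and tag data structures, the mapping of tags to connected columns, and the exact masked output strings are assumptions made for illustration.

```python
# Added example (not ALTR's code): models the "most permissive policy wins"
# rule from the page. Policy shapes and masked outputs are assumptions.
from typing import Optional

# Hierarchy from the page, most permissive first.
HIERARCHY = ["No Mask", "Last4", "Email", "Full Mask", "Constant Mask"]

# Constructed sample policies: the roles each covers and, per column or
# per Data Tag, the masking strategy those roles receive.
POLICIES = [
    {"roles": {"ACCOUNTADMIN", "ANALYST"}, "columns": {"column_phone": "Full Mask"}},
    {"roles": {"ACCOUNTADMIN"}, "columns": {"column_phone": "No Mask"}},
    {"roles": {"ANALYST"}, "tags": {"PII": "Email"}},
]
# Constructed tag-to-column mapping; only *connected* columns belong here,
# since unconnected tagged columns are not governed.
TAGGED_COLUMNS = {"PII": {"column_email", "column_phone"}}


def effective_strategy(role: str, column: str) -> Optional[str]:
    """Most permissive strategy any policy grants `role` on `column`,
    or None when no policy covers the role (the query returns NULL)."""
    granted = []
    for policy in POLICIES:
        if role not in policy["roles"]:
            continue
        granted += [s for c, s in policy.get("columns", {}).items() if c == column]
        granted += [s for tag, s in policy.get("tags", {}).items()
                    if column in TAGGED_COLUMNS.get(tag, ())]
    if not granted:
        return None
    return min(granted, key=HIERARCHY.index)   # lowest index = most permissive


def apply_mask(strategy: Optional[str], value: str) -> Optional[str]:
    """Illustrative String masks; ALTR's real masked output is an assumption."""
    if strategy is None:
        return None                             # role in no policy -> NULL
    if strategy == "No Mask":
        return value
    if strategy == "Last4":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    if strategy == "Email":
        return "*****@" + value.split("@", 1)[1] if "@" in value else "*" * len(value)
    if strategy == "Full Mask":
        return "*" * len(value)                 # only the length survives
    return "<MASKED>"                           # Constant Mask: static value
```

Note that ANALYST gets the Email mask on column_phone even though a column-level policy assigns Full Mask, because the tag-based policy on PII is more permissive.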

Troubleshooting and FAQ

  1. I’m trying to create a column access policy, but the column I want to govern isn’t in the dropdown.
    Columns must be connected to ALTR before they can be included in Column Access Policies. Connect any sensitive columns before defining Column Access Policies.
  2. I created a tag-based column access policy, but the columns aren’t being governed in Snowflake.
    Even for tag-based Column Access Policies, columns are only affected if they are connected to ALTR. Connect any sensitive columns before defining Column Access Policies.