ALTR enables users to define governance rules for access to columnar data in Snowflake through Column Access Policies. These policies enable ALTR administrators to define which Snowflake roles can access particular columns, including if they should only be able to access masked data. Column Access Policies can be accessed from the Locks section of ALTR.
To create a Column Access Policy in ALTR, navigate to the Column Access Policy tab in the Locks Page. From here, you can click the “Add New” button to create new Column Access Policies. Every Column Access Policy requires:
Note: If a Role is not included in a Column Access Policy, any query against that column will return NULL values
Note: If a Role is included in more than one policy for a particular column, ALTR resolves the conflict by giving the Role whichever access level is more permissive for that column.
Instead of specifying individual columns, Enterprise ALTR users can define Column Access Policies on Data Tags. When a policy is created on a Data Tag, ALTR automatically applies that policy for all connected columns associated with that Data Tag. This enables users to create a few policies that affect many columns, instead of having to regularly specify every column individually.
Note: After a column is tagged by a Google DLP Classification or Snowflake Object Tag import, it must still be connected to ALTR before it is governed by a tag-based Column Access Policy.
When a Column Access Policy is created, ALTR’s governance engine creates new rules dictating which Snowflake Roles can access the column. Whenever a connected column is queried in Snowflake, the Dynamic Data Masking Policy in Snowflake calls out to ALTR’s governance engine to determine whether the role of the querying user can access the columns in the query. ALTR will instruct Snowflake to either allow the query to proceed uninterrupted (if the role is assigned “no mask” for a column), to proceed but substitute the values in sensitive columns (if the role is assigned a masking strategy for the column), or to replace the column’s values with NULL (if the role is not included in any Column Access Policies for the affected columns).
ALTR enables administrators to set a variety of access levels for particular columns through Masking Strategies, where an affected query returns masked values for governed columns instead of the raw values or NULLs. ALTR offers a variety of type-specific masking strategies, including:
If conflicting Column Access Policies are created in ALTR, where a single Role is assigned more than one masking policy for a particular column, ALTR resolves the conflict by granting the Role the most permissive masking policy. This is particularly likely for tag-based Column Access Policies, because columns may be associated with more than one Data Tag.
Example: If one policy grants ACCOUNTADMIN access to column_phone with a full mask, and another policy grants ACCOUNTADMIN access to column_phone with no mask, whenever a user queries column_phone as the ACCOUNTADMIN role, they will be able to access the raw values.
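The following Python model is an added illustration of the resolution behaviour described above (column-scoped and tag-scoped policies, the connection requirement for tag-based policies, NULL for roles in no policy, and most-permissive-wins on conflict); it is not ALTR's code and does not call ALTR's or Snowflake's APIs. The policy names, the "partial mask" strategy, the relative ranking of the masking strategies, the masked output shapes, and the "ungoverned" outcome for unconnected columns are all assumptions made for the example; only "no mask", "full mask", NULL, `column_phone` and `ACCOUNTADMIN` come from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NO_MASK = "no mask"    # access level named on the page
NULL_RESULT = "NULL"   # outcome for a role that appears in no policy for the column

# Rank per access level, lower = more permissive. "no mask" on top and NULL at
# the bottom follow the page; the order between named masking strategies and
# the "partial mask" name are assumptions for this example.
PERMISSIVENESS: Dict[str, int] = {NO_MASK: 0, "partial mask": 1, "full mask": 2}


@dataclass
class ColumnAccessPolicy:
    name: str
    role_access: Dict[str, str]                        # Snowflake role -> access level
    columns: List[str] = field(default_factory=list)   # explicitly named columns
    data_tags: List[str] = field(default_factory=list) # Enterprise tag-based scope


@dataclass
class GovernedColumn:
    name: str
    tags: List[str] = field(default_factory=list)
    connected: bool = True  # tag-based policies apply only once the column is connected


def policies_for_column(column: GovernedColumn,
                        policies: List[ColumnAccessPolicy]) -> List[ColumnAccessPolicy]:
    """Policies governing this column: by explicit name, or by a shared Data Tag if connected."""
    matched = []
    for policy in policies:
        by_name = column.name in policy.columns
        by_tag = column.connected and any(t in policy.data_tags for t in column.tags)
        if by_name or by_tag:
            matched.append(policy)
    return matched


def resolve_access(role: str, column: GovernedColumn,
                   policies: List[ColumnAccessPolicy]) -> Tuple[str, Optional[str]]:
    """Return (access level, winning policy name). Conflicts go to the most permissive level."""
    candidates = []
    for policy in policies_for_column(column, policies):
        level = policy.role_access.get(role)
        if level is not None:
            candidates.append((PERMISSIVENESS[level], level, policy.name))
    if not candidates:
        return NULL_RESULT, None   # role in no policy for this column -> NULL values
    _, level, winner = min(candidates)
    return level, winner


def apply_level(level: str, value: str) -> Optional[str]:
    """Illustrative masked output shapes (assumed; ALTR's real strategies are type-specific)."""
    if level == NO_MASK:
        return value
    if level == "partial mask":
        return "*" * (len(value) - 4) + value[-4:]
    if level == "full mask":
        return "*" * len(value)
    return None  # NULL_RESULT


def evaluate_query(role: str, requested: List[str], catalog: Dict[str, GovernedColumn],
                   policies: List[ColumnAccessPolicy]) -> Dict[str, str]:
    """Access level per requested column; unconnected columns are reported as 'ungoverned' (assumed)."""
    outcome = {}
    for name in requested:
        column = catalog[name]
        if not column.connected:
            outcome[name] = "ungoverned"
            continue
        outcome[name], _ = resolve_access(role, column, policies)
    return outcome


# Constructed sample data reproducing the page's ACCOUNTADMIN / column_phone conflict.
SAMPLE_POLICIES = [
    ColumnAccessPolicy("phone-masked", {"ACCOUNTADMIN": "full mask", "ANALYST": "partial mask"},
                       columns=["column_phone"]),
    ColumnAccessPolicy("pii-tag-open", {"ACCOUNTADMIN": NO_MASK}, data_tags=["PII"]),
]
SAMPLE_COLUMNS = {
    "column_phone": GovernedColumn("column_phone", tags=["PII"]),
    "column_email": GovernedColumn("column_email", tags=["PII"]),
    "column_ssn": GovernedColumn("column_ssn", tags=["PII"], connected=False),
}

if __name__ == "__main__":
    for role in ("ACCOUNTADMIN", "ANALYST"):
        print(role, evaluate_query(role, list(SAMPLE_COLUMNS), SAMPLE_COLUMNS, SAMPLE_POLICIES))
```

Running the module shows ACCOUNTADMIN receiving raw values for `column_phone` because the tag-based "no mask" grant outranks the column-scoped "full mask" grant, while ANALYST, who is in no policy covering `column_email`, gets NULL for it.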
The hierarchy of masking policies is, from most permissive to least permissive,