Skip to main content

Row-Level Access Policy

Row-level access policy allows you to filter rows from query results based on column values in order to control who has access to sensitive data.

When a row-level policy is created in ALTR, it is also created in your Snowflake account.

Create Row Policy

To create a row policy:

  1. Select Policy in the Navigation menu.

  2. Click Create Policy.

  3. Locate the Row Policy card and click Create Policy.

  4. Enter a Policy Name. This is a friendly name to identify the policy.

  5. Select a Database, Schema and Table where the policy is applied.

  6. Select a Reference Column, which contains values that are used to establish a relationship between the roles defined in the policy and the rows they can access. This relationship determines which rows are visible to which roles based on the values in the reference column. This value must be a string or a number.

    Note

    If your data doesn't display in the dropdowns, ensure your service user account has privileges to access the data.

  7. Click Next.

  8. Create the policy rule statement by selecting the following options:

    1. Role that the policy affects, which is an ALTR user group. Learn more.

      Note

      Any roles not included in the policy receive NULL values when querying data protected by ALTR.

    2. Value that the role can access. If the Reference Column does not contain the value, the row is filtered out from the user’s query results.

  9. (Optional) Click + Rule Statement to add additional rules for this policy.

  10. Click Save.

Delete Row Policy

When deleting row-level policy from ALTR, rows from query results based on column values will no longer be restricted to the assigned roles. The policy is deleted from ALTR and from your Snowflake account.

To delete a row policy:

  1. Select Policy in the Navigation menu.

  2. Click the row policy you wish to delete.

  3. Click Edit Policy.

  4. Click Delete Policy; the Delete row policy modal displays.

  5. Click Delete Policy to confirm.

Force Delete Row Policy

Warning

Before force deleting a row-level policy, consult ALTR Support.

Force disconnecting row-level policy could have a negative impact on your source system if you do not fully understand your data and this feature.

Force disconnect a row-level policy if you are unable to disconnect the policy as expected. This action deletes the policy and supporting functions from ALTR and Snowflake, ignores any errors encountered during the delete process. Use great caution with this feature because it cannot be undone.

Reasons to force delete a row policy include

  • Policy no longer exists in your source system.

  • Service user's privileges have been decommissioned.

  • ALTR could not connect to Snowflake.

To force delete a row-access policy:

  1. Select Policy in the Navigation menu.

  2. Click the row policy you wish to delete.

  3. Click Edit Policy.

  4. Click Delete Policy; the Delete row policy modal displays.

  5. Click the Trouble deleting? link.

  6. Click Force Delete Column.

  7. Review your source system and clean up any object left behind.

In this section: