Row Access Policy is an ALTR governance tool that allows you to restrict access to individual rows within a table to particular roles. This policy is particularly useful when particular groups of users are only authorized to access subsets of data, such as limiting access on a table of payments data based on the country the data originated from. Row Access Policy acts as a conditional WHERE clause on tables, filtering the rows displayed onto those that a user is authorized to see.
ALTR supports Row Access Policy on Snowflake tables where access needs to be restricted based on the value of a column within that table, which we refer to as the “reference column”. For instance, if you wish to restrict access based on the country data originated from, then you might use COUNTRY_CODE as your reference column. ALTR’s Snowflake Row Access Policies enable you to specify what values within the reference column can be accessed by particular Snowflake roles.
ALTR provides a no-code integration with Snowflake’s native Row Access Policy feature, empowering you to take advantage of powerful governance controls without having to write SnowSQL. When defining row access policies in ALTR, you specify:
Once you define a Row Access Policy in ALTR, then we attempt to insert it into your Snowflake Account for the specified table. Users querying that table will only be returned rows where a mapping exists for their role to specified reference column values. If a user group is not specified in the Row Access Policy, then they will not be able to access any rows in the table.
Row Access Policies are an Enterprise feature and is currently in preview. If you are an Enterprise ALTR user and would like us to enable this feature for your account, then reach out to email@example.com.
Row Access Policies can be accessed on the “Row Access” section of the Locks page.
To create a Row Access Policy, select Add New. This will enable you to specify the table the Row Access Policy will apply to and the reference column that will control access.
Next, you can specify the mappings between User Groups (Snowflake Roles) and column values. When querying data on the table, users using the specified Snowflake Role will only be able to access rows where one of these values matches the value of the Reference Column.
Now, all that’s left is to review your policy and give it a name. This name will be displayed in ALTR to reference the Row Access Policy.
Once you click on Submit, then ALTR will attempt to insert the row access policy into Snowflake. It may take several seconds for this policy to be inserted and active in Snowflake.
Question 1. Can I assign multiple Row Access Policies to the same table?
To avoid the potential of conflicting rules between different Row Access Policies, Snowflake allows for only one Row Access Policy per table.
Question 2. Can I create a Column-Based Access Policy on a Row Access Policy’s Reference Column?
Snowflake does not allow for a Row Access Policy to reference a column with a Dynamic Data Masking policy assigned to it. Because of this, the Reference Column for a Row Access Policy cannot be connected, “governed”, in ALTR.
Question 3. What columns can be a “reference column” for a Row Access Policy in ALTR?
A reference column can be any String column that is not connected, “governed” in ALTR.
Question 4. What happens if I create a Row Access Policy directly in Snowflake?
ALTR will not interfere with any Row Access Policies you create directly in Snowflake; however, you will not be able to view, edit, or remove any manually-created Row Access Policies in ALTR.
If you encounter any issues with ALTR's Snowflake Row Access Policies that you can’t resolve, then please reach out to firstname.lastname@example.org.