Getting Started with ALTR & Snowflake
Configure ALTR's Snowflake Service User
Connect Snowflake Databases
Connect Columns to ALTR
Creating Policy & Manage Data
Classification
Analytics
Column Access Policies
Views
Thresholds
Row Access Policy
Audit Logs
Settings
Tokenization
Tag-Based Data Masking
Tokenization API
Management API
ALTR Driver JDBC Installation
ALTR Driver ODBC Installation
Configure Tableau to Gain User Level Observability
Integrating ALTR Notifications with AWS S3
TDS Proxy Installation
CDM Installation
Custom Masking and Extensibility Functions
Bring Your Own Key for Tokenization
Open-Source Integrations
Tag-based dynamic data masking is a method of creating a policy that allows you to connect a Snowflake object tag (instead of a column) to ALTR. Through this Snowflake integration, ALTR will be in the critical path of any query that accesses a column associated with your Snowflake object tag. This governance works even if the schema information of the column changes, the column is cloned, or if the column exists in a database that's not connected to ALTR.
Tag-based dynamic data masking enables your business to more easily scale data governance across your entire organization. Governing data with tag-based masking involves simply assigning a tag to the data in Snowflake. This can be done through a single SnowSQL command via Snowflake’s governance UI and can be automated in third-party tools such as our data cataloguing partner, Alation, as well as ETL providers like our partner, Matillion.
Tag-based masking also makes it much easier for ALTR admins to distribute responsibility for 1)properly identifying sensitive data and 2)assigning access controls to individual data owners/stewards that align with the Data Mesh Architecture for managing cloud data warehouses at scale.
This section provides recommendations to help you configure your Snowflake object tag successfully.
Number of object tags to use per Snowflake account
Database
Note: Do not remove an existing ALTR_DSAAS_DB if it already exists.
Values
This early version of our release that's integrating with Snowflake's tag-based data masking feature includes the following capabilities:
Note: Query audits (which isn't available in our UI yet) will now contain new information in the AWS S3 bucket such as what tags were accessed by a query, what warehouse was used to execute the query, and which Snowflake account and region the query was executed in. For details, visit Integrating ALTR Notifications with AWS S3.
These suggestions provide guidance for implementing tag-based data masking as part of your data governance strategy.
<div class="code-snippet-container"><a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a><div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown"><div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0"><div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div><div class="text-block show-snippet">View code snippet</div><div class="text-block close-snippet">Close code snippet</div></div> <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1"><div class="code-snippet w-richtext" id="code-1"><!--Set language as class--><pre><code fs-copyclip-element="copy-this" class="language-sql"><!--insert code here-->CREATE DATABASE IF NOT EXISTS ALTR_DSAAS_DB;
USE DATABASE ALTR_DSAAS;
CREATE SCHEMA IF NOT EXISTS TAG_SCHEMA;
USE SCHEMA ALTR_TAG_SCHEMA;
CREATE TAG ACCESS_CONTROL_LEVEL
allowed_values 'AUDIT', GREEN', 'YELLOW', 'RED';<!--stop inserting code--></code></pre></div></nav></div></div>
<div class="code-snippet-container">
<a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-1" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
<div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
<div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
<div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
<div class="text-block show-snippet">View code snippet</div>
<div class="text-block close-snippet">Close code snippet</div>
</div>
<nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
<div class="code-snippet w-richtext" id="code-1">
<!--Set language as class-->
<pre><code fs-copyclip-element="copy-this-1" class="language-sql">ALTER TABLE <database>.<schema>.<table>
MODIFY COLUMN <column>
SET TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL = 'RED';</code></pre>
</div>
</nav>
</div>
</div>
<div class="code-snippet-container">
<a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-2" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
<div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
<div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
<div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
<div class="text-block show-snippet">View code snippet</div>
<div class="text-block close-snippet">Close code snippet</div>
</div>
<nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
<div class="code-snippet w-richtext" id="code-1">
<!--Set language as class-->
<pre><code fs-copyclip-element="copy-this-2" class="language-sql">ALTER TABLE <database>.<schema>.<table>
MODIFY COLUMN <column>
UNSET TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL;</code></pre>
</div>
</nav>
</div>
</div>
<div class="tip-component"><img src="https://assets.website-files.com/6168874b33b7804322d78118/6450264c370288e48bb9659e_icon-tip-outline.svg" loading="lazy" alt="" class="component-icon"><div class="tip-text"><p>Assigning a tag to a table (or schema, or database) will associate that tag with every single column within that table. This will generate query audits and apply masking rules to every column within that schema object.</p><p>If you apply different tag values to both a table and a column within that table, Snowflake will execute the policy against the <em>more specific</em> schema object - in this case, the column.</p></div></div>
<div class="code-snippet-container">
<a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-3" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
<div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
<div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
<div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
<div class="text-block show-snippet">View code snippet</div>
<div class="text-block close-snippet">Close code snippet</div>
</div>
<nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
<div class="code-snippet w-richtext" id="code-1">
<!--Set language as class-->
<pre><code fs-copyclip-element="copy-this-3" class="language-sql">ALTER TABLE <database>.<schema>.<table>
ALTER TABLE <whatevertableyouwant>
SET TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL = 'RED';</code></pre>
</div>
</nav>
</div>
</div>
<div class="tip-component"><img src="https://assets.website-files.com/6168874b33b7804322d78118/6450264c370288e48bb9659e_icon-tip-outline.svg" loading="lazy" alt="" class="component-icon"><div class="tip-text"><p>Reach out to product to learn how to get new allowable values imported to ALTR to use in locks. This process is not straightforward in the MVP.</p><p>Essentially, you will need to assign the new values to columns in a connected database and then run a snowflake tag import against that database.</p></div></div>
<div class="code-snippet-container">
<a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-4" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
<div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
<div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
<div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
<div class="text-block show-snippet">View code snippet</div>
<div class="text-block close-snippet">Close code snippet</div>
</div>
<nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
<div class="code-snippet w-richtext" id="code-1">
<!--Set language as class-->
<pre><code fs-copyclip-element="copy-this-4" class="language-sql">ALTER TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL
ADD allowed_values 'ORANGE';
ALTER TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL
DROP allowed_values 'ORANGE';</code></pre>
</div>
</nav>
</div>
</div>
<div class="code-snippet-container">
<a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-5" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
<div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
<div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
<div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
<div class="text-block show-snippet">View code snippet</div>
<div class="text-block close-snippet">Close code snippet</div>
</div>
<nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
<div class="code-snippet w-richtext" id="code-1">
<!--Set language as class-->
<pre><code fs-copyclip-element="copy-this-5" class="language-sql">PUT https://api.preview.altr.com/v1/tag/masking
{
"database_id": 528,
"database_name": "ALTR_DSAAS_DB",
"friendly_name": "carl_test_tag_1_20230816",
"masking": {
"mask_data_type_list": [
"VARCHAR",
"NUMBER"
]
},
"schema_name": "CARL_TAG_SCHEMA",
"tag_name": "CARL_POLICY_TAG_1"
}</code></pre>
</div>
</nav>
</div>
</div>
You must be a subscriber of our Enterprise Plus plan to leverage this feature. Once you've moved to this tier plan, then the ability to connect a Snowflake object tag to ALTR for governance is gated behind an entitlement - “feat_tagmasking”. This entitlement is enabled by default for all Enterprise Plus customers and can be manually enabled for relevant non-Enterprise Plus customers by sending a Change Request to support@altr.com
Once the entitlement is enabled, then you can connect a tag using the PUT endpoint. For details, visit Tag Masking API
NOTE: You must have at least one healthy connected database to use this endpoint and the service user for that connection needs to be permissioned to access the database where the Snowflake object tag is located.
Once a tag is connected to ALTR, then any queries against tagged data will automatically start generating query audits. You can also create locks and thresholds against values of that tag to dictate access policy.
For details about our Enterprise Plus plan visit ALTR Pricing.
Follow the steps below to migrate from column-based to tag-based masking policies.
...
Access
Q. How can our organization access tag-based dynamic data masking?
A. The entitlement “feat_tagmasking” is available in the MVP by default to all organizations who are subscribers of our Enterprise Plus plan. It can also be made available to non-Enterprise Plus subscribers by submitting a Change Request to support@altr.com
Connectivity
Q. How do you connect a Snowflake object tag to ALTR?
A. Connecting a Snowflake object tag to ALTR is only available by using the PUT tag masking endpoint.
Data
Q. What types of data does ALTR support with tag-based masking?
A. ALTR supports the same data for tag-based masking as it does for column-based masking except variant and geometry.
Q. Can allowable values be added or removed from a Snowflake object tag after I've created it?
A. Yes. However, you'll need tag data with the new values and run a tag import against it for ALTR to pick on any new allowable values for the tag. We intend to build an easier way to refresh the allowable values list in the future.