Thresholds
Thresholds are extensions of Column Access Policies that enable ALTR Administrators to set limits and trigger alerts on data access, such as limiting the number of values a user can access or limiting the times in which users can run queries against sensitive data.
Thresholds in ALTR
Thresholds are one of ALTR's tools for controlling access to sensitive data. Thresholds set limits on to what extent a user or application can access data, such as limiting the amount of data that can be accessed or limiting access to particular times. Thresholds can be configured either trigger an alert or to block access to all sensitive data for the offending user or application. Every Threshold Includes:
A name for the threshold (cosmetic).
An Action to be taken when the threshold is triggered
Trigger alert will trigger an in-ALTR alert
Block will trigger an alert and block all access to ALTR-protected columnar data for the offending user or application.
Rules to dictate when the threshold is triggered
Access Rate will trigger based on how many records a user or application accesses.
Time Window will trigger based on the time of day or day of the week
The Locks (Column Access Policies) affected by the threshold. The threshold will automatically apply to any columnar data protected by these policies.
The User Groups (typically Roles) affected by the threshold. The threshold will only apply to User Groups specified in the threshold.
(Optional) The ALR Applications affected by the threshold. If this is set to Snowflake Cloud Integration, all access to sensitive data will be blocked to a customer Snowflake Account if the threshold is triggered.
When a threshold is created, it immediately begins controlling access to sensitive data. Thresholds can be toggled on and off in ALTR. A threshold will not trigger an alert if it is turned off, though if a user or application has already triggered a blocking threshold, their data access will continue to be blocked even if the threshold is deactivated. An ALTR administrator must resolve the alert for access to be restored.
Creating Thresholds in ALTR
Thresholds can be access in the Threshold page of ALTR's Policy UI, → . To create a threshold:
Click the button.
Enter a name for the threshold.
Select the action to be taken if the threshold is triggered.
Select the rules to dictate when the threshold is triggered.
Select the locks (Column Access Policies) that the threshold applies to. The threshold will affect access to any data (columns or tags) that are defined in the indicated policies.
Select the User Groups (typically Role) that the threshold applies to. The threshold will only affect the specific user groups defined in the threshold.
If present, do NOT specify an application in the threshold. This field is optional and should only be when the thresholds should cut off access to everyone in a Snowflake account.
Click the button.
Once a threshold is created, it immediately begins controlling access to the indicated sensitive data.
Triggering Thresholds
When a threshold is triggered, an alert is triggered in ALTR. Alerts are accessible in ALTR's UI on the Alerts page.
If the Threshold is configured to block access, the user who triggered the threshold will no longer be able to query any sensitive columns connected to ALTR. All queries against columns protected by ALTR will return NULL until an ALTR administrator resolves the alert.
If a Threshold is configured to only triggered an alert the user will be able to continue querying sensitive data.
Once an alert is triggered, an admin in ALTR can resolve it in the Alerts page. The Alerts page enables ALTR administrators to see all active and resolved alerts including which user triggered the alert, when the alert was triggered, and what the Threshold rule was that triggered the alert. Administrators can resolve an alert by clicking the button and leaving an optional comment. If the alert was blocking user access, access will be restored once the alert is resolved.
Access Rate Enforcement in Snowflake
ALTR leverages multiple mechanisms to determine how much data will be, or was, accessed by a query in Snowflake. Because of the limitations of predicting a query's result set size, ALTR may not be able to trigger a threshold until after the query complete and the threshold rule is violated.
Snowflake’s Dynamic Data Masking Policies invoke ALTR’s governance engine on every query on connected columns, but before result sets are determined. Because of this, thresholds may occur at two different time: before the query executes, and after ALTR obtains metadata on the query result.
If ALTR is unable to predict the query result size or incorrectly predicts the query result size, the threshold will still be triggered and an alert will be triggered once ALTR obtains information on the true size of the result set. This is typically in line with when ALTR generates a query audit log for the affected query. If the threshold is configured to block access, any future queries from that user will have their access blocked by ALTR.
When ALTR is first invoked by a masking policy, ALTR attempts to predict the size of the result set based on a variety of factors including the query itself and the data being accessed. If ALTR is able to predict the query result set size, it will trigger a threshold before the query executes and (if the threshold is configured to block access) prevent the user from accessing the data.
Note
Snowflake occasionally executes dynamic data masking policies multiple times for a single query. Because of this, a threshold may be triggered in the middle of query execution. If a threshold configured to block access is triggered mid-query, a user may see results where some data is blocked but other data is returned.