Manage Columns

Connecting a column to ALTR enables you to enforce data access governance and advanced data security on that column. Connected columns are managed on the Data Configuration > Data Management > Columns page.

Use this page to

  • Connect columns to ALTR

  • Disconnect columns from ALTR

  • Update metadata about columns connected to ALTR

  • View a list of columns connected to ALTR

  • Indicate columns that contain tokens

  • Indicate columns that are encrypted

A column that is connected to ALTR invokes ALTR's cloud-based access control when it is queried. This process enables ALTR to apply data access rules on the column, enforce detokenization policy, and monitor and log access to the column. Refer to ALTR's Integration Documentation for details on how this manifests for different data sources.

To connect a column:

  1. Click Data Configuration > Data Management in the Navigation menu.

  2. Click the Columns tab.

  3. Click Connect Column.

  4. Select the Data Source the column resides in.

  5. Determine if you are connecting the column from a table or a view. By default, columns are connected from a table. Click the Views tab to connect from a view. Learn more.

  6. Select the Schema.

  7. Select the Table or View the column resides in.

    Note

    If using a view, read our documentation for important notes.

  8. Select the Column.

  9. Enter a Name for the column.

  10. For Do you have encryption or tokenization applied to this column?, select

    1. No, if this column is not tokenized or encrypted and continue to the next step.

    2. Yes, if this column is tokenized or encrypted.

      Note

      If this column is tokenized, ensure all values for this column are tokenized and select Tokenization from the Advanced Data Protection dropdown. Learn more.

      If this column is encrypted, ensure the column has been encrypted in Snowflake and select Format-Preserving Encryption from the Advanced Data Protection dropdown. Select the Key, Tweak and Alphabet Type. Learn more.

  11. Click Connect Column.

ALTR supports connecting columns from Snowflake views, allowing you to apply column access policies and masking rules, just like with tables. Views can be useful when you want to work with combined or filtered data.

Connecting columns in a view works the same way as with tables—just select the view instead. Learn more.

Note

Ensure the ALTR service user has the necessary privileges to access and control data in the view. You can grant these by running the ALTR stored procedure. Learn more.

When connecting columns from a view, you can:

  • Identify and connect columns in Snowflake views to ALTR

  • Apply column-level access policies and masking rules

The following features are not supported when using views:

  • Row access policies

  • Data classification

  • Importing historical consumption data

Be careful when applying access control policies to both a view and its underlying table. Snowflake enforces each policy independently, which can result in nested policies. This can make access behavior harder to understand and maintain—especially if the policies aren't consistent.

To keep things simple, ALTR recommends applying access control to either the table or the view, but not both.

Also note:

  • A view can reference both base tables and other views.

  • This can create deeply nested views, each with separate policies applied at different levels.

Example Scenario

Governance rules applied to a base table execute before those on views. For example, let's use a situation where there are rules designed to prevent the role ANALYST from accessing plain text email addresses. Imagine that there's a table CUSTOMERS that includes a column of email addresses and a view CUSTOMERS_VIEW that is defined as "SELECT * FROM CUSTOMERS". You use ALTR to apply different masking rules to the table and the view.

In the table, the ANALYST role is configured to access the email column with a Last4 mask. In the view, the ANALYST role is configured to access the email column with an email mask. If a user with the ANALYST role queries the data through the view, they will see only asterisks for the email column. This occurs because the Last4 mask executes first, replacing all of the email addresses with "***.com", "***.net", and so on. Next, the email mask from the view applies and, when it cannot find an at sign (@) to indicate where the domain begins, replaces all characters in every email with an asterisk.
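The scenario above, modeled as an added example (not ALTR's code). The two mask functions are assumptions inferred from the description, and the policy inventory and view lineage are constructed sample data. It shows the table mask running before the view mask, and flags columns that are masked at both levels.

```python
# Added illustration. The mask functions are assumptions inferred from the
# scenario text, not ALTR's implementation; inventory and lineage are constructed.

def last4_mask(value):
    """Keep the last four characters and replace the rest with asterisks."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def email_mask(value):
    """Mask the local part and keep '@domain'; with no '@', mask everything."""
    local, at, domain = value.partition("@")
    if not at:
        return "*" * len(value)
    return "*" * len(local) + at + domain

# Constructed policy inventory: (object, column, role) -> mask function.
POLICIES = {
    ("CUSTOMERS", "EMAIL", "ANALYST"): last4_mask,
    ("CUSTOMERS_VIEW", "EMAIL", "ANALYST"): email_mask,
}
# Constructed lineage: view -> the object it selects from (single source only).
VIEW_SOURCES = {"CUSTOMERS_VIEW": "CUSTOMERS"}

def lineage(obj):
    """Return [base table, ..., obj]; policies run from the base outward."""
    chain = [obj]
    while chain[-1] in VIEW_SOURCES:
        chain.append(VIEW_SOURCES[chain[-1]])
    return chain[::-1]

def query(obj, column, role, raw):
    """Apply each policy found along the lineage, base table first."""
    for level in lineage(obj):
        mask = POLICIES.get((level, column, role))
        if mask:
            raw = mask(raw)
    return raw

def doubly_governed(column, role):
    """List views whose column is masked at more than one lineage level."""
    flagged = []
    for view in VIEW_SOURCES:
        levels = [l for l in lineage(view) if (l, column, role) in POLICIES]
        if len(levels) > 1:
            flagged.append((view, levels))
    return flagged

if __name__ == "__main__":
    print(query("CUSTOMERS", "EMAIL", "ANALYST", "alice@example.com"))
    print(query("CUSTOMERS_VIEW", "EMAIL", "ANALYST", "alice@example.com"))
    print(doubly_governed("EMAIL", "ANALYST"))
```

Running `doubly_governed` over an export of connected columns before adding a view-level rule surfaces the overlap that the recommendation to govern either the table or the view, but not both, is meant to avoid.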

In Snowflake, views inherit policies from their underlying tables. That means any masking or row access policies applied to a table also apply when querying data through a view.

To simplify policy management, it’s usually best to connect and apply rules to tables—then use views to access the data. This avoids duplicating policies across multiple objects.

Use Cases for Creating Policies on Views

Use Case 1) Databases created from Snowflake Shares where Snowflake limits the application of masking policies

To govern data within a share, you can create a separate database with views that select from the shared database. You can then leverage ALTR to govern access to these views while preventing users from querying the share database directly.

Use Case 2) Materialized Views

Snowflake does not allow materialized views to select from base tables that include Dynamic Data Masking Policies or Row Access Policies. In this scenario, you can leverage ALTR to directly govern the materialized view while preventing users from querying the share database directly.

Use Case 3) Organizations that require different access rules for the same data within a Snowflake account or database

If your organization has a data consumption paradigm that involves a single role having different access to a dataset based on what view it is selecting, then this can be accomplished by using ALTR to govern the view directly.

To disconnect a column:

  1. Select Data Configuration > Data Management > Columns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

Warning

Before force disconnecting a column, consult ALTR Support.

Force disconnecting columns could have a negative impact on your source system if you do not fully understand your data and this feature.

Force disconnect a column if you are unable to disconnect the column as expected. This action ignores any errors encountered during the disconnect process. Use great caution with this feature because it cannot be undone.

Reasons to force disconnect columns include:

  • Column no longer exists in your source system

  • Service user's privileges have been decommissioned

  • ALTR could not connect to Snowflake

To force disconnect a column:

  1. Select Data Configuration > Data Management > Columns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

  4. Click the Trouble Disconnecting? link.

  5. Click the Force Disconnect Column button.

  6. Click the Force Disconnect Column button.

  7. Review your source system and clean up any objects left behind.