
When creating a tag-based policy, there are two ways to apply masking:

  1. Tag name and value: Applies the masking policy to the tag name-value pair, which enables you to set different policies on different tag values.
    • Use: Set up specific, complex or granular policies.
    • Example: Let’s say you have two different kinds of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. You can then set a different policy on phone numbers with no mask that grants access to anyone in the company.
  2. Tag name: Applies the masking policy to only the tag name so access is the same for all values associated with the tag.
    • Use: Control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag.
    • Example: Set a policy to mask all salary data and grant access to only the chief financial officer. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.

When creating a tag policy on Databricks, all data types except for VARCHAR are supported. Tag policies for Databricks use native masking, where data access is controlled by ALTR using only Databricks masking policies. Learn more.

To create a tag-based policy:

  1. Select Policy in the Navigation menu.
  2. Click Create Policy.
  3. Locate the Tag Policy card and click Create Policy.
  4. Click Create Policy for Databricks.
  5. Enter a Tag Name that the policy affects. The policy applies masking rules to all columns assigned to this tag.
  6. Select a Metastore where the tag is located.
  7. Click Next.
  8. Create the policy rule statement by selecting the following options:
    1. Role that the policy affects, which is a Databricks user group.
    2. Tag name or tag name and value to indicate how the masking policy is applied. Learn more.
    3. Masking policy to determine what transformation, if any, occurs to query results when data is accessed. If a particular query is affected by multiple policies, the most permissive masking policy is enforced. Learn more.
  9. (Optional) Click + Rule Statement to add additional rules for this policy.
  10. (Optional) Disable Policy State to deactivate the policy if you want to create the policy now and activate it later. The policy can be activated/deactivated at any time. Deactivating a policy stops applying controls to your data.
  11. Click Save.

Delete a tag policy to remove masking rules for the specified tags. Columns in query results based on the defined roles and tag values will no longer be masked. This action only deletes the tag from ALTR; it does not delete the tag from Databricks.

To delete a tag policy:

  1. Select Policy in the Navigation menu.
  2. Expand the policy to delete.
  3. Click Edit Policy.
  4. Click Delete Policy; a modal displays.
  5. Click Delete Policy to confirm.

Force delete a policy if you are unable to delete the policy as expected. This action deletes the policy and supporting functions from ALTR and Databricks, ignoring any errors encountered during the delete process. Use great caution with this action because it cannot be undone.

Force delete a policy if:

  • the policy no longer exists in Databricks.
  • service principal permissions have been decommissioned.
  • ALTR could not connect to Databricks.

To force delete a policy:

  1. Select Policy in the Navigation menu.
  2. Click the policy you wish to delete.
  3. Click Edit Policy.
  4. Click the Trouble deleting? link.
  5. Click Force Delete Policy.
  6. Review your source system and clean up any objects left behind.

If multiple policies are applied to a tag where a role is assigned more than one masking policy, masking policies may conflict. If a conflict exists, the most permissive policy is enforced.

The following is a ranking of masking policies from most permissive to least permissive:

  • No Mask - most permissive
  • E-Mail
  • Show Last Four
  • Full Mask
  • Constant Mask - least permissive
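
The conflict rule above can be checked offline before saving a new rule statement. The following is an added example, not ALTR code or an ALTR API: the rule record layout, policy names and sample rules are constructed, and it assumes a tag-name rule and a tag-name-and-value rule both count as applying to a column that carries that tag and value.

```python
# Added example: record layout and names are hypothetical, not ALTR's API.
# Ranking copied from the page, most permissive first.
RANKING = ["No Mask", "E-Mail", "Show Last Four", "Full Mask", "Constant Mask"]
RANK = {name: i for i, name in enumerate(RANKING)}

# Constructed rule statements. value=None means a tag-name rule (all values).
RULES = [
    {"policy": "pii-baseline", "role": "analysts", "tag": "pii", "value": None, "mask": "Full Mask"},
    {"policy": "pii-phone", "role": "analysts", "tag": "pii", "value": "phone", "mask": "No Mask"},
    {"policy": "pii-ssn", "role": "hr", "tag": "pii", "value": "ssn", "mask": "Show Last Four"},
    {"policy": "pii-ssn-lockdown", "role": "hr", "tag": "pii", "value": "ssn", "mask": "Constant Mask"},
]

def applicable(rules, role, tag, value):
    """Rules that hit a column tagged tag=value when queried by role."""
    return [r for r in rules
            if r["role"] == role and r["tag"] == tag and r["value"] in (None, value)]

def effective_mask(rules, role, tag, value):
    """Return (enforced mask, overridden rules); (None, []) if nothing applies.
    An unknown mask name raises KeyError rather than being ranked silently."""
    hits = applicable(rules, role, tag, value)
    if not hits:
        return None, []
    winner = min(hits, key=lambda r: RANK[r["mask"]])  # most permissive wins
    shadowed = [r for r in hits if RANK[r["mask"]] > RANK[winner["mask"]]]
    return winner["mask"], shadowed

def audit(rules):
    """Every (role, tag, value) where a stricter rule is overridden."""
    scopes = {(r["role"], r["tag"], r["value"]) for r in rules}
    scopes |= {(r["role"], r["tag"], None) for r in rules}  # untagged-value case
    findings = []
    for role, tag, value in sorted(scopes, key=lambda s: (s[0], s[1], s[2] or "")):
        mask, shadowed = effective_mask(rules, role, tag, value)
        if shadowed:
            findings.append((role, tag, value, mask, [r["policy"] for r in shadowed]))
    return findings

if __name__ == "__main__":
    for role, tag, value, mask, losers in audit(RULES):
        print(f"{role} on {tag}={value}: '{mask}' is enforced, overriding {losers}")
```

Each finding is a place where a stricter mask exists on paper but is not the one enforced, which is the case to review before activating a policy.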