
Tag-based policy only affects columns that are connected and being monitored by ALTR. For Snowflake, this occurs automatically if the relevant Snowflake object tag is connected to ALTR. Learn more.

When creating a tag-based policy, there are two ways to apply masking:

  1. Tag name and value: Applies the masking policy to the tag name-value pair, which enables you to set different policies on different tag values.
    • Use: Set up specific, complex or granular policies.
    • Example: Let’s say you have two different kinds of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. You can then set a different policy on phone numbers that applies no mask and grants access to anyone in the company.
  2. Tag name: Applies the masking policy to only the tag name so access is the same for all values associated with the tag.
    • Use: Control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag.
    • Example: Set a policy to mask all salary data and grant access to only the chief financial officer. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.

If the tag you’re creating policy for was connected to ALTR using native masking, some policy configuration options may vary. Learn more about native masking.

To create a tag-based policy:

  1. Ensure the tag to which you are applying policy has been connected in ALTR. Learn more.
  2. Select Policy in the Navigation menu.
  3. Click Create Policy.
  4. Locate the Tag Policy card and click Create Policy.
  5. Select a Tag Name that the policy affects. The policy applies masking rules to all columns assigned to this tag.
  6. Click Next.
  7. Create the policy rule statement by selecting the following options:
    1. Role that the policy affects, which is an ALTR user group. Learn more.
    2. Tag name or tag name and value to indicate how the masking policy is applied.
    3. Masking policy to determine what transformation, if any, occurs to query results when data is accessed. If a particular query is affected by multiple policies, the most permissive masking policy is enforced. Learn more.
  8. (Optional) Click Add an alert to configure notifications and/or block users for this policy. Learn more.
  9. (Optional) Click + Rule Statement to add additional rules for this policy.
  10. (Optional) Disable Policy State to deactivate the policy if you want to create the policy now and activate it later. The policy can be activated at any time. To deactivate after the policy is created, first resolve all alerts. Deactivating a policy stops applying controls to your data.
  11. Click Save.

Delete a tag policy to remove masking rules for the specified tags. Columns in query results based on the defined roles and tag values will no longer be masked. This action only deletes the tag from ALTR; it does not delete the tag from Snowflake.

To delete a tag policy:

  1. Select Policy in the Navigation menu.
  2. Expand the policy to delete.
  3. Click Edit Policy .
  4. Click Delete Policy; a modal displays.
  5. Click Delete Policy to confirm.

If multiple policies are applied to a tag where a role is assigned more than one masking policy, masking policies may conflict. If a conflict exists, the most permissive policy is enforced.

The following is a ranking of masking policies from most permissive to least permissive:

  • No Mask - most permissive
  • E-Mail
  • Show Last Four
  • Full Mask
  • Constant Mask - least permissive
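
The conflict rule above can be checked offline before saving a new rule statement. The following is an added example, not ALTR code: it applies the page's ranking to a constructed set of rule statements and reports every stricter rule that a more permissive one outranks. The policy names, role names and tag values are made up, roles are matched by exact name, and a "tag name" rule is assumed to match every value of that tag.

```python
from collections import namedtuple

# Ranking from the page, most permissive first.
RANKING = ["No Mask", "E-Mail", "Show Last Four", "Full Mask", "Constant Mask"]
RANK = {mask: i for i, mask in enumerate(RANKING)}

# value=None models a "tag name" rule, assumed here to match every tag value.
Rule = namedtuple("Rule", "policy role tag value mask")

# Constructed rule statements for illustration; policy and role names are made up.
RULES = [
    Rule("ssn-hr", "HR", "EMPLOYEE_PII", "SSN", "Show Last Four"),
    Rule("phone-all", "EVERYONE", "EMPLOYEE_PII", "PHONE", "No Mask"),
    Rule("pii-broad", "HR", "EMPLOYEE_PII", None, "No Mask"),
    Rule("salary-cfo", "CFO", "SALARY", None, "No Mask"),
    Rule("salary-audit", "CFO", "SALARY", None, "Full Mask"),
]

def matching(rules, role, tag, value):
    """Rules that apply to this role and tagged column."""
    return [r for r in rules
            if r.role == role and r.tag == tag and r.value in (None, value)]

def effective(rules, role, tag, value):
    """Return the winning rule (most permissive mask), or None if no rule matches."""
    hits = matching(rules, role, tag, value)
    return min(hits, key=lambda r: RANK[r.mask]) if hits else None

def overridden(rules):
    """List (winner, loser, role, tag, value) where a stricter rule is outranked."""
    findings = []
    targets = {(r.role, r.tag, r.value) for r in rules}
    for role, tag, value in sorted(targets, key=str):
        win = effective(rules, role, tag, value)
        for r in matching(rules, role, tag, value):
            if RANK[r.mask] > RANK[win.mask]:
                findings.append((win.policy, r.policy, role, tag, value))
    return findings

if __name__ == "__main__":
    for f in overridden(RULES):
        print("%s outranks %s for role=%s tag=%s value=%s" % f)
```

In this constructed set, the broad `pii-broad` rule removes the SSN masking that `ssn-hr` was meant to enforce for HR, which is the kind of conflict worth reviewing before a tag-name rule is saved.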