Connect Columns to ALTR

To connect a column:

  1. Click Data Configuration > Data Management in the navigation menu.
  2. Click the Columns tab.
  3. Click Connect Column.
  4. Select the Data Source the column resides in.
  5. Determine if you are connecting the column from a table or a view. By default, columns are connected from a table. Click the Views tab to connect from a view. See Connect Columns Using a View for more details.
  6. Select the Schema.
  7. Select the Table or View the column resides in.
  8. Select the Column.
  9. Enter a Name for the column.
  10. In the Which option applies to this column dropdown, select one of the following:
    • Default masking — Data access is controlled by ALTR using Snowflake masking policies and external functions. This is the default behavior.
    • Tokenization — Data access and detokenization are controlled by ALTR using Snowflake masking policies and external functions. If this column is tokenized, ensure all values for this column are tokenized.
    • Format-preserving encryption — Data access and decryption are controlled by Snowflake masking policies and external functions. Ensure the column has been encrypted in Snowflake.
  11. For Do you have encryption or tokenization applied to this column?, select:
    • No if this column is not tokenized or encrypted, and continue to the next step.
    • Yes if this column is tokenized or encrypted.
  12. Click Connect Column.

ALTR supports connecting columns from Snowflake views, allowing you to apply column access policies and masking rules just like with tables. Views can be useful when you want to work with combined or filtered data.

Connecting columns in a view works the same way as with tables — just select the view instead.

When connecting columns from a view, you can:

  • Identify and connect columns in Snowflake views to ALTR
  • Apply column-level access policies and masking rules

The following features are not supported when using views:

  • Row access policies
  • Data classification
  • Importing historical consumption data

Important Note on View-Based Access Control (Nested Policies)

Be careful when applying access control policies to both a view and its underlying table. Snowflake enforces each policy independently, which can result in nested policies. This can make access behavior harder to understand and maintain, especially if the policies are not consistent.

To keep things simple, ALTR recommends applying access control to either the table or the view, but not both.

Also note:

  • A view can reference both base tables and other views.
  • This can create deeply nested views, each with separate policies applied at different levels.

Governance rules applied to a base table execute before those on views. For example, consider a situation where there are rules designed to prevent the role ANALYST from accessing plain text email addresses.

Imagine that there is a table CUSTOMERS that includes a column of email addresses and a view CUSTOMERS_VIEW defined as SELECT * FROM CUSTOMERS. You use ALTR to apply different masking rules to the table and the view:

  • In the table, the ANALYST role is configured to access the email column with a Last4 mask.
  • In the view, the ANALYST role is configured to access the email column with an email mask.

If a user with the ANALYST role queries the view, they will only see asterisks for the email column. This occurs because the Last4 mask executes first, replacing all of the email addresses with ***.com, ***.net, and so on. Next, the email mask from the view applies. Because it cannot find an at sign (@) to indicate where the domain begins, it replaces every character in every email with an asterisk.
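The CUSTOMERS / CUSTOMERS_VIEW scenario above can be reproduced offline with the following simulation, which is an added example and not ALTR or Snowflake code. The two mask functions are simplified models inferred from the behavior described on this page, and the policy inventory, the single-source view lineage, and the sample email address are constructed for illustration.

```python
# Simplified mask models inferred from the behaviour described above (assumptions,
# not ALTR's implementation).
def last4_mask(value):
    """Keep the last four characters, e.g. 'jane@example.com' -> '***.com'."""
    return "***" + value[-4:]

def email_mask(value):
    """Hide the local part and keep the domain; with no '@', hide everything."""
    local, at, domain = value.partition("@")
    if not at:
        return "*" * len(value)
    return "*" * len(local) + "@" + domain

# Constructed policy inventory: (object, column, role) -> mask function.
POLICIES = {
    ("CUSTOMERS", "EMAIL", "ANALYST"): last4_mask,
    ("CUSTOMERS_VIEW", "EMAIL", "ANALYST"): email_mask,
}
# Constructed lineage: view -> object it selects from (one source per view here).
VIEW_SOURCES = {"CUSTOMERS_VIEW": "CUSTOMERS"}

def lineage(obj):
    """Return [base table, ..., obj]: the order in which policies execute."""
    chain = [obj]
    while chain[-1] in VIEW_SOURCES:
        chain.append(VIEW_SOURCES[chain[-1]])
    return chain[::-1]

def policy_levels(obj, column, role):
    """Objects in the lineage that carry a policy; more than one means nesting."""
    return [lvl for lvl in lineage(obj) if (lvl, column, role) in POLICIES]

def read_column(obj, column, role, raw):
    """Apply each level's mask in execution order, base table first."""
    value = raw
    for level in policy_levels(obj, column, role):
        value = POLICIES[(level, column, role)](value)
    return value

if __name__ == "__main__":
    raw = "jane.doe@example.com"  # constructed sample value
    for obj in ("CUSTOMERS", "CUSTOMERS_VIEW"):
        levels = policy_levels(obj, "EMAIL", "ANALYST")
        flag = "NESTED" if len(levels) > 1 else "ok"
        print(obj, read_column(obj, "EMAIL", "ANALYST", raw), levels, flag)
```

Running the same `policy_levels` check over an export of your own connected columns flags every column whose view and underlying table both carry a policy for the same role.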