Allows you to create and view all policies in your organization. Click a tab to filter to a specific policy type.
| Name | Description |
|---|---|
| Data | Information specific to the policy type:<br>Impersonation: repository that is being accessed by a data consumer via policy<br>Access Management: friendly name of the policy<br>Column Masking: column name where policy is applied<br>Tag Masking: tag name where policy is applied (default masking is applied to the tag)<br>Native Masking: tag name where policy is applied (native masking is applied to the tag)<br>Row: table name where policy is applied |
| Users/Groups | User information specific to the data source used for the policy:<br>Snowflake: roles (this is the same as Roles when you create a policy)<br>Databricks: user groups (this is the same as Roles when you create a policy)<br>OLTP: IdP (i.e., Okta) users or groups |
| Policy Type | Categorization of the policy. Options are:<br>Impersonation: controls access to repository users<br>Access Management: controls access to database objects<br>Column Masking: masks columns in query results by specifying individual column names<br>Tag Masking: masks columns in query results based on the tag values assigned to columns where default masking is applied to the tag<br>Native Masking: masks columns in query results based on the tag values assigned to columns where native masking is applied to the tag<br>Row Access: filters rows from query results based on column values |
| Status | Current state of the policy. Options are:<br>Success: policy has been successfully created<br>In Progress: policy is being created, updated or deleted<br>Error: an error occurred when performing an action. If the error persists, contact ALTR Support. |
| Sort by | Select an option to sort policies and find what you need. Options are:<br>Most Recently Updated: Quickly surface the policies you’ve worked on last.<br>Data (A–Z or Z–A): Browse your policies alphabetically, in either direction. |
| Policy Statement | A user-friendly summary of the policy. |
| Rule Statements | Clear, concise actions of the policy. |
Impersonation policies enable data consumers to access repositories using single sign-on (SSO), without needing to know the underlying database credentials.
| Name | Description |
|---|---|
| Data Source | The repository name as it exists in Oracle. |
| Display Name | A user-friendly name to identify the policy. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement by selecting the IdP user or group that will impersonate the specified repository user.<br>user/group: identity provider user or group<br>Name: name of the user or group in your identity provider<br>Repository User: name of the user in the repository that is being impersonated by the identity provider user or group |
| IdP User/Group | Select either an individual user or a group as configured in your IdP (Okta). |
Access Management policies control privileges for data objects, allowing you to manage access without relying on data engineers or submitting tickets.
| Name | Description |
|---|---|
| Data Source | The data source that the policy affects. Access to the schema objects within this data source is controlled. |
| Policy Name | A user-friendly name to identify the policy. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement by defining privileges for the data objects.<br>object name or tag: how access is controlled by database objects.<br>role: the Snowflake role (i.e., ALTR user group) that the policy affects<br>read, write or read/write: level of access of the schema object that the users within the selected role can access<br>object type: database, schema, table or view to determine what kind of object the roles have access to |
| Policy Refresh | Refresh a policy to check for new data objects and update the policy as needed. Set a schedule to automatically check for new data objects at an interval or click Refresh to manually check. |
| Name | Description |
|---|---|
| Data Source | The data source that the policy affects. Access to the schema objects within this data source is controlled. |
| Policy Name | A user-friendly name to identify the policy. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement by defining privileges for the data objects.<br>user or group: the identity provider user or group that impersonates the repository user<br>create, read, update or delete: level of access of the schema object that the user/group can access<br>object type: object the user/groups have access to. Options are: database, schema, table/view and column.<br>Define Object: specific database, schema, table/view or column being accessed |
Column masking policies mask column values in query results by specifying individual column names.
| Name | Description |
|---|---|
| Add an alert | Click to configure notifications and/or block users for this policy. Learn more. |
| Column | Name of column that the policy affects. The policy applies masking rules to all values within this column. |
| Policy State | Activate to make the policy active and apply access controls to your data. Activate a policy at any time. Deactivate to make the policy inactive and stop applying controls to your data. Before deactivating, resolve all alerts. The default is Active. |
| Policy Statement | A user-friendly summary of the policy. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement.<br>role: ALTR user group (i.e., a Snowflake role) that the policy affects. Learn more.<br>masking policy: Type of masking that is applied to the column. Learn more. Options are: |
Tag masking policies mask columns in query results based on the tag values assigned to columns.
| Name | Description |
|---|---|
| Add an alert | Click to configure notifications and/or block users for this policy. Learn more. |
| Policy Status | Activate to make the policy active and apply access controls to your data. Activate a policy at any time. Deactivate to make the policy inactive and stop applying controls to your data. Before deactivating, resolve all alerts. The default is Active. |
| Policy Statement | A user-friendly summary of the policy. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement.<br>role: ALTR user group (i.e., a Snowflake role) that the policy affects. Learn more.<br>tag name and value or tag name: Ways to apply masking on tags. Learn more. Options are:<br>masking policy: Type of masking that is applied to the tag. If multiple policies are applied to a tag, the most permissive policy is enforced. Learn more. Options are: |
| Tag Name | Name of tag that the policy affects. The policy applies masking rules to all columns assigned to this tag. |
| Name | Description |
|---|---|
| Metastore | Location where the tag is stored. |
| Policy Status | Activate to make the policy active and apply access controls to your data. Deactivate to make the policy inactive and stop applying controls to your data. A policy can be activated or deactivated at any time. The default is Active. |
| Policy Statement | A user-friendly summary of the policy. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement.<br>role: Databricks user groups that the policy affects.<br>tag name and value or tag name: Ways to apply masking on tags. Learn more. Options are:<br>masking policy: Type of masking that is applied to the tag. If multiple policies are applied to a tag, the most permissive policy is enforced. Learn more. |
| Tag Name | Name of tag that the policy affects. The policy applies masking rules to all columns assigned to this tag. |
Native masking is a type of tag masking. To create a tag masking policy that utilizes native masking:
- Connect a tag to ALTR that utilizes native masking, meaning that data access is controlled by ALTR using only Snowflake masking policies.
- Create a tag policy for the native masking tag.
Row access policies filter rows from query results based on column values.
| Name | Description |
|---|---|
| Database | Database where the row policy is applied. NOTE: If your data doesn’t display in the dropdown, ensure your service user account has privileges to access the data. |
| Policy Name | Friendly name to identify the row policy. |
| Policy Status | Activate to make the policy active and apply access controls to your data. Deactivate to make the policy inactive and stop applying controls to your data. A policy can be activated or deactivated at any time. The default is Active. |
| Policy Statement | A user-friendly summary of the policy. |
| Reference Column | Contains values that are used to establish a relationship between the roles defined in the policy and the rows they can access. This relationship determines which rows are visible to which roles based on the values in the reference column. This value must be a string or a number. |
| Rule Statement | Clear, concise actions of the policy. If creating a policy, build out the policy rule statement.<br>role: ALTR user group that the policy affects. Learn more.<br>value: ALTR user group that the policy affects. Learn more. |
| Schema | Schema within the selected database where the row policy is applied. NOTE: If your data doesn’t display in the dropdown, ensure your service user account has privileges to access the data. |
| Table | Table name within the schema where the row policy is applied. NOTE: If your data doesn’t display in the dropdown, ensure your service user account has privileges to access the data. |
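
The relationship between roles and reference column values described above, sketched as an added example in Snowflake's native row access policy syntax; it is not ALTR's own generated objects or code from this page. The database, table, mapping table, role and policy names are all hypothetical.

```sql
-- Added illustration; every object and role name below is hypothetical.

-- Constructed sample table. REGION plays the part of the reference column
-- (the page requires it to be a string or a number).
CREATE OR REPLACE TABLE sales.public.orders (
    order_id NUMBER,
    region   VARCHAR,
    amount   NUMBER(10, 2)
);

-- Rule statements as data: one row per (role, reference column value) pair
-- that the role is allowed to see.
CREATE OR REPLACE TABLE sales.public.row_policy_map (
    role_name     VARCHAR,
    allowed_value VARCHAR
);

INSERT INTO sales.public.row_policy_map (role_name, allowed_value) VALUES
    ('ANALYST_EMEA', 'EMEA'),
    ('ANALYST_AMER', 'AMER'),
    ('ANALYST_AMER', 'LATAM');

-- The policy receives the reference column value of each row and returns TRUE
-- only when the querying role is mapped to that value. A role with no entry
-- in the mapping table matches nothing, so the default is deny.
CREATE OR REPLACE ROW ACCESS POLICY sales.public.orders_by_region
AS (region VARCHAR) RETURNS BOOLEAN ->
    EXISTS (
        SELECT 1
        FROM sales.public.row_policy_map m
        WHERE m.role_name = CURRENT_ROLE()
          AND m.allowed_value = region
    );

-- Bind the policy to the table, naming the reference column.
ALTER TABLE sales.public.orders
    ADD ROW ACCESS POLICY sales.public.orders_by_region ON (region);

-- Check: run the same query under each role and compare the visible regions
-- against the mapping table.
USE ROLE ANALYST_EMEA;
SELECT region, COUNT(*) AS visible_rows
FROM sales.public.orders
GROUP BY region;
```

When reviewing a row policy, also run the check query under a role that appears in no rule statement to confirm that unmapped roles see no rows.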