Connecting Columns in ALTR

For a column to be governed by ALTR, it must be 'Connected' to ALTR. Connecting is the process in which ALTR creates the Snowflake-side objects that are invoked for governance decisions, including a Dynamic Data Masking Policy. Once a column is connected in ALTR, any queries accessing that column will appear in ALTR’s query log and Data Usage Analytics.

What Happens When a Column is Connected?

When you connect a column, ALTR creates a Dynamic Data Masking Policy for that column in Snowflake, in the ALTR_DSAAS schema of that column’s database. This Dynamic Data Masking Policy invokes ALTR’s governance engine every time a query accesses that column, which allows ALTR to:

  • Track column access in the Query Log and Data Usage Analytics
  • Limit or restrict access to the column in Column Access Policies and Thresholds

Important Details for You to Know

  • Connecting a column to ALTR will not restrict any access to that column until it (or one of its Data Tags) is included in a Column Access Policy.
  • Connecting a column to ALTR incurs a minimal increase to the latency for queries accessing that column, as Snowflake will reach out to ALTR’s governance engine every time that column is accessed. This latency is negligible for large queries.
  • ALTR does not support connecting/governing columns that include a collation.

How to Connect Columns to ALTR

ALTR offers multiple avenues in its UI to connect columns: via the 'Data Management' page and via the Google DLP Classification Report.

Connecting Columns via the 'All Columns' page

To connect a column on the 'Columns' page, click the Add New button. From here, you can specify the Data Source (database), table, and column to connect. ALTR also asks you to assign a name to the column, which is a shorter friendly name that ALTR uses to display that column throughout its UI. Once you submit the form with the Add Column button, then ALTR will create a Dynamic Data Masking Policy for that column in Snowflake (see above). This may take several seconds.

NOTE: For large tables, the column dropdown may take several seconds to load.

Connecting Columns via the 'Google DLP Classification Report'

ALTR enables users to easily connect sensitive data from the Google DLP Classification Report. On the report, select a classifier and click the Connect button next to a column to connect that column to the ALTR platform. This will trigger ALTR to create a Dynamic Data Masking Policy for that column in Snowflake (see above). This may take several seconds.

NOTES:

  • ALTR automatically generates a Friendly Name for columns connected via the Classification report from the classifier and column identifier in Snowflake. You can edit these Friendly Names on the All Columns page.
  • A Classification Report can also be generated through Snowflake.

How to Disconnect Columns from ALTR

There may be situations where you want to disconnect columns from ALTR. This action will remove the functions (such as governance rules) that were defined for them. To disconnect columns, navigate to the 'Data Management' page and click on Disconnect Column, as shown in the screenshot below.

  1. From the left navigation menu, click on Data Configuration.
  2. Click on Data Management.
  3. Next, select the columns that you want to disconnect.
  4. Click on Disconnect Column.
Disconnect Column button

NOTE: You cannot remove a database from ALTR while any of its columns are still connected to ALTR.

Troubleshooting and FAQs

Column List Not Loading

Question: I’m trying to connect a column from the All Columns page, but the column list is not loading. Why is this happening?
Answer: ALTR may take a long time to load column lists for tables with particularly large numbers of columns (1000+). If the column list does not load after a minute, reach out to support@altr.com.

Tables Not Appearing

Question: I’m trying to connect a column from the All Columns page, but some of my tables are not appearing. Why is this happening?
Answer: After first connecting a database, ALTR only refreshes table lists every few hours. If the table was recently added, try coming back later. If you continue to be unable to see the table after several hours, reach out to support@altr.com.

Disconnecting a column connected from the Google DLP Classification Report

Question: I want to disconnect a column that I connected from the Google DLP Classification Report. How can I do it?
Answer: All columns can be disconnected from ALTR on the All Columns Page, which also removes their Dynamic Data Masking Policy.

Force Disconnecting a column that I'm having trouble dropping from ALTR

Question: I want to disconnect a column that I’ve already dropped from Snowflake but am having trouble. How can I do it?
Answer: Certain situations might occur where you will not be able to disconnect a column in ALTR normally. For example, perhaps your column doesn't exist anymore, the service user's permissions were decommissioned, an AWS outage occurred, or ALTR couldn't connect with Snowflake for some reason. These example scenarios are when the Force Disconnect Column feature would be appropriate to use. It will remove the column from ALTR even if we are unable to successfully clean it up in Snowflake.

You can find this Force Disconnect Column button in the Advanced Options menu by clicking the down arrow to expand it.

NOTE: Use the Force Disconnect Column feature only as a last resort, when you cannot disconnect the column normally. Once you Force Disconnect a column, the action cannot be reversed. In addition, artifacts such as the masking policy and schema objects in your account might still be left in Snowflake. We recommend that after you force disconnect a column, you go back and check Snowflake in case you'd prefer to clear out remnants due to storage limits, security risk policies from ongoing API call requests, or other reasons. To identify and remove them, you can email support@altr.com.

Force Disconnect Column button in the Advanced Options menu
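
The check recommended after a Force Disconnect can be run directly in Snowflake. The following is an added example, not ALTR's own tooling: it lists masking policies still present in the ALTR_DSAAS schema and the columns that still reference them. `MY_DB`, `MY_SCHEMA`, `MY_TABLE`, `MY_COLUMN` and `POLICY_NAME_PLACEHOLDER` are placeholders, and it assumes a role that can read the `SNOWFLAKE.ACCOUNT_USAGE` views.

```sql
-- Added example. MY_DB is a placeholder for the database that held the
-- force-disconnected column; ALTR_DSAAS is the schema named on this page.

-- 1. Masking policies that still exist in the ALTR schema of that database.
SHOW MASKING POLICIES IN SCHEMA MY_DB.ALTR_DSAAS;

-- 2. Columns that still have one of those policies attached.
--    ACCOUNT_USAGE views lag behind real time, so re-run later if a
--    recent change is not reflected yet.
SELECT policy_db, policy_schema, policy_name,
       ref_database_name, ref_schema_name, ref_entity_name, ref_column_name
FROM snowflake.account_usage.policy_references
WHERE policy_kind   = 'MASKING_POLICY'
  AND policy_db     = 'MY_DB'
  AND policy_schema = 'ALTR_DSAAS'
ORDER BY ref_schema_name, ref_entity_name, ref_column_name;

-- 3. Policies that exist but are attached to no column (orphaned remnants).
SELECT p.policy_catalog, p.policy_schema, p.policy_name, p.created
FROM snowflake.account_usage.masking_policies AS p
LEFT JOIN snowflake.account_usage.policy_references AS r
       ON r.policy_db     = p.policy_catalog
      AND r.policy_schema = p.policy_schema
      AND r.policy_name   = p.policy_name
WHERE p.policy_catalog = 'MY_DB'
  AND p.policy_schema  = 'ALTR_DSAAS'
  AND p.deleted IS NULL          -- policy has not been dropped
  AND r.policy_name IS NULL;     -- no column references it

-- 4. Cleanup, left commented out on purpose. Apply only to a column that was
--    already force-disconnected; a policy on a still-connected column is what
--    routes its queries through ALTR's governance engine.
-- ALTER TABLE MY_DB.MY_SCHEMA.MY_TABLE
--     MODIFY COLUMN MY_COLUMN UNSET MASKING POLICY;
-- DROP MASKING POLICY MY_DB.ALTR_DSAAS.POLICY_NAME_PLACEHOLDER;
```

A row from query 2 for a force-disconnected column means queries against it still invoke the leftover policy, so that remnant is the one to raise with support first.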