
Guides

Caution

In order to connect a data source to ALTR, you must have access to a service user that has the appropriate privileges to access the database and enforce security policies. ALTR strongly recommends updating the service user's privileges before connecting a new data source, even if you think the privileges are already properly configured.

Data sources can be connected on the Data Source page in ALTR, Data Configuration > Data Sources. To connect a new data source:

  1. Click the Add New button.

  2. If your ALTR account was created from Snowflake Partner Connect, select the Snowflake account and database you wish to connect.

  3. If your ALTR account was not created from Snowflake Partner Connect, or you wish to manually configure the connection, enter the following information:

    1. Snowflake Hostname. This can be found in the bottom left-hand corner of the Snowsight UI.

    2. Database Name. If you created this database using a case-sensitive name, be sure to encase it in double quotation marks.

    3. Snowflake Service User Username.

    4. Snowflake Service User Password.

    5. (Optional) Set advanced settings for this data source. ALTR does not recommend users change any of these settings without consulting ALTR Support.

      1. Snowflake Role. If present, ALTR will attempt to use this role when connecting to Snowflake. If this value is not supplied, ALTR will use the Service User's default role.

      2. Snowflake Warehouse. If present, ALTR will attempt to use this warehouse when connecting to Snowflake. If this value is not supplied, ALTR will use the Service User's default warehouse.

      3. Port ID. The default is 443.

      4. Maximum Number of Connections. The default is 5.

  4. (Optional) Indicate if you would like to import historical access history information.

  5. (Optional) Indicate if you would like to classify the data in the database.

  6. Click Connect Data Source.

To connect a column:

  1. Click Data Configuration > Data Management in the Navigation menu.

  2. Click the Columns tab.

  3. Click the Connect Column button.

  4. Select the Data Source the column resides in from the data source dropdown.

  5. Select the Schema and Table or View the column resides in from the relevant dropdowns.

  6. Select the column from the relevant dropdown.

  7. (Optional) Select the Tokenized check box to use ALTR policy to detokenize sensitive data. Ensure all values for this column are tokenized. Refer to Tokenization Access Policies for more information.

  8. Assign a name to the column (cosmetic).

  9. Click the Connect Column button.

To disconnect a column:

  1. Select Data Configuration > Data Management > Columns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

Warning

Before force disconnecting a column, consult ALTR Support.

Force disconnecting columns could have a negative impact on your source system if you do not fully understand your data and this feature.

Force disconnect a column if you are unable to disconnect the column as expected. This action ignores any errors encountered during the disconnect process. Use great caution with this feature because it cannot be undone.

Reasons to force disconnect columns include:

  • Column no longer exists in your source system

  • Service user's privileges have been decommissioned

  • ALTR could not connect to Snowflake

To force disconnect a column:

  1. Select Data Configuration > Data Management > Columns in the Navigation menu.

  2. Select the column you wish to disconnect.

  3. Click the Disconnect Column button.

  4. Click the Trouble Disconnecting? link.

  5. Click the Force Disconnect Column button.

  6. Click the Force Disconnect Column button.

  7. Review your source system and clean up any objects left behind.

Column Access Policies are managed on the Column Access tab in the Locks page.

To create a column access policy:

  1. Click Data Policy > Locks > Column Access in the Navigation menu.

  2. Click the Add New button.

  3. Enter a (cosmetic) Lock Name.

  4. Select an Application. This list box displays all driver applications configured in ALTR.

  5. Select the ALTR User Groups (typically roles) that the policy affects.

    Note

    If a User Group is not included in a policy, they receive NULL values when querying data protected by ALTR.

  6. Click the Tag or the Column toggle to define the User Group's level of access.

  7. If creating a Tag policy, indicate how the masking policy is applied. There are two options:

    • Tag Name and Value—applies the masking policy to the tag name-value pair, enabling you to set different policies on different tag values

    • Tag Name only—applies the masking policy to only the tag name; access is the same for all values associated with the tag

    The default option is Tag Name and Value. Refer to the examples for use cases on each option.

  8. Select the Masking Policy. Whenever a user in the User Group queries this data, the results are masked using this strategy.

    Note

    If a user group is assigned multiple masking strategies to a single column or tag between different locks, ALTR enforces whichever strategy is most permissive. Refer to Column Access Policy for more information.

  9. Click the +Add Another link to add all columns or tags for this policy.

  10. Click the Add Lock button.

Once a column access policy is created, it is immediately in effect. All queries against the columns or tags protected by the policy will control data access using the rules you specified.

Tag Usage Examples

The following are use cases for each option when defining locks directly on tags:

Tag Name and Value

Use this option when you want to set up specific, complex or granular policies. Let's say you have two different kinds of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. You can then set a different policy on phone numbers that applies no mask and grants access to anyone in the company.

Tag Name only

Use this option to control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag. For example, set a policy to mask all salary data and grant access to only the CFO. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.
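The column access rules above (NULL for a User Group that no lock covers, the most permissive strategy when several locks overlap, and the two tag options) can be checked against a small model before locks are created. This is an added example, not ALTR code: the strategy names, their ranking, the lock names, and the tag and group names are all assumptions made for illustration.

```python
# Added model of the lock rules above; not ALTR code.
# Strategy names and their ranking are assumptions made for this example.
RANK = {"FULL_MASK": 0, "SHOW_LAST_FOUR": 1, "NO_MASK": 2}  # higher = more permissive

# Constructed locks. A tag value of None models the "Tag Name only" option.
LOCKS = [
    {"name": "hr-ssn", "groups": {"HR"}, "tag": ("PII", "SSN"), "mask": "SHOW_LAST_FOUR"},
    {"name": "hr-ssn-strict", "groups": {"HR"}, "tag": ("PII", "SSN"), "mask": "FULL_MASK"},
    {"name": "phones", "groups": {"HR", "SALES"}, "tag": ("PII", "PHONE"), "mask": "NO_MASK"},
    {"name": "cfo-salary", "groups": {"CFO"}, "tag": ("SALARY", None), "mask": "NO_MASK"},
]

def effective_mask(locks, group, tag_name, tag_value):
    """Most permissive strategy across all locks covering this group and tag, or None."""
    hits = [
        lock["mask"] for lock in locks
        if group in lock["groups"]
        and lock["tag"][0] == tag_name
        and lock["tag"][1] in (None, tag_value)
    ]
    return max(hits, key=RANK.__getitem__) if hits else None

def mask_value(strategy, value):
    """Replace letters and digits with '#', keeping the last four for SHOW_LAST_FOUR."""
    if strategy == "NO_MASK":
        return value
    total = sum(ch.isalnum() for ch in value)
    keep_from = total - 4 if strategy == "SHOW_LAST_FOUR" else total
    out, seen = [], 0
    for ch in value:
        if ch.isalnum():
            out.append(ch if seen >= keep_from else "#")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)

def query(locks, group, tag_name, tag_value, value):
    """What a member of `group` gets back; None stands for SQL NULL."""
    strategy = effective_mask(locks, group, tag_name, tag_value)
    return None if strategy is None else mask_value(strategy, value)

if __name__ == "__main__":
    for g in ("HR", "SALES", "CFO"):
        print(g, query(LOCKS, g, "PII", "SSN", "123-45-1234"))
```

In this model the `hr-ssn-strict` lock does not tighten what HR sees, because the more permissive `hr-ssn` lock still applies; restricting access means editing or removing the permissive lock.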

Row Access Policies are created on the Row Access tab page in ALTR's Policy UI, Data Policy > Locks > Row Access. To create a Row Access Policy:

  1. Click the Add New button.

  2. Identify the table the policy will apply to and the reference column that will dictate access.

  3. Specify the list of roles who will be able to access all values in the table.

  4. Specify the list of user groups who will have limited access to rows within the table.

    1. For those user groups, identify the particular values of the reference column those users will be able to access. If that value is not present for a given row, those users will not be able to access the row.

      Note

      ALTR does not sample customer data except where absolutely necessary. Because of this, customers must manually enter column values when defining row access policies.

      Warning

      These fields are case sensitive. Be careful to enter the data exactly as it appears in the real column values.

  5. Assign a name to the Policy (cosmetic).

  6. Click the Submit button.

Once submitted, the policy enters a pending state. It may take several minutes for a row access policy to apply. If you have trouble successfully applying row access policies, contact ALTR Support.
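Because reference-column values are typed by hand and matched case-sensitively, a mistyped value leaves a user group with no rows rather than raising an error. The following added example (not ALTR code) models the row access rules above and lints the entered values against distinct values you export from the table yourself. The policy layout, role and group names, and sample rows are constructed, and giving no rows to a caller listed nowhere in the policy is an assumption of this model.

```python
# Added model of the row access rules above; not ALTR code.
# Constructed sample rows; REGION is the reference column.
ROWS = [
    {"ORDER_ID": 1, "REGION": "EMEA"},
    {"ORDER_ID": 2, "REGION": "Apac"},
    {"ORDER_ID": 3, "REGION": "AMER"},
]

# Hypothetical policy: one role sees everything, two groups see selected values.
POLICY = {
    "reference_column": "REGION",
    "full_access_roles": {"DATA_ADMIN"},
    "limited_groups": {"EMEA_SALES": {"EMEA"}, "APAC_SALES": {"APAC"}},
}

def visible_rows(policy, rows, caller):
    """Rows the caller can read under the policy."""
    if caller in policy["full_access_roles"]:
        return list(rows)
    # Assumption: a caller listed nowhere in the policy sees no rows.
    allowed = policy["limited_groups"].get(caller, set())
    col = policy["reference_column"]
    return [r for r in rows if r[col] in allowed]  # exact, case-sensitive match

def lint_policy_values(policy, rows):
    """Return (group, entered_value, problem) for values that match no row exactly."""
    col = policy["reference_column"]
    actual = {r[col] for r in rows}
    by_fold = {}
    for v in actual:
        by_fold.setdefault(v.casefold(), []).append(v)
    findings = []
    for group, values in sorted(policy["limited_groups"].items()):
        for v in sorted(values):
            if v in actual:
                continue
            near = sorted(by_fold.get(v.casefold(), []))
            problem = f"case mismatch with {near}" if near else "no such value"
            findings.append((group, v, problem))
    return findings

if __name__ == "__main__":
    for finding in lint_policy_values(POLICY, ROWS):
        print(finding)
```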