Learn
/
Snowflake
September 16, 2024

What is a Snowflake Masking Policy?

Dexter Chu
Head of Marketing

Get started with Secoda

See why hundreds of industry leaders trust Secoda to unlock their data's full potential.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

How to evaluate a data catalog

See why hundreds of industry leaders trust Secoda to unlock their data's full potential.

Get the guide

A masking policy in Snowflake is a robust security feature available in the Enterprise Edition or higher. It allows the creation, management, and application of rules to mask or tokenize sensitive data in table columns or views. This feature ensures that sensitive data is protected and only accessible based on predefined roles and conditions.

CREATE [ OR REPLACE ] MASKING POLICY [ IF NOT EXISTS ] <name>
AS ( <arg_name_to_mask> <arg_type_to_mask> [ , <arg_1> <arg_type_1> ... ] )
RETURNS <arg_type_to_mask> -> <body>
[ COMMENT = '<string_literal>' ]
[ EXEMPT_OTHER_POLICIES = { TRUE | FALSE } ]

This code snippet demonstrates the syntax for creating a masking policy in Snowflake. The policy defines rules and conditions under which data should be masked, ensuring sensitive information is protected.

How is a Masking Policy Created?

Creating a masking policy involves defining rules and conditions under which data should be masked. The syntax for creating a masking policy is as follows:

CREATE OR REPLACE MASKING POLICY email_mask
AS (val string)
RETURNS string ->
CASE
WHEN current_role() IN ('ANALYST') THEN val
ELSE '*********'
END;

This example shows a masking policy that displays plain-text for the 'ANALYST' role and a masked value for others.

  • name: A unique identifier for the masking policy within the schema.
  • AS (arg_name_to_mask arg_type_to_mask [ , arg_1 arg_type_1 ... ]): Specifies the input columns and data types to evaluate at query runtime.
  • RETURNS arg_type_to_mask: The return data type must match the input data type of the first column.
  • body: SQL expression that transforms the data in the column.

What are the Access Control Requirements?

To create and manage masking policies, specific privileges are required:

  • CREATE MASKING POLICY: Privilege on the schema.
  • USAGE: Privilege on the parent database and schema.

How to Use and Manage Masking Policies?

1. Viewing and Managing Policies

To see the current definition of an existing masking policy, use the GET_DDL function or DESCRIBE MASKING POLICY command. It's essential to centralize mapping tables in the same database as the protected table. Notably, a column can be specified in either a masking policy or a row access policy, but not both simultaneously.

2. Tag-based Masking Policies

Tag-based masking policies allow users to combine tagging and masking policies, setting them at the TAG level using the ALTER command.

CREATE TAG sensitive_data;
CREATE MASKING POLICY email_mask AS (val string) RETURNS string -> CASE WHEN current_role() IN ('ANALYST') THEN val ELSE '*********' END;
ALTER TAG sensitive_data SET MASKING POLICY email_mask;
ALTER TABLE employee SET TAG sensitive_data;

This example demonstrates creating a tag, a masking policy, and assigning the policy to the tag and the tag to a table.

3. Implementation Steps

Follow these steps to implement tag-based masking policies:

  • Create a Tag: Use the CREATE TAG command.
  • Create a Masking Policy: Use the CREATE MASKING POLICY statement.
  • Set Masking Policy to Tag: Use the ALTER command.
  • Set Tag to Snowflake Objects: Use the ALTER command.

Common Challenges and Solutions

  • Ensure the data types in the masking policy match the column data types to avoid errors.
  • Verify that the necessary privileges are granted to create and manage masking policies.
  • Use the INFORMATION_SCHEMA to validate the application of masking policies.

Recap

  • Snowflake masking policies provide robust security for sensitive data.
  • Tag-based masking policies offer scalable and flexible data protection.
  • Proper implementation and validation are crucial for maintaining data security and compliance.
In this story
This is also a heading
This is a heading

Keep reading

View all
Data Catalog

Secoda vs Atlan: A comparative study on data compliance features

Compliance Features: Reviewing how Secoda and Atlan support data compliance and regulatory requirements.

Data Catalog

Data literacy and adoption in your organization: Secoda vs Atlan

Data Literacy: Evaluating the role of Secoda and Atlan in promoting data literacy and user adoption.

Data Catalog

Scalability and performance: Comparative review of Secoda and Atlan

System Performance: Assessing the scalability and performance metrics of Secoda and Atlan in data management.

Get started in minutes

Built for data teams, designed for everyone so you can get more from your data stack.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
CustomersCareersDocumentationGlossary

Product

Data catalogData dictionaryData lineageData sharingData ticketingData governanceData privacyData observability

Solutions

Data LeadData EngineerData AnalystData ConsumersGovernance ManagerBusiness OperationsProduct Managers

Use cases

Metadata managementData onboardingData enablementData documentationSelf service business intelligence

Resources

PricingCustomersBlogGuidesDocumentationBuyers guideSecoda vs. AtlanSecoda vs. Open SourceSecoda vs. CastorSecoda vs. Select StarSecoda vs. CollibraROI calculatorData enablement whitepaperExplore

Company

AboutContact usCareersGDPR readinessSecurityBrand

Social

LinkedInXInstagramYoutube

© 2024 Secoda, Inc. All rights reserved.
By using this website, you accept our Terms of Use and Privacy Policy.