Masking Policy
You can configure the Snowflake Object Lifecycle Engine (SOLE) to perform the following operations on masking policies:
- Manage the lifecycle of new and existing masking policies
- Manage grants on masking policies
Usage
We have introduced SOLE for Data Products as a new framework for SOLE that helps you build an ecosystem of data products. The major difference is in how you define Snowflake objects in the configuration file.
Rather than a grouped collection of objects, SOLE for Data Products uses modular, self-describing, and explicit object definitions.
Learn more about SOLE for Data Products, currently available as a private preview.
We have also introduced Data Products as an extra layer on top of the data product platform capabilities, making data products easier to manage. Learn more about Data Products, currently available as a private preview.
Default Configuration

```yaml
databases:
  <database-name>:
    schemas:
      <schema-name>:
        masking_policies:
          <masking-policy-name>:
            <configuration-key>: <value>
            grants:
              <privilege>:
                - <role-name>
                - <role-name>
```

Data Products Configuration

```yaml
- masking_policy:
    name: <masking-policy-name>
    database: rel(database.<database-name>)
    schema: rel(schema.<schema-name>)
    grants:
      <privilege>:
        - rel(role.<grant-name>)
        - rel(role.<grant-name>)
```
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required/Optional | Data Types and Values | Description
---|---|---|---
masking_expression | Required | String | Specifies the SQL expression that transforms the data
return_data_type | Required | String | Specifies the data type to return
value_data_type | Required | String | Specifies the data type to mask
comment | Optional | String | Specifies a comment for the masking policy
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted
grants | Optional | Map: See Supported Masking Policy Grants to Roles | Lists privileges and the roles to which those privileges are granted on the current masking policy
manage_mode | Optional | String: all (default), none, grants | Configures which properties to manage for the masking policy. See Changing Manage Mode before changing the value.
Supported masking policy grants to roles
The following privileges can be granted to roles in a masking policy definition:
- ALL PRIVILEGES
- APPLY
When you define ALL PRIVILEGES in the SOLE configuration file, you grant all the privileges listed above to roles on this object. However, the management of ALL PRIVILEGES in SOLE differs from its handling in Snowflake. See Handling ALL PRIVILEGES in SOLE for more information.
Examples
Masking policy with masking expression in a single line
Default Configuration

```yaml
databases:
  SALES_RECORD:
    schemas:
      SALES:
        masking_policies:
          MASK_NUMBER:
            comment: "Number Masking Policy"
            value_data_type: NUMBER
            return_data_type: "NUMBER(38,0)"
            masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"
```

Data Products Configuration

```yaml
- masking_policy:
    name: MASK_NUMBER
    database: rel(database.SALES_RECORD)
    schema: rel(schema.SALES)
    comment: "Number Masking Policy"
    value_data_type: NUMBER
    return_data_type: "NUMBER(38,0)"
    masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"
```
Masking policy with masking expression in multiple lines
Default Configuration

```yaml
databases:
  SALES_RECORD:
    schemas:
      SALES:
        masking_policies:
          MASK_STRING:
            comment: "String Masking Policy"
            value_data_type: VARCHAR
            return_data_type: VARCHAR(16777216)
            masking_expression: >-
              CASE
              WHEN current_role() IN ('ACCOUNTADMIN') THEN val
              ELSE '*******'
              END
```

Data Products Configuration

```yaml
- masking_policy:
    # the policy name matches the Default Configuration above (MASK_STRING, not MASK_NUMBER)
    name: MASK_STRING
    database: rel(database.SALES_RECORD)
    schema: rel(schema.SALES)
    comment: "String Masking Policy"
    value_data_type: VARCHAR
    return_data_type: VARCHAR(16777216)
    masking_expression: >-
      CASE
      WHEN current_role() IN ('ACCOUNTADMIN') THEN val
      ELSE '*******'
      END
```
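A masking policy that is silently misconfigured (a typo in `manage_mode`, a privilege SOLE cannot grant, a return type that does not match the masked column) fails late, at apply time, after the policy has already been relied on. The linter below is an added example, not part of the SOLE project, that checks masking policy definitions against the supported-parameter table and the grant list on this page for both the Default and the Data Products layouts. It assumes the configuration has already been loaded into Python structures (with `yaml.safe_load` in practice; here the samples are embedded as dicts), that `rel(<kind>.<NAME>)` references follow the shape shown in the templates above, and that Snowflake's requirement that the return type match the input type can be approximated by comparing base type names and ignoring precision or length. The sample configurations are constructed: the page's own MASK_NUMBER and MASK_STRING policies plus a deliberately broken MASK_BROKEN policy.

```python
"""Lint SOLE masking-policy definitions against the supported-parameter table.

Added example (not SOLE's own code). Configs are embedded as Python dicts;
in a pipeline you would load them with yaml.safe_load() first.
"""
import re
from typing import Callable

REQUIRED_KEYS = {"masking_expression", "return_data_type", "value_data_type"}
OPTIONAL_KEYS = {"comment", "deleted", "grants", "manage_mode"}
ALLOWED_PRIVILEGES = {"ALL PRIVILEGES", "APPLY"}   # the only grants listed for this object
MANAGE_MODES = {"all", "none", "grants"}
# rel(<kind>.<NAME>) references of the Data Products layout (assumed grammar)
REL_RE = re.compile(r"^rel\((database|schema|role)\.[A-Za-z_][A-Za-z0-9_$]*\)$")


def base_type(data_type) -> str:
    """NUMBER(38,0) -> NUMBER, VARCHAR(16777216) -> VARCHAR."""
    return str(data_type).split("(", 1)[0].strip().upper()


def lint_policy(name: str, policy: dict, role_ok: Callable[[object], bool]) -> list:
    """Return the problems found in one masking policy (empty list means clean)."""
    problems = []
    keys = set(policy)
    for key in sorted(REQUIRED_KEYS - keys):
        problems.append(f"{name}: missing required key '{key}'")
    for key in sorted(keys - REQUIRED_KEYS - OPTIONAL_KEYS):
        problems.append(f"{name}: unsupported key '{key}'")
    # Snowflake requires the return type to match the masked column's type;
    # comparing base types only (ignoring precision/length) is a simplification.
    if REQUIRED_KEYS <= keys and base_type(policy["value_data_type"]) != base_type(policy["return_data_type"]):
        problems.append(f"{name}: return_data_type does not match value_data_type")
    mode = str(policy.get("manage_mode", "all"))
    if mode not in MANAGE_MODES:
        problems.append(f"{name}: manage_mode must be one of {sorted(MANAGE_MODES)}, got {mode!r}")
    if "deleted" in policy and not isinstance(policy["deleted"], bool):
        problems.append(f"{name}: deleted must be a boolean")
    grants = policy.get("grants", {})
    if not isinstance(grants, dict):
        problems.append(f"{name}: grants must be a map of privilege -> list of roles")
        return problems
    for privilege, roles in grants.items():
        if str(privilege).upper() not in ALLOWED_PRIVILEGES:
            problems.append(f"{name}: privilege '{privilege}' cannot be granted on a masking policy")
        if not isinstance(roles, list) or not roles:
            problems.append(f"{name}: grant '{privilege}' needs a non-empty list of roles")
            continue
        for role in roles:
            if not role_ok(role):
                problems.append(f"{name}: bad role reference {role!r} in grant '{privilege}'")
    return problems


def lint_default_config(config: dict) -> list:
    """Default layout: databases -> schemas -> masking_policies -> <name>; roles are plain names."""
    problems = []
    plain_role = lambda r: isinstance(r, str) and r.strip() != ""
    for db, db_def in (config.get("databases") or {}).items():
        for schema, sch_def in (db_def.get("schemas") or {}).items():
            for pname, pdef in (sch_def.get("masking_policies") or {}).items():
                problems += lint_policy(f"{db}.{schema}.{pname}", pdef or {}, plain_role)
    return problems


def lint_data_products_config(items: list) -> list:
    """Data Products layout: a list of {masking_policy: {...}} entries; roles are rel(role.X)."""
    problems = []
    rel_role = lambda r: isinstance(r, str) and r.startswith("rel(role.") and REL_RE.match(r) is not None
    for item in items:
        pdef = dict(item.get("masking_policy") or {})
        name = str(pdef.pop("name", "<unnamed>"))
        for key in ("database", "schema"):
            ref = pdef.pop(key, None)
            if not isinstance(ref, str) or not ref.startswith(f"rel({key}.") or not REL_RE.match(ref):
                problems.append(f"{name}: {key} must be a rel({key}.<name>) reference, got {ref!r}")
        problems += lint_policy(name, pdef, rel_role)
    return problems


# Constructed sample input: the page's MASK_NUMBER policy (clean) plus a broken one.
DEFAULT_CONFIG = {"databases": {"SALES_RECORD": {"schemas": {"SALES": {"masking_policies": {
    "MASK_NUMBER": {"comment": "Number Masking Policy", "value_data_type": "NUMBER",
                    "return_data_type": "NUMBER(38,0)", "grants": {"APPLY": ["SALES_ANALYST"]},
                    "masking_expression": "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"},
    "MASK_BROKEN": {"value_data_type": "VARCHAR", "return_data_type": "NUMBER", "masking_expression": "val",
                    "manage_mode": "grant", "grants": {"SELECT": ["SALES_ANALYST"]}},
}}}}}}

# Constructed sample input: the page's MASK_STRING policy with one malformed role reference.
DATA_PRODUCTS_CONFIG = [{"masking_policy": {
    "name": "MASK_STRING", "database": "rel(database.SALES_RECORD)", "schema": "rel(schema.SALES)",
    "value_data_type": "VARCHAR", "return_data_type": "VARCHAR(16777216)",
    "masking_expression": "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE '*******' END",
    "grants": {"APPLY": ["rel(role.SALES_ANALYST)", "SALES_ANALYST"]},
}}]

if __name__ == "__main__":
    for problem in lint_default_config(DEFAULT_CONFIG) + lint_data_products_config(DATA_PRODUCTS_CONFIG):
        print(problem)
```

Run it as a pre-commit hook or CI step over every configuration file; a non-empty result should fail the job so that only policies SOLE can actually apply reach the account.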