Masking Policy

You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with masking policy:

Manage the lifecycle of new and existing masking policies
Manage grants of masking policy

Usage

note

We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. Learn more about SOLE for Data Products which is currently available as a private preview.

Masking Policy in Current Configuration
Masking Policy in SOLE for Data Products

databases:
  <database-name>:
    schemas:
      <schema-name>:
        masking_policies:
          <masking-policy-name>:
            <configuration-key>: <value>
            grants:
              <privilege>:
                - <role-name>
                - <role-name>

- masking_policy:
    name: <masking-policy-name>
    database: rel(database.<database-name>)
    schema: rel(schema.<schema-name>)
    grants:
      <privilege>:
        - rel(role.<grant-name>)
        - rel(role.<grant-name>)

Supported parameters

The engine supports the parameters listed below.

Configuration Key	Required/Optional	Data Types and Values	Description
`masking_expression`	Required	String	Specifies the SQL expression that transforms the data
`return_data_type`	Required	String	Specifies the data type to return
`value_data_type`	Required	String	Specifies the data type to mask
`comment`	Optional	String	Specifies a comment for the masking policy
`deleted`	Optional	Boolean: `True` enables deletion prevention, `False` does nothing	Specifies what objects are allowed to be deleted
`grants`	Optional	Map: See Supported Masking Policy Grants to Roles	Lists Privileges and Roles to which privileges are granted on the current masking policy
`manage_mode`	Optional	String: `all` (default), `none`, `grants`	Configures what properties to manage for the masking policy. See Changing Manage Mode before changing the value.

Supported masking policy grants to roles

Following are the privileges you can grant to roles in the masking policy definition:

ALL PRIVILEGES
APPLY

Examples

Masking policy with masking expression in a single line

Masking Policy in Current Configuration
Masking Policy in SOLE for Data Products

databases:
  SALES_RECORD:
    schemas:
      SALES:
        masking_policies:
          MASK_NUMBER:
            comment: "Number Masking Policy"
            value_data_type: NUMBER
            return_data_type: "NUMBER(38,0)"
            masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"

- masking_policy:
    name: MASK_NUMBER
    database: rel(database.SALES_RECORD)
    schema: rel(schema.SALES)
    comment: "Number Masking Policy"
    value_data_type: NUMBER
    return_data_type: "NUMBER(38,0)"
    masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"

Masking policy with masking expression in multiple lines

Masking Policy in Current Configuration
Masking Policy in SOLE for Data Products

databases:
  SALES_RECORD:
    schemas:
      SALES:
        masking_policies:
          MASK_STRING:
            comment: "String Masking Policy"
            value_data_type: VARCHAR
            return_data_type: VARCHAR(16777216)
            masking_expression: >-
              CASE 
                WHEN current_role() IN ('ACCOUNTADMIN') THEN val 
                ELSE '*******' 
              END

- masking_policy:
    name: MASK_NUMBER
    database: rel(database.SALES_RECORD)
    schema: rel(schema.SALES)
    comment: "String Masking Policy"
    value_data_type: VARCHAR
    return_data_type: VARCHAR(16777216)
    masking_expression: >-
      CASE
        WHEN current_role() IN ('ACCOUNTADMIN') THEN val
        ELSE '*******'
      END

Usage​

Supported parameters​

Supported masking policy grants to roles​

Examples​

Masking policy with masking expression in a single line​

Masking policy with masking expression in multiple lines​