Masking Policy
You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with masking policy:
- Manage the lifecycle of new and existing masking policies
- Manage grants of masking policy
Usage
note
We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. Learn more about SOLE for Data Products which is currently available as a private preview.
- Masking Policy in Current Configuration
- Masking Policy in SOLE for Data Products
databases:
<database-name>:
schemas:
<schema-name>:
masking_policies:
<masking-policy-name>:
<configuration-key>: <value>
grants:
<privilege>:
- <role-name>
- <role-name>
- masking_policy:
name: <masking-policy-name>
database: rel(database.<database-name>)
schema: rel(schema.<schema-name>)
grants:
<privilege>:
- rel(role.<grant-name>)
- rel(role.<grant-name>)
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required/Optional | Data Types and Values | Description |
---|---|---|---|
masking_expression | Required | String | Specifies the SQL expression that transforms the data |
return_data_type | Required | String | Specifies the data type to return |
value_data_type | Required | String | Specifies the data type to mask |
comment | Optional | String | Specifies a comment for the masking policy |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
grants | Optional | Map: See Supported Masking Policy Grants to Roles | Lists Privileges and Roles to which privileges are granted on the current masking policy |
manage_mode | Optional | String: all (default), none , grants | Configures what properties to manage for the masking policy. See Changing Manage Mode before changing the value. |
Supported masking policy grants to roles
Following are the privileges you can grant to roles in the masking policy definition:
- ALL PRIVILEGES
- APPLY
Examples
Masking policy with masking expression in a single line
- Masking Policy in Current Configuration
- Masking Policy in SOLE for Data Products
databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_NUMBER:
comment: "Number Masking Policy"
value_data_type: NUMBER
return_data_type: "NUMBER(38,0)"
masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"
- masking_policy:
name: MASK_NUMBER
database: rel(database.SALES_RECORD)
schema: rel(schema.SALES)
comment: "Number Masking Policy"
value_data_type: NUMBER
return_data_type: "NUMBER(38,0)"
masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"
Masking policy with masking expression in multiple lines
- Masking Policy in Current Configuration
- Masking Policy in SOLE for Data Products
databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_STRING:
comment: "String Masking Policy"
value_data_type: VARCHAR
return_data_type: VARCHAR(16777216)
masking_expression: >-
CASE
WHEN current_role() IN ('ACCOUNTADMIN') THEN val
ELSE '*******'
END
- masking_policy:
name: MASK_NUMBER
database: rel(database.SALES_RECORD)
schema: rel(schema.SALES)
comment: "String Masking Policy"
value_data_type: VARCHAR
return_data_type: VARCHAR(16777216)
masking_expression: >-
CASE
WHEN current_role() IN ('ACCOUNTADMIN') THEN val
ELSE '*******'
END