Skip to main content

Masking Policy

Configuration can be provided to Snowflake Object Lifecycle Engine for the following operation with Masking Policy:

  • Manage Lifecycle of new and existing Masking Policy
  • Manage Grants of Masking Policy

Supported Parameters

The engine supports the parameters listed below.

  • MASKING_EXPRESSION: Specifies the SQL expression that transforms the data.
    • REQUIRED
    • Configuration key: masking_expression
    • Data Type: String
  • RETURN_DATA_TYPE: Specifies the data type to return.
    • REQUIRED
    • Configuration key: return_data_type
    • Data Type: String
  • VALUE_DATA_TYPE: Specifies the data type to mask.
    • REQUIRED
    • Configuration key: value_data_type
    • Data Type: String
  • COMMENT: Specifies a comment for the masking policy.
    • Configuration key: comment
    • Data Type: String
  • MANAGE_MODE: Configures what properties to manage for the Masking Policy.
    • Configuration key: manage_mode
    • Data Type: String
    • Possible Values:
      • none
      • grants
      • all(Default)
  • GRANTS: List of Privileges and Roles to which privileges are granted to on the current Masking Policy.
    • Configuration key: grants
    • Data Type: Map

Basic syntax

databases:
<database-name>:
schemas:
<schema-name>:
masking_policies:
<masking-policy-name>:
<configuration-key>: <value>
grants:
<privilege>:
- <role-name>
- <role-name>

Supported Masking Policy Grants to Roles

Following is the list of Privileges Grant to Roles that can be specified in the masking policy definition

  • ALL PRIVILEGES
  • APPLY

Examples

Masking Policy with Masking Expression in single line

databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_NUMBER:
comment: "Number Masking Policy"
value_data_type: NUMBER
return_data_type: "NUMBER(38,0)"
masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"

Masking Policy with Masking Expression in multiple lines

databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_STRING:
comment: "String Masking Policy"
value_data_type: VARCHAR
return_data_type: "VARCHAR(16777216)"
masking_expression: >-
CASE
WHEN current_role() IN ('ACCOUNTADMIN') THEN val
ELSE '*******'
END