Skip to main content

Masking Policy

Configuration can be provided to Snowflake Object Lifecycle Engine for the following operation with Masking Policy:

  • Manage Lifecycle of new and existing Masking Policy
  • Manage Grants of Masking Policy

Supported Parameters

The engine supports the parameters listed below.

  • MASKING_EXPRESSION: Specifies the SQL expression that transforms the data.
    • REQUIRED
    • Configuration key: masking_expression
    • Data Type: String
  • RETURN_DATA_TYPE: Specifies the data type to return.
    • REQUIRED
    • Configuration key: return_data_type
    • Data Type: String
  • VALUE_DATA_TYPE: Specifies the data type to mask.
    • REQUIRED
    • Configuration key: value_data_type
    • Data Type: String
  • COMMENT: Specifies a comment for the masking policy.
    • Configuration key: comment
    • Data Type: String
  • MANAGE_MODE: Configures what properties to manage for the Masking Policy.
    • Configuration key: manage_mode
    • Data Type: String
    • Possible Values:
      • none
      • grants
      • all(Default)
  • GRANTS: List of Privileges and Roles to which privileges are granted to on the current Masking Policy.
    • Configuration key: grants
    • Data Type: Map

Basic syntax

databases:
  <database-name>:
    schemas:
      <schema-name>:
        masking_policies:
          <masking-policy-name>:
            <configuration-key>: <value>
            grants:
              <privilege>:
                - <role-name>
                - <role-name>

Supported Masking Policy Grants to Roles

Following is the list of Privileges Grant to Roles that can be specified in the masking policy definition

  • ALL PRIVILEGES
  • APPLY

Examples

Masking Policy with Masking Expression in single line

databases:
  SALES_RECORD:
    schemas:
      SALES:
        masking_policies:
          MASK_NUMBER:
            comment: "Number Masking Policy"
            value_data_type: NUMBER
            return_data_type: "NUMBER(38,0)"
            masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"

Masking Policy with Masking Expression in multiple lines

databases:
  SALES_RECORD:
    schemas:
      SALES:
        masking_policies:
          MASK_STRING:
            comment: "String Masking Policy"
            value_data_type: VARCHAR
            return_data_type: "VARCHAR(16777216)"
            masking_expression: >-
              CASE 
                WHEN current_role() IN ('ACCOUNTADMIN') THEN val 
                ELSE '*******' 
              END
Last updated on