Masking Policy
Configuration can be provided to Snowflake Object Lifecycle Engine for the following operation with Masking Policy:
- Manage Lifecycle of new and existing Masking Policy
- Manage Grants of Masking Policy
Supported Parameters
The engine supports the parameters listed below.
- MASKING_EXPRESSION: Specifies the SQL expression that transforms the data.
- REQUIRED
- Configuration key:
masking_expression
- Data Type: String
- RETURN_DATA_TYPE: Specifies the data type to return.
- REQUIRED
- Configuration key:
return_data_type
- Data Type: String
- VALUE_DATA_TYPE: Specifies the data type to mask.
- REQUIRED
- Configuration key:
value_data_type
- Data Type: String
- COMMENT: Specifies a comment for the masking policy.
- Configuration key:
comment
- Data Type: String
- Configuration key:
- MANAGE_MODE: Configures what properties to manage for the Masking Policy.
- Configuration key:
manage_mode
- Data Type: String
- Possible Values:
none
grants
all
(Default)
- Configuration key:
- GRANTS: List of Privileges and Roles to which privileges are granted to on the current Masking Policy.
- Configuration key:
grants
- Data Type: Map
- Configuration key:
Basic syntax
databases:
<database-name>:
schemas:
<schema-name>:
masking_policies:
<masking-policy-name>:
<configuration-key>: <value>
grants:
<privilege>:
- <role-name>
- <role-name>
Supported Masking Policy Grants to Roles
Following is the list of Privileges Grant to Roles that can be specified in the masking policy definition
- ALL PRIVILEGES
- APPLY
Examples
Masking Policy with Masking Expression in single line
databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_NUMBER:
comment: "Number Masking Policy"
value_data_type: NUMBER
return_data_type: "NUMBER(38,0)"
masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"
Masking Policy with Masking Expression in multiple lines
databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_STRING:
comment: "String Masking Policy"
value_data_type: VARCHAR
return_data_type: "VARCHAR(16777216)"
masking_expression: >-
CASE
WHEN current_role() IN ('ACCOUNTADMIN') THEN val
ELSE '*******'
END