Skip to main content

Masking Policy

You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with masking policy:

  • Manage the lifecycle of new and existing masking policies
  • Manage grants of masking policy

Usage

note

We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. Learn more about SOLE for Data Products which is currently available as a private preview.

databases:
<database-name>:
schemas:
<schema-name>:
masking_policies:
<masking-policy-name>:
<configuration-key>: <value>
grants:
<privilege>:
- <role-name>
- <role-name>

Supported parameters

The engine supports the parameters listed below.

Configuration KeyRequired/OptionalData Types and ValuesDescription
masking_expressionRequiredStringSpecifies the SQL expression that transforms the data
return_data_typeRequiredStringSpecifies the data type to return
value_data_typeRequiredStringSpecifies the data type to mask
commentOptionalStringSpecifies a comment for the masking policy
deletedOptionalBoolean: True enables deletion prevention, False does nothingSpecifies what objects are allowed to be deleted
grantsOptionalMap: See Supported Masking Policy Grants to RolesLists Privileges and Roles to which privileges are granted on the current masking policy
manage_modeOptionalString: all (default), none, grantsConfigures what properties to manage for the masking policy.
See Changing Manage Mode before changing the value.

Supported masking policy grants to roles

Following are the privileges you can grant to roles in the masking policy definition:

  • ALL PRIVILEGES
  • APPLY

Examples

Masking policy with masking expression in a single line

databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_NUMBER:
comment: "Number Masking Policy"
value_data_type: NUMBER
return_data_type: "NUMBER(38,0)"
masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"

Masking policy with masking expression in multiple lines

databases:
SALES_RECORD:
schemas:
SALES:
masking_policies:
MASK_STRING:
comment: "String Masking Policy"
value_data_type: VARCHAR
return_data_type: VARCHAR(16777216)
masking_expression: >-
CASE
WHEN current_role() IN ('ACCOUNTADMIN') THEN val
ELSE '*******'
END