Tag
You can provide configuration to Snowflake Object Lifecycle Engine (SOLE) for the following operations on tags:
- Manage the lifecycle of new and existing tags
- Manage the grants of tags
- Manage masking policies associated with tags
This configuration defines the tag as a Snowflake object for further use. It does not apply the tag to an object. For details on how to apply tags to objects within SOLE, see SOLE Tags Management.
Usage
Default Configuration:

```yaml
databases:
  <database-name>:
    schemas:
      <schema-name>:
        tags:
          <tag-name>:
            <configuration-key>: <value>
```

Data Products Configuration:

```yaml
- tag:
    name: <tag-name>
    <configuration-key>: <value>
    database: rel(database.<database-name>)
    schema: rel(schema.<schema-name>)
```
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required/Optional | Data Types and Values | Description |
---|---|---|---|
allowed_values | Optional | List of String | List of allowed values for the tag |
associated_masking_policies | Optional | Object: See the associated_masking_policies parameter section for a definition | List of masking policy references to apply to the current tag |
comment | Optional | String | Specifies a comment for the tag |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
grants | Optional | Map: See Supported Tag Grants to Roles | List of Privileges and Roles to which privileges are granted on the current tag |
manage_mode | Optional | String: all (default), none, grants | Configures what properties to manage for the tag. See Changing Manage Mode before changing the value. |
associated_masking_policies parameter
You can specify one or more masking policies to apply to the tag in the tag definition. Each policy must have a unique data type, as combining multiple masking policies with the same data type within a single tag is not allowed. See Masking policy with masking expression in multiple lines for an example of a masking policy with a data type.
List the masking policies under associated_masking_policies in an object format with the following parameters:
Parameter | Required/Optional | Data Type and Values | Description |
---|---|---|---|
masking_policy | Required | String | Name of the masking policy |
schema | Required | String | Schema of the masking policies identifier |
database | Optional | String | Database of the masking policies identifier. If omitted, it defaults to the name of the current database. |
If the tag on which the masking policy is set is applied to a shared object, the Destroy job does not unset the masking policy, to prevent accidental data exposure. This might lead to job failure.
To unset the masking policy, you must manually remove it from the tag.
Example
Tag with Single Masking Policy:

```yaml
databases:
  TEST_DATABASE:
    comment: TEST_DATABASE
    schemas:
      TAG_LIBRARY:
        tags:
          CONFIDENTIALITY:
            comment: "CONFIDENTIALITY Tag"
            allowed_values: ["Sensitive", "Highly Sensitive"]
            associated_masking_policies:
              MASK_STRING:
                schema: POLICY_LIBRARY
                database: TEST_DATABASE
```

Tag with Multiple Masking Policies:

```yaml
databases:
  TEST_DATABASE:
    comment: TEST_DATABASE
    schemas:
      TAG_LIBRARY:
        tags:
          CONFIDENTIALITY:
            comment: "CONFIDENTIALITY Tag"
            allowed_values: ["Sensitive", "Highly Sensitive"]
            associated_masking_policies:
              MASK_STRING:
                schema: POLICY_LIBRARY
                database: TEST_DATABASE
              MASK_POLICY:
                schema: POLICY_LIBRARY
                database: TEST_DATABASE
```
Supported tag grants to roles
You can grant the following privilege to roles in the tag definition:
- APPLY
Examples
Default Configuration:

```yaml
databases:
  PRODUCTS_RECORD:
    schemas:
      PRODUCTS:
        tags:
          PRODUCT:
            comment: "PRODUCT Tag"
            allowed_values: ["Red", "Yellow", "Blue"]
            grants:
              APPLY:
                - READER
                - WRITER
                - ADMIN
```

Data Products Configuration:

```yaml
- tag:
    name: PRODUCT
    database: rel(database.PRODUCTS_RECORD)
    schema: rel(schema.PRODUCTS)
    comment: "PRODUCT Tag"
    allowed_values: ["Red", "Yellow", "Blue"]
    grants:
      APPLY:
        - rel(role.READER)
        - rel(role.WRITER)
        - rel(role.ADMIN)
```
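A pre-deployment check for the rules described on this page (supported keys, the single APPLY privilege, the required `schema` of each policy reference, and one masking policy per data type), as an added example that is not part of SOLE or of the original documentation. The `lint_tag` function, the `policy_types` lookup, the `SELECT` grant and the data types in the sample are assumptions made for illustration.

```python
# Added example, not SOLE code: lint one tag definition against this page's rules.
SUPPORTED_KEYS = {"allowed_values", "associated_masking_policies", "comment",
                  "deleted", "grants", "manage_mode"}
MANAGE_MODES = {"all", "none", "grants"}
TAG_PRIVILEGES = {"APPLY"}  # the only privilege the page lists for tags


def lint_tag(name, tag, current_db, policy_types):
    """Return findings; policy_types (assumed) maps (database, schema, policy) -> data type."""
    out = [f"{name}: unsupported key '{k}'" for k in sorted(set(tag) - SUPPORTED_KEYS)]
    if tag.get("manage_mode", "all") not in MANAGE_MODES:
        out.append(f"{name}: invalid manage_mode '{tag['manage_mode']}'")
    if not all(isinstance(v, str) for v in tag.get("allowed_values", [])):
        out.append(f"{name}: allowed_values must be a list of strings")
    for priv in tag.get("grants", {}):
        if priv not in TAG_PRIVILEGES:
            out.append(f"{name}: privilege '{priv}' is not supported on tags")
    seen = {}  # data type -> first policy that claimed it
    for policy, ref in tag.get("associated_masking_policies", {}).items():
        if "schema" not in (ref or {}):
            out.append(f"{name}: policy '{policy}' lacks required 'schema'")
            continue
        # database is optional and defaults to the current database
        dtype = policy_types.get((ref.get("database", current_db), ref["schema"], policy))
        if dtype is None:
            out.append(f"{name}: no known data type for policy '{policy}'")
        elif dtype in seen:
            out.append(f"{name}: '{seen[dtype]}' and '{policy}' both mask {dtype}")
        else:
            seen[dtype] = policy
    return out


# Constructed sample: the page's two-policy tag plus an unsupported grant,
# with assumed data types for the two policies.
POLICY_TYPES = {("TEST_DATABASE", "POLICY_LIBRARY", "MASK_STRING"): "VARCHAR",
                ("TEST_DATABASE", "POLICY_LIBRARY", "MASK_POLICY"): "VARCHAR"}
CONFIDENTIALITY = {
    "comment": "CONFIDENTIALITY Tag",
    "allowed_values": ["Sensitive", "Highly Sensitive"],
    "grants": {"APPLY": ["READER"], "SELECT": ["READER"]},
    "associated_masking_policies": {
        "MASK_STRING": {"schema": "POLICY_LIBRARY"},
        "MASK_POLICY": {"schema": "POLICY_LIBRARY", "database": "TEST_DATABASE"}},
}

if __name__ == "__main__":
    for finding in lint_tag("CONFIDENTIALITY", CONFIDENTIALITY, "TEST_DATABASE", POLICY_TYPES):
        print(finding)
```

Running the check in CI before the engine applies the configuration catches a tag that would leave a column type unmasked or carry a grant the engine does not support for tags.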