Tag

You can provide configuration to the Snowflake Object Lifecycle Engine (SOLE) for the following tag operations:

  • Manage the lifecycle of new and existing tags
  • Manage the grants of tags
  • Manage masking policies associated with tags

This configuration defines the tag as a Snowflake object for further use; it does not apply the tag to an object. For details on how to apply tags to objects within SOLE, see SOLE Tags Management.

Usage

databases:
  <database-name>:
    schemas:
      <schema-name>:
        tags:
          <tag-name>:
            <configuration-key>: <value>

Supported parameters

The engine supports the parameters listed below.

| Configuration Key | Required/Optional | Data Types and Values | Description |
| --- | --- | --- | --- |
| allowed_values | Optional | List of String | List of allowed values for the tag |
| associated_masking_policies | Optional | Object: See associated_masking_policies parameter for a definition | List of masking policy references to apply to the current tag |
| comment | Optional | String | Specifies a comment for the tag |
| deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
| grants | Optional | Map: See Supported Tag Grants to Roles | List of Privileges and Roles to which privileges are granted on the current tag |
| manage_mode | Optional | String: all (default), none, grants | Configures what properties to manage for the tag. See Changing Manage Mode before changing the value. |

associated_masking_policies parameter

You can specify one or more masking policies to apply to the tag in the tag definition. Each policy must have a unique data type, because combining multiple masking policies with the same data type within a single tag is not allowed. See Masking policy with masking expression in multiple lines for an example of a masking policy with a data type.

List the masking policies under associated_masking_policies in an object format with the following parameters:

| Parameter | Required/Optional | Data Type and Values | Description |
| --- | --- | --- | --- |
| masking_policy | Required | String | Name of the masking policy |
| schema | Required | String | Schema of the masking policies identifier |
| database | Optional | String | Database of the masking policies identifier. If omitted, it defaults to the name of the current database. |

Tag applied on Shared objects

If the tag on which the masking policy is set is applied on a shared object, the masking policy is not unset during the Destroy job, to prevent accidental data exposure. This might lead to job failure.

To unset the masking policy, you must manually remove it from the tag.

Example

databases:
  TEST_DATABASE:
    comment: TEST_DATABASE
    schemas:
      TAG_LIBRARY:
        tags:
          CONFIDENTIALITY:
            comment: "CONFIDENTIALITY Tag"
            allowed_values: ["Sensitive", "Highly Sensitive"]
            associated_masking_policies:
              MASK_STRING:
                schema: POLICY_LIBRARY
                database: TEST_DATABASE

Supported tag grants to roles

The following privilege can be granted to roles in the tag definition:

  • APPLY

Examples

databases:
  PRODUCTS_RECORD:
    schemas:
      PRODUCTS:
        tags:
          PRODUCT:
            comment: "PRODUCT Tag"
            allowed_values: ["Red", "Yellow", "Blue"]
            grants:
              APPLY:
                - READER
                - WRITER
                - ADMIN
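
A pre-deployment check for the rules on this page, as an added Python example (not part of the DataOps.live documentation or product code): it walks a parsed configuration and reports unsupported keys, privileges other than APPLY, masking policy references without a schema, and two policies of the same data type on one tag. The names `lint_tags` and `policy_types` and the sample values are assumptions; the policy name is taken from the map key, as in the masking policy example above.

```python
SUPPORTED_KEYS = {"allowed_values", "associated_masking_policies", "comment",
                  "deleted", "grants", "manage_mode"}
MANAGE_MODES = {"all", "none", "grants"}
TAG_PRIVILEGES = {"APPLY"}


def lint_tags(config, policy_types=None):
    """Return findings for every tag under databases/schemas/tags.

    policy_types: hypothetical map of DB.SCHEMA.POLICY -> data type, used to
    check that no tag combines two policies with the same data type.
    """
    types, findings = policy_types or {}, []
    for db, db_cfg in config.get("databases", {}).items():
        for schema, schema_cfg in db_cfg.get("schemas", {}).items():
            for tag, cfg in schema_cfg.get("tags", {}).items():
                where = f"{db}.{schema}.{tag}"
                for key in sorted(set(cfg) - SUPPORTED_KEYS):
                    findings.append(f"{where}: unsupported key '{key}'")
                if cfg.get("manage_mode", "all") not in MANAGE_MODES:
                    findings.append(f"{where}: invalid manage_mode")
                for priv in sorted(set(cfg.get("grants", {})) - TAG_PRIVILEGES):
                    findings.append(f"{where}: privilege '{priv}' not listed for tags")
                seen = {}  # data type -> first policy that used it
                # Assumption: the policy name is the map key, as in the page's example.
                for name, ref in cfg.get("associated_masking_policies", {}).items():
                    if not ref.get("schema"):
                        findings.append(f"{where}: policy '{name}' missing schema")
                        continue
                    # database defaults to the current database when omitted
                    fq = f"{ref.get('database', db)}.{ref['schema']}.{name}"
                    dtype = types.get(fq)
                    if dtype in seen:
                        findings.append(f"{where}: {fq} and {seen[dtype]} share {dtype}")
                    elif dtype:
                        seen[dtype] = fq
    return findings


# Constructed sample input, shaped like the parsed YAML configuration.
SAMPLE = {"databases": {"TEST_DATABASE": {"schemas": {"TAG_LIBRARY": {"tags": {
    "CONFIDENTIALITY": {
        "allowed_values": ["Sensitive", "Highly Sensitive"],
        "grants": {"APPLY": ["ADMIN"], "OWNERSHIP": ["WRITER"]},
        "associated_masking_policies": {
            "MASK_STRING": {"schema": "POLICY_LIBRARY"},
            "MASK_EMAIL": {"schema": "POLICY_LIBRARY", "database": "TEST_DATABASE"},
            "MASK_NUMBER": {"database": "TEST_DATABASE"}}}}}}}}}
SAMPLE_TYPES = {"TEST_DATABASE.POLICY_LIBRARY.MASK_STRING": "VARCHAR",
                "TEST_DATABASE.POLICY_LIBRARY.MASK_EMAIL": "VARCHAR"}
```

Calling `lint_tags(SAMPLE, SAMPLE_TYPES)` on the constructed input returns three findings: the OWNERSHIP grant, the two VARCHAR policies on one tag, and the MASK_NUMBER reference without a schema.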