Skip to main content

Masking Policy

Configuration can be provided to Snowflake Object Lifecycle Engine for the following operation with Masking Policy:

  • Manage Lifecycle of new and existing Masking Policy
  • Manage Grants of Masking Policy

Supported Parameters#

The engine supports the parameters listed below.

  • MASKING_EXPRESSION: Specifies the SQL expression that transforms the data.
    • REQUIRED
    • Configuration key: masking_expression
    • Data Type: String
  • RETURN_DATA_TYPE: Specifies the data type to return.
    • REQUIRED
    • Configuration key: return_data_type
    • Data Type: String
  • VALUE_DATA_TYPE: Specifies the data type to mask.
    • REQUIRED
    • Configuration key: value_data_type
    • Data Type: String
  • COMMENT: Specifies a comment for the masking policy.
    • Configuration key: comment
    • Data Type: String
  • MANAGE_MODE: Configures what properties to manage for the Masking Policy.
    • Configuration key: manage_mode
    • Data Type: String
    • Possible Values:
      • none
      • grants
      • all(Default)
  • GRANTS: List of Privileges and Roles to which privileges are granted to on the current Masking Policy.
    • Configuration key: grants
    • Data Type: Map

Basic syntax#

databases:  <database-name>:    schemas:      <schema-name>:        masking_policies:          <masking-policy-name>:            <configuration-key>: <value>            grants:              <privilege>:                - <role-name>                - <role-name>

Supported Masking Policy Grants to Roles#

Following is the list of Privileges Grant to Roles that can be specified in the masking policy definition

  • ALL PRIVILEGES
  • APPLY

Examples#

Masking Policy with Masking Expression in single line#

databases:  SALES_RECORD:    schemas:      SALES:        masking_policies:          MASK_NUMBER:            comment: "Number Masking Policy"            value_data_type: NUMBER            return_data_type: "NUMBER(38,0)"            masking_expression: "CASE WHEN current_role() IN ('ACCOUNTADMIN') THEN val ELSE null END"

Masking Policy with Masking Expression in multiple lines#

databases:  SALES_RECORD:    schemas:      SALES:        masking_policies:          MASK_STRING:            comment: "String Masking Policy"            value_data_type: VARCHAR            return_data_type: "VARCHAR(16777216)"            masking_expression: >-              CASE                 WHEN current_role() IN ('ACCOUNTADMIN') THEN val                 ELSE '*******'               END
Last updated on