Google BigQuery Column-Level Security

Column-Level Security (CLS) allows organizations to control access to specific columns within a BigQuery table, ensuring that sensitive data is only visible to authorized principals.

In BigQuery, Column-Level Security is enforced through a three-layer architecture:

  1. Policy Tag (Taxonomy) — A classification label within a Data Catalog Taxonomy (e.g., "SSN" under a "Sensitivity" taxonomy).
  2. Schema Association — The Policy Tag is attached to a specific column in the table schema.
  3. Data Policy — A resource that links the Policy Tag to a masking rule and grants access to specific principals.

Masking is not applied directly to a column; it is applied to the tag on that column. PlainID discovers the Policy Tags as protected resources and the linked Data Policies in their native form, giving users visibility into data protection in Google BigQuery and laying the foundation for centralized policy management.


Dynamic Data Masking

BigQuery supports the following masking rules, which PlainID exposes as options when defining a Column Masking Policy:

| Masking Rule | Behavior |
| --- | --- |
| SHA256 | Replaces the column value with its SHA-256 hash |
| ALWAYS_NULL | Returns NULL for all values (full redaction) |
| DEFAULT_MASKING_VALUE | Returns 0 for numbers, empty string for strings |
| LAST_FOUR_CHARACTERS | Shows only the last four characters (e.g., for SSN) |
| FIRST_FOUR_CHARACTERS | Shows only the first four characters |
| EMAIL_MASK | Masks the local part of an email address |
| DATE_YEAR_MASK | Returns only the year portion of a date |

In addition, Routines (User Defined Functions) can be created and set as the masking logic within a Data Policy.
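The column-to-tag-to-Data-Policy chain from the three-layer architecture, combined with four of the masking rules listed above, as an added Python example that is not PlainID or Google code. Assumptions: the tag names, principals and dictionary shapes are constructed; the `XXXXX` filler, hex hash encoding, hashing of values of four characters or fewer, and denial of principals with no grant on a tag are this example's own choices.

```python
import hashlib

# Constructed sample data in a simplified shape (not a BigQuery API payload).
SCHEMA = {  # layer 2: column -> attached Policy Tag (None = untagged)
    "customer_id": None,
    "ssn": "Sensitivity/SSN",
    "email": "Sensitivity/Email",
    "notes": "Sensitivity/FreeText",
}
DATA_POLICIES = [  # layer 3: tag -> masking rule + granted principals
    {"tag": "Sensitivity/SSN", "rule": "LAST_FOUR_CHARACTERS",
     "principals": {"group:support@example.com"}},
    {"tag": "Sensitivity/Email", "rule": "SHA256",
     "principals": {"group:support@example.com"}},
]

def sha256_hex(value):
    return hashlib.sha256(str(value).encode()).hexdigest()

def last_four(value):
    text = str(value)
    # Values of four characters or fewer would pass through unmasked, so hash them.
    return sha256_hex(text) if len(text) <= 4 else "XXXXX" + text[-4:]

MASKS = {
    "SHA256": sha256_hex,
    "ALWAYS_NULL": lambda v: None,
    "DEFAULT_MASKING_VALUE": lambda v: 0 if isinstance(v, (int, float)) else "",
    "LAST_FOUR_CHARACTERS": last_four,
}

def read_column(principal, column, value):
    """Resolve column -> tag -> Data Policy, then mask for this principal."""
    tag = SCHEMA[column]
    if tag is None:
        return value  # no tag attached, so nothing to enforce
    for policy in DATA_POLICIES:
        if policy["tag"] == tag and principal in policy["principals"]:
            return MASKS[policy["rule"]](value)
    # Assumption: a principal with no grant on the tag cannot read the column.
    raise PermissionError(f"{principal} has no grant on tag {tag}")

def tags_without_policy():
    """Audit check: tags attached to a column that no Data Policy references."""
    covered = {p["tag"] for p in DATA_POLICIES}
    return sorted({t for t in SCHEMA.values() if t and t not in covered})
```

Because enforcement follows the tag, `tags_without_policy()` is the check to run after schema changes: a tagged column whose tag has no Data Policy has no masking rule defined for it.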


Google BigQuery Column-Level Policies in PlainID

Column-Level Policies in PlainID are displayed in the Native mode.

To view a Column-Level Policy in Native:

  1. In the Policies Workspace, select the relevant Policy connected to Google BigQuery.
  2. On the top navigation bar, click Native.
  3. The Native Code panel displays the Policy Core Logic, Identities Filter, and UDF (if applicable) for the Column-Level Policy.


Known Limitations

| Limitation | Details |
| --- | --- |
| Native Mode | This POP can only be used in Native Mode. |
| Editing a Policy | Editing Policies in the Native tab under Learn Mode is not intended behavior; users should refrain from making Policy changes in their Platform until Manage Mode is released. |

© 2026 PlainID LTD. All rights reserved.