Snowflake Native Policy Support


This guide outlines the supported functions for implementing data masking and row-level access control in Snowflake when configuring Native Policies in the Platform Authorization Workspace. It covers the creation of policies, the application of functions to tables, columns, and tags, and the parameters required for each function. Understanding these constructs ensures proper configuration and enforcement of security policies in your Snowflake environment.

Related Articles:

Creating Policies
Managing Policies
Snowflake Setup


Masking

Masking functions in Snowflake are used to control access to sensitive data by transforming or hiding the values in specific columns. This section explains how to define masking policies, how to apply them to table columns and tags, and which parameters are required to configure them effectively. A table of function parameters is included at the end of the section.

Policy

A masking policy in Snowflake defines the logic used to mask sensitive data.

CREATE [ OR REPLACE ] MASKING POLICY <name> AS
( <arg_name_to_mask> <arg_type_to_mask> [ , <arg_1> <arg_type_1> ... ] )
RETURNS <arg_type_to_mask> -> <body>
[ COMMENT = '<string_literal>' ];

Important Guidelines

See Policy Function Parameters for more details on arguments, body, and comment.

  • The <name> is the same name created in the details section.
  • Must start with CREATE MASKING POLICY or CREATE OR REPLACE MASKING POLICY
  • AS indicates a declarative statement
  • RETURNS defines the return value
  • Only one function per policy

Tags

Masking policies can also be applied to Snowflake tags to ensure consistent masking behavior across columns associated with those tags.

ALTER TAG <name> SET MASKING POLICY <masking_policy_name>;

Important Notes
  • Must start with ALTER TAG
  • Only SET is supported
  • Multiple functions can be separated with ;
  • [FORCE] and [IF EXISTS] are not supported

Columns

After defining a masking policy, it can be applied to table or view columns. This ensures that queries accessing these columns return masked results according to the policy logic.

ALTER TABLE <table_name> MODIFY COLUMN <column_name_to_mask> 
SET MASKING POLICY <policy_name> [USING ( <col1_name>, <cond_col_1>, ... )];

ALTER VIEW <view_name> MODIFY COLUMN <column_name_to_mask> 
SET MASKING POLICY <policy_name> [USING ( <col1_name>, <cond_col_1>, ... )];

Important Notes
  • Must start with ALTER TABLE or ALTER VIEW
  • Only SET is supported
  • Multiple functions can be separated with ;

Function Parameters

The table below summarizes the parameters used when creating masking functions in Snowflake, including their purpose and expected values.

| Parameter | Description |
|---|---|
| <arg_name_to_mask> | Name of the column or value to be masked |
| <arg_type_to_mask> | Data type of the value being masked |
| <arg_1>, <arg_type_1>, ... | Optional additional arguments for policy logic |
| <body> | SQL expression defining the masking logic |
| COMMENT | Optional string literal describing the policy |
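
The masking constructs above filled in end to end, as an added example that is not part of the original guide. All policy, role, tag, schema and table names are hypothetical, and each CREATE statement stands for a separate policy because only one function per policy is supported.

```sql
-- Added example: all object, role and tag names below are hypothetical.

-- Policy function. <name> must match the policy name entered in the
-- details section. The ELSE branch is the default, so any role that is
-- not explicitly allowed receives the masked value.
CREATE OR REPLACE MASKING POLICY email_mask AS
(val STRING)
RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val     -- authorized: clear text
    ELSE REGEXP_REPLACE(val, '^[^@]+', '*****')        -- others: hide local part
  END
COMMENT = 'Mask e-mail local part unless PII_READER is active';

-- Column functions: direct assignment to a table column and a view
-- column, separated with ";".
ALTER TABLE crm.customers MODIFY COLUMN email
SET MASKING POLICY email_mask;
ALTER VIEW crm.customers_v MODIFY COLUMN email
SET MASKING POLICY email_mask;

-- Tag function: STRING columns carrying this tag pick up the policy.
ALTER TAG governance.pii_email SET MASKING POLICY email_mask;

-- A second, conditional policy: the first argument is the column being
-- masked, the second is a condition column supplied through USING.
CREATE OR REPLACE MASKING POLICY email_by_visibility AS
(email STRING, visibility STRING)
RETURNS STRING ->
  CASE
    WHEN visibility = 'PUBLIC' THEN email
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN email
    ELSE '*****'
  END;

-- The USING list starts with the masked column, followed by the
-- condition columns in the order the policy declares them.
ALTER TABLE crm.contacts MODIFY COLUMN email
SET MASKING POLICY email_by_visibility USING (email, visibility);
```

The policy's argument type and RETURNS type must match the data type of every column it is attached to, directly or through a tag.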

Row Access

Row access functions in Snowflake allow you to implement row-level security by filtering the data returned for a given query based on defined criteria. This section explains how to define row access policies, how to apply them to tables and views, and how to configure the necessary parameters. A table of function parameters is included at the end of the section.

Policy

A row access policy in Snowflake defines the logic used to determine whether a row should be accessible.

CREATE [ OR REPLACE ] ROW ACCESS POLICY <name> AS
( <arg_name> <arg_type> [ , ... ] ) RETURNS BOOLEAN -> <body>
[ COMMENT = '<string_literal>' ]

Important Guidelines

See Policy Function Parameters for more details on arguments, body, and comment.

  • The <name> is the same name created in the details section.
  • Must start with CREATE ROW ACCESS POLICY or CREATE OR REPLACE ROW ACCESS POLICY
  • AS indicates a declarative statement
  • RETURNS defines the return value
  • Only one function per policy

Tables

After defining a row access policy, it can be applied to tables or views. This ensures that only rows meeting the policy conditions are returned in query results.

ALTER TABLE <table_name> ADD ROW ACCESS POLICY <policy_name> ON (col_name [ , ... ]);
ALTER VIEW <view_name> ADD ROW ACCESS POLICY <policy_name> ON (col_name [ , ... ]);

Important Guidelines
  • Must start with ALTER TABLE or ALTER VIEW
  • Only ADD is supported (no DROP)
  • Multiple functions can be separated with ;

Function Parameters

The table below provides a concise summary of the parameters required when creating row access policies in Snowflake, explaining the role of each in defining access control logic.

| Parameter | Description |
|---|---|
| <arg_name> | Name of the argument used in the row access policy |
| <arg_type> | Data type of the argument |
| <body> | SQL expression defining the row access logic |
| COMMENT | Optional description of the policy |
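
A row access policy and its table and view functions written out in full, as an added example that is not part of the original guide. The policy, role, schema and table names, including the security.region_entitlements mapping table, are hypothetical.

```sql
-- Added example: schema, table, role and policy names are hypothetical.

-- Mapping table the policy consults (constructed for this example; it is
-- created and populated outside the policy function):
--   security.region_entitlements(role_name VARCHAR, region VARCHAR)

-- Policy function (one CREATE per policy). The body must evaluate to a
-- BOOLEAN for each row: TRUE returns the row, FALSE filters it out.
CREATE OR REPLACE ROW ACCESS POLICY sales_region_rap AS
(sales_region VARCHAR) RETURNS BOOLEAN ->
  IS_ROLE_IN_SESSION('SALES_EXECUTIVE')        -- executives see every row
  OR EXISTS (
    SELECT 1
    FROM security.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()         -- matches the primary role only
      AND e.region = sales_region
  )
  -- When neither branch matches, the expression is FALSE and the row is
  -- hidden, so roles missing from the mapping table see nothing.
COMMENT = 'Rows visible to SALES_EXECUTIVE or to roles entitled to the region';

-- Table and view functions, separated with ";". The column named in ON
-- is passed as sales_region and must have the same data type (VARCHAR).
ALTER TABLE sales.orders
  ADD ROW ACCESS POLICY sales_region_rap ON (region);
ALTER VIEW sales.orders_by_region_v
  ADD ROW ACCESS POLICY sales_region_rap ON (region);
```

Because only ADD is supported here, check the policy body under a role with an entitlement row and a role without one before attaching it.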

Masking and row access policies in Snowflake provide secure, fine-grained control over data at the column and row levels. Properly defining policies, applying them to tables, views, and tags, and following parameter guidelines ensures consistent enforcement and compliance.