This guide outlines the supported functions for implementing data masking and row-level access control in Snowflake when configuring Native Policies in the Platform Authorization Workspace. It covers the creation of policies, the application of functions to tables, columns, and tags, and the parameters required for each function. Understanding these constructs ensures proper configuration and enforcement of security policies in your Snowflake environment.
Masking
Masking functions in Snowflake are used to control access to sensitive data by transforming or hiding the values in specific columns. This section explains how to define masking policies, apply them to table columns and tags, and the parameters required to configure them effectively. A parameter function table is also available for more information.
Policy
A masking policy in Snowflake defines the logic used to mask sensitive data.
CREATE [ OR REPLACE ] MASKING POLICY <name> AS
( <arg_name_to_mask> <arg_type_to_mask> [ , <arg_1> <arg_type_1> ... ] )
RETURNS <arg_type_to_mask> -> <body>
[ COMMENT = '<string_literal>' ];
See Function Parameters below for details on the arguments, body, and comment.
- The <name> is the same name entered in the details section.
- Must start with CREATE MASKING POLICY or CREATE OR REPLACE MASKING POLICY.
- AS introduces the policy definition; RETURNS declares the return type, which must match the type of the argument being masked.
- Only one function per policy.
Tags
Masking policies can also be applied to Snowflake tags to ensure consistent masking behavior across columns associated with those tags.
ALTER TAG <name> SET MASKING POLICY <masking_policy_name>;
- Must start with ALTER TAG.
- Only SET is supported.
- Multiple statements can be separated with ;
- [FORCE] and [IF EXISTS] are not supported.
Columns
After defining a masking policy, it can be applied to table or view columns. This ensures that queries accessing these columns return masked results according to the policy logic.
ALTER TABLE <table_name> MODIFY COLUMN <column_name_to_mask>
SET MASKING POLICY <policy_name> [USING ( <col1_name>, <cond_col_1>, ... )];
ALTER VIEW <view_name> MODIFY COLUMN <column_name_to_mask>
SET MASKING POLICY <policy_name> [USING ( <col1_name>, <cond_col_1>, ... )];
- Must start with ALTER TABLE or ALTER VIEW.
- Only SET is supported.
- Multiple statements can be separated with ;
Function Parameters
The table below summarizes the parameters used when creating masking functions in Snowflake, including their purpose and expected values.
Parameter | Description
---|---
<arg_name_to_mask> | Name of the column or value to be masked
<arg_type_to_mask> | Data type of the value being masked
<arg_1>, <arg_type_1>, ... | Optional additional arguments for policy logic (the condition columns supplied through USING when the policy is applied to a column)
<body> | SQL expression defining the masking logic
COMMENT | Optional string literal describing the policy
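The following worked example ties the three masking statements together. It is added here and is not code from the page or from the workspace product; every object, role and tag name in it (hr.employees, consent_flag, governance.pii, PII_ADMIN, and so on) is hypothetical. It shows a two-argument conditional policy bound to a column with USING, and a separate single-argument policy bound to a tag, since a tag-based policy only ever receives the tagged column's own value.

```sql
-- Added example, not from the original page. All names are hypothetical.

-- 1. Conditional masking policy. The first argument is the value being
--    masked (its type must equal the RETURNS type); the second is a
--    condition column read from the same row and supplied via USING.
CREATE OR REPLACE MASKING POLICY email_mask_conditional AS
  (email STRING, consent_flag BOOLEAN) RETURNS STRING ->
  CASE
    -- privileged role always sees the clear value
    WHEN CURRENT_ROLE() IN ('PII_ADMIN') THEN email
    -- rows where the data subject consented are visible to everyone
    WHEN consent_flag = TRUE THEN email
    -- otherwise keep only the domain so analysts can still group by it
    WHEN email IS NOT NULL AND POSITION('@' IN email) > 0
      THEN '*****' || SUBSTR(email, POSITION('@' IN email))
    -- NULL and malformed values are hidden entirely rather than leaked
    ELSE NULL
  END
  COMMENT = 'Mask the e-mail local part unless the subject consented or the role is PII_ADMIN';

-- 2. Apply it to a column. The first USING column must be the masked column
--    itself; the remaining columns feed the extra policy arguments in order.
ALTER TABLE hr.employees MODIFY COLUMN email
  SET MASKING POLICY email_mask_conditional USING (email, consent_flag);

-- 3. Tag-based masking. A tag carries at most one policy per data type and
--    passes only the tagged column's value, so this policy takes one argument.
CREATE OR REPLACE MASKING POLICY pii_string_full AS
  (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('PII_ADMIN') THEN val ELSE '***MASKED***' END
  COMMENT = 'Full mask for any STRING column carrying the pii tag';

ALTER TAG governance.pii SET MASKING POLICY pii_string_full;
```

Two checks worth making before relying on a policy like this: CURRENT_ROLE() matches only the session's active role, not roles inherited through the hierarchy, so a user who activates a parent role will not be recognised as PII_ADMIN (Snowflake's IS_ROLE_IN_SESSION function is the usual alternative when inheritance should count); and the policy should be queried once per role it distinguishes, including a role that matches none of the branches, to confirm the fallback branch masks rather than reveals.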
Row Access
Row access functions in Snowflake allow you to implement row-level security by filtering the data returned for a given query based on defined criteria. This section explains how to define row access policies, apply them to tables and views, and configure the necessary parameters. A parameter function table is also available for more information.
Policy
A row access policy in Snowflake defines the logic used to determine whether a row should be accessible.
CREATE [ OR REPLACE ] ROW ACCESS POLICY <name> AS
( <arg_name> <arg_type> [ , ... ] ) RETURNS BOOLEAN -> <body>
[ COMMENT = '<string_literal>' ]
See Function Parameters below for details on the arguments, body, and comment.
- The <name> is the same name entered in the details section.
- Must start with CREATE ROW ACCESS POLICY or CREATE OR REPLACE ROW ACCESS POLICY.
- AS introduces the policy definition; RETURNS BOOLEAN declares that the body yields TRUE for rows that may be returned.
- Only one function per policy.
Tables
After defining a row access policy, it can be applied to tables or views. This ensures that only rows meeting the policy conditions are returned in query results.
ALTER TABLE <table_name> ADD ROW ACCESS POLICY <policy_name> ON (col_name [ , ... ]);
ALTER VIEW <view_name> ADD ROW ACCESS POLICY <policy_name> ON (col_name [ , ... ]);
- Must start with ALTER TABLE or ALTER VIEW.
- Only ADD is supported (no DROP).
- Multiple statements can be separated with ;
Function Parameters
The table below provides a concise summary of the parameters required when creating row access policies in Snowflake, explaining the role of each in defining access control logic.
Parameter | Description
---|---
<arg_name> | Name of the argument used in the row access policy
<arg_type> | Data type of the argument
<body> | SQL expression defining the row access logic
COMMENT | Optional description of the policy
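The following worked example shows a row access policy driven by an entitlement table rather than a hard-coded role list, then attached to a table and a view. It is added here and is not code from the page or from the workspace product; the schema, table, column and role names (security.region_entitlements, sales.orders, DATA_ADMIN, and so on) are hypothetical.

```sql
-- Added example, not from the original page. All names are hypothetical.

-- Entitlement table: which role may see which region. Administrators
-- maintain it; the policy consults it at query time, so access changes
-- take effect without rewriting the policy.
CREATE TABLE IF NOT EXISTS security.region_entitlements (
  role_name STRING NOT NULL,
  region    STRING NOT NULL
);

-- The argument is named differently from the column it will be bound to,
-- so the comparison inside the subquery cannot be misread as a self-join.
CREATE OR REPLACE ROW ACCESS POLICY sales_region_rap AS
  (row_region STRING) RETURNS BOOLEAN ->
  -- break-glass role sees every row
  CURRENT_ROLE() = 'DATA_ADMIN'
  OR EXISTS (
    SELECT 1
    FROM security.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()
      AND e.region = row_region
  )
  COMMENT = 'Return only rows whose region is entitled to the current role';

-- ON binds the table columns to the policy arguments positionally.
-- A row whose region has no entitlement row is filtered out, because
-- EXISTS returns FALSE; there is no permissive default.
ALTER TABLE sales.orders ADD ROW ACCESS POLICY sales_region_rap ON (region);
ALTER VIEW  sales.orders_by_region ADD ROW ACCESS POLICY sales_region_rap ON (region);
```

Because only ADD is emitted by the workspace and a Snowflake table or view carries a single row access policy at a time, an object that already has one must have it dropped in Snowflake before a replacement can be attached. When testing, query the table as a role with no entitlement rows and confirm the result is empty; a policy whose body can evaluate to NULL (for example a comparison against a NULL column with no EXISTS guard) also filters the row, which is the safe direction but worth verifying explicitly.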
Masking and row access policies in Snowflake provide secure, fine-grained control over data at the column and row levels. Properly defining policies, applying them to tables, views, and tags, and following parameter guidelines ensures consistent enforcement and compliance.