This guide outlines the supported functions for implementing data masking and row-level access control in Databricks when configuring Native Policies in the Platform Authorization Workspace. It covers the creation of policies, the application of functions to tables and columns, and the parameters required for each function. Understanding these constructs ensures proper configuration and enforcement of security policies in your Databricks environment.
Masking
Masking functions in Databricks are used to control access to sensitive data by transforming or hiding the values in specific columns. This section explains how to define masking functions, how to apply them to table columns, and which parameters are required to configure them. A function parameter table is also available for more information.
Policy
A masking policy in Databricks is defined as a function that specifies how sensitive data should be masked.
CREATE [OR REPLACE] FUNCTION full_function_name
([function_parameter [, ...]])
RETURNS data_type
RETURN { expression | query };
See Policy Function Parameters for more details on full_function_name and parameter, data_type, and expression or query.
- The full_function_name is the same name created in the details section.
- Must start with CREATE FUNCTION or CREATE OR REPLACE FUNCTION
- Only one function per policy
- A full function name is required
Columns
Once a masking function is defined, it can be applied to table columns to enforce data masking. This ensures that queries accessing these columns return masked results according to the function logic.
ALTER TABLE <full_table_name> ALTER COLUMN <column_name>
SET MASK <full_func_name> [USING COLUMNS (<other_column_name>)];
- Must start with ALTER TABLE
- Multiple functions can be split using ;
- Views are not supported
Function Parameters
The table below summarizes the parameters used when creating masking functions in Databricks, including their purpose and expected values.
Parameter | Description |
---|---|
full_function_name | The full_function_name is the same name created in the details section. |
function_parameter | List of arguments used in the function |
data_type | Return type of the function |
expression or query | SQL expression or query used for masking logic |
Row Access
Row access functions in Databricks allow you to implement row-level security by filtering the data returned for a given query based on defined criteria. This section explains how to define row access functions, how to apply them to tables, and how to configure the necessary parameters. A function parameter table is also available for more information.
Policy
A row access policy is defined as a function that determines which rows a user can access.
CREATE [OR REPLACE] FUNCTION full_function_name
([function_parameter [, ...]])
RETURNS data_type
RETURN { expression | query };
See Policy Function Parameters for more details on full_function_name and parameter, data_type, and expression or query.
- The full_function_name is the same name created in the details section.
- Must start with CREATE FUNCTION or CREATE OR REPLACE FUNCTION
- Only one function per policy
- A full function name is required
Tables
After defining a row access function, it can be applied to specific tables to enforce row-level filtering. This ensures that only rows meeting the function criteria are returned in query results.
ALTER TABLE <full_table_name> SET ROW FILTER <full_func_name> ON (<column_name>);
- Must start with ALTER TABLE
- Multiple functions can be split using ;
- Views are not supported
- A full table name is required
Function Parameters
The table below provides a concise summary of the parameters required when creating row access functions in Databricks, explaining the role of each in defining access control logic.
Parameter | Description |
---|---|
full_function_name | The full_function_name is the same name created in the details section. |
function_parameter | List of arguments used in the function |
data_type | Return type of the function |
expression or query | SQL expression or query used for row access logic |
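A worked configuration covering both the masking and row access sections above, as an added example rather than code from the original page. The catalog, schema, table, column and group names (main.hr.employees, ssn, region, hr_admins, hr_emea) are hypothetical, and it assumes Unity Catalog's built-in is_account_group_member() and the information_schema.column_masks and row_filters views.

```sql
-- Hypothetical objects: table main.hr.employees(ssn STRING, region STRING, ...),
-- account groups hr_admins and hr_emea.

-- Masking "Policy": exactly one function, fully qualified name.
-- The first parameter receives the masked column's value; the return type
-- matches the column type. The ELSE branch is the default-deny result.
CREATE OR REPLACE FUNCTION main.hr.mask_ssn(ssn STRING, region STRING)
RETURNS STRING
RETURN CASE
  WHEN is_account_group_member('hr_admins') THEN ssn
  WHEN region = 'EMEA' AND is_account_group_member('hr_emea')
    THEN concat('***-**-', right(ssn, 4))
  ELSE '***-**-****'
END;

-- Masking "Columns": bind the function to the column; USING COLUMNS passes
-- the extra region argument from the same row.
ALTER TABLE main.hr.employees ALTER COLUMN ssn
SET MASK main.hr.mask_ssn USING COLUMNS (region);

-- Row access "Policy": one function returning BOOLEAN; a row is returned
-- only when the expression evaluates to TRUE for the querying user.
CREATE OR REPLACE FUNCTION main.hr.filter_region(region STRING)
RETURNS BOOLEAN
RETURN is_account_group_member('hr_admins')
    OR (region = 'EMEA' AND is_account_group_member('hr_emea'));

-- Row access "Tables": full table name required, target is a table, not a view.
ALTER TABLE main.hr.employees
SET ROW FILTER main.hr.filter_region ON (region);

-- Check that both bindings are in place after the policies are applied.
SELECT * FROM main.information_schema.column_masks
WHERE table_schema = 'hr' AND table_name = 'employees';

SELECT * FROM main.information_schema.row_filters
WHERE table_schema = 'hr' AND table_name = 'employees';
```

Both functions fall through to the most restrictive result, so a user in neither group gets no rows from the filter and, if the filter were ever removed, still sees only a fully masked ssn.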
Masking and row access functions in Databricks allow precise control over sensitive data at the column and row level. Creating functions, applying them to tables, and following parameter guidelines ensures secure, predictable enforcement of data access rules.