MASKING POLICY

Config path: /<database>/<schema>/masking_policy/<name>.yaml

Example:

arguments:
  name: VARCHAR(255)

returns: VARCHAR(255)

body: |-
  REPLACE(name, 'A', '*')

references:
  - object_type: TABLE
    object_name: test_table_1
    columns: [name]

Schema

  • arguments (dict)

    • {key} (ident) - argument name

    • {value} (str) - argument data type

  • returns (str) - return data type

  • body (str) - policy SQL expression

  • references (dict)

    • object_type (str) - reference object type (e.g. TABLE, VIEW)

    • object_name (ident) - reference object name

    • columns (list)

      • {items} (ident) - reference column names

  • comment (str)

Usage notes

  1. Managing masking policies requires an active warehouse, because calls to the POLICY_REFERENCES table function are unavoidable.

  2. If the arguments or returns of a policy are changed, all references are dropped, the policy is re-created from scratch, and all references are then restored. Likewise, when other objects are re-created, they initially lack policy references. In such cases business users might be able to access objects without the protection of the policy. This cannot be avoided, because Snowflake fundamentally lacks transaction support for DDL queries. Consider scheduling weekly "safe maintenance" time slots for applying DDL, during which business users cannot access the Snowflake account.
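The re-creation window in note 2 can be checked after each DDL run by comparing the references declared in the config with what POLICY_REFERENCES reports. The following is an added example, not part of the tool described on this page. It assumes the config is already loaded as a dict shaped like the Example and that rows use the POLICY_REFERENCES output column names; the policy name, the VIEW entry and all rows are constructed.

```python
# Added example. Rows mimic POLICY_REFERENCES output; all sample values are constructed.
POLICY = "name_mask"  # hypothetical policy name (the <name> in the config path)

# Config as a dict, shaped like the Example; the VIEW entry is constructed.
SAMPLE_CONFIG = {
    "references": [
        {"object_type": "TABLE", "object_name": "test_table_1", "columns": ["name"]},
        {"object_type": "VIEW", "object_name": "test_view_1", "columns": ["name"]},
    ]
}

# Constructed rows, e.g. captured right after a DDL apply.
SAMPLE_ROWS = [
    {"POLICY_NAME": "NAME_MASK", "POLICY_KIND": "MASKING_POLICY",
     "REF_ENTITY_DOMAIN": "TABLE", "REF_ENTITY_NAME": "TEST_TABLE_1", "REF_COLUMN_NAME": "NAME"},
    {"POLICY_NAME": "OTHER_MASK", "POLICY_KIND": "MASKING_POLICY",
     "REF_ENTITY_DOMAIN": "VIEW", "REF_ENTITY_NAME": "TEST_VIEW_1", "REF_COLUMN_NAME": "NAME"},
]


def declared_columns(config):
    """Expand config 'references' into (object_type, object_name, column) keys.

    Names are upper-cased, which assumes unquoted identifiers.
    """
    return {
        (ref["object_type"].upper(), ref["object_name"].upper(), col.upper())
        for ref in config.get("references", [])
        for col in ref["columns"]
    }


def attached_columns(policy_name, rows):
    """Keys of columns that currently carry the given masking policy."""
    return {
        (r["REF_ENTITY_DOMAIN"].upper(), r["REF_ENTITY_NAME"].upper(), r["REF_COLUMN_NAME"].upper())
        for r in rows
        if r["POLICY_KIND"] == "MASKING_POLICY" and r["POLICY_NAME"].upper() == policy_name.upper()
    }


def find_gaps(policy_name, config, rows):
    """Return declared-but-unprotected columns and attached-but-undeclared ones."""
    declared = declared_columns(config)
    attached = attached_columns(policy_name, rows)
    return {"unprotected": sorted(declared - attached), "undeclared": sorted(attached - declared)}


if __name__ == "__main__":
    print(find_gaps(POLICY, SAMPLE_CONFIG, SAMPLE_ROWS))
```

A non-empty "unprotected" list after a run means a declared column is currently readable without its mask and should be treated as an alert.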
