0
0
Snowflakecloud~10 mins

Column-level security with masking policies in Snowflake - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Column-level security with masking policies
User Queries Data
Check Masking Policy on Column
Evaluate User Role
Apply Masking Logic
Return Masked or Original Data
User Sees Data Based on Permissions
When a user queries a column with a masking policy, Snowflake checks the user's role, applies the masking logic, and returns either masked or original data accordingly.
Execution Sample
Snowflake
CREATE MASKING POLICY ssn_mask AS
  (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('FULL_ACCESS_ROLE') THEN val
    ELSE 'XXX-XX-XXXX'
  END;

ALTER TABLE employees MODIFY COLUMN ssn SET MASKING POLICY ssn_mask;
This code creates a masking policy for the SSN column that shows the real value only to users with FULL_ACCESS_ROLE; others see a masked value.
Process Table
StepUser RoleColumn ValueMasking Policy AppliedReturned Value
1FULL_ACCESS_ROLE123-45-6789Check role in policy123-45-6789
2READ_ONLY_ROLE123-45-6789Check role in policyXXX-XX-XXXX
3ANALYST_ROLE123-45-6789Check role in policyXXX-XX-XXXX
4FULL_ACCESS_ROLE987-65-4321Check role in policy987-65-4321
5READ_ONLY_ROLE987-65-4321Check role in policyXXX-XX-XXXX
6ANALYST_ROLE987-65-4321Check role in policyXXX-XX-XXXX
7No role or unknown123-45-6789Check role in policyXXX-XX-XXXX
💡 Execution stops after returning masked or original data based on user role.
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4After Step 5After Step 6After Step 7
User RoleN/AFULL_ACCESS_ROLEREAD_ONLY_ROLEANALYST_ROLEFULL_ACCESS_ROLEREAD_ONLY_ROLEANALYST_ROLENo role
Column ValueN/A123-45-6789123-45-6789123-45-6789987-65-4321987-65-4321987-65-4321123-45-6789
Returned ValueN/A123-45-6789XXX-XX-XXXXXXX-XX-XXXX987-65-4321XXX-XX-XXXXXXX-XX-XXXXXXX-XX-XXXX
Key Moments - 3 Insights
Why does the returned value change based on user role?
Because the masking policy checks the user's role (see execution_table rows 1 and 2). If the role is allowed, the real data is returned; otherwise, a masked value is returned.
What happens if a user has no role or an unknown role?
The masking policy treats unknown or missing roles as unauthorized and returns the masked value (see execution_table row 7).
Is the original data changed in the database when masking is applied?
No, the original data stays the same. Masking only changes what the user sees at query time (refer to variable_tracker 'Column Value' vs 'Returned Value').
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what value does a user with FULL_ACCESS_ROLE see for the SSN '987-65-4321'?
AXXX-XX-XXXX
BNULL
C987-65-4321
DAccess Denied
💡 Hint
Check execution_table row 4 under 'Returned Value'.
At which step does the masking policy return a masked value for the SSN '123-45-6789'?
AStep 2
BStep 1
CStep 4
DStep 7
💡 Hint
Look at execution_table rows with 'READ_ONLY_ROLE' and 'Returned Value'.
If a new role 'HR_ROLE' is added to FULL_ACCESS_ROLE list, how would the returned value change for that role querying '123-45-6789'?
AIt would return 'XXX-XX-XXXX'
BIt would return '123-45-6789'
CIt would return NULL
DIt would cause an error
💡 Hint
Refer to the masking policy logic in execution_sample and how roles affect returned value.
Concept Snapshot
Column-level security with masking policies:
- Define a masking policy with CASE logic based on user roles.
- Attach the policy to sensitive columns.
- When queried, Snowflake checks user role.
- Returns original data if authorized, else masked data.
- Original data remains unchanged in storage.
Full Transcript
Column-level security with masking policies in Snowflake works by defining a masking policy that controls what data users see based on their roles. When a user queries a column with a masking policy, Snowflake evaluates the user's role. If the role is authorized, the user sees the original data. Otherwise, the data is masked, for example, replaced with 'XXX-XX-XXXX' for social security numbers. The original data in the database is never changed; masking only affects query results. This ensures sensitive data is protected while allowing authorized users full access.