Snowflake examples

This documentation contains examples of how Snowflake behaves with respect to certain data protection standards and data access rules.

Example 

Suppose that:

  • The Personally Identifiable Information (PII) and Personal Information (PI) data categories exist in Snowflake. These two data categories contain a column named DOB.
  • A standard that applies to the HR group has been created. This standard requires hashing for the PII data category.
  • A standard that applies to the Marketing group has been created. This standard requires default masking for the PI data category.

Behavior

When the standards are synchronized and active, a tag policy is created in Snowflake for each standard and linked to the DOB column. A single column masking policy that combines the two tag policies is then created and applied to the DOB column. This column masking policy includes the protection defined in each standard.

Image: Column masking policy

Example 

Suppose that:

  • The Personally Identifiable Information (PII) data category exists in Snowflake.
  • The Employee Data data set exists in Snowflake. This data set contains PII.
  • A standard that applies to the following groups has been created: Everyone, Human Resources, Marketing, and Sales. This standard requires default masking for the PII data category.

    Image of the standard

  • A rule that applies to the Human Resources group has been created. This rule does not require any masking for the PII columns in the Employee Data asset.

    Image of the rule

Behavior

Standard

When the standard is synchronized and active, 14 masking policies are created in Snowflake—one policy for each Snowflake data type. These masking policies are associated with the Personally Identifiable Information tag and are created at the schema level. The tag is assigned to those columns that need to be protected. The masking policies are named COLLIBRA/MASKING_POLICY/<asset ID>/<Snowflake type>.

Image: Masking policies for standard

At runtime, Snowflake fetches the right masking policy based on the column data type.

Image: Snowflake masking policy

The following image shows a masking policy for the STRING data type. The data that is shown in the policy depends on the masking level selected in the standard. In the policy, val indicates the value as it is stored in the table.

Image: Masking policy for string data type

Rule

A rule results in a combination of grant instructions, dynamic masking, and row access policies.

The rule grants the Human Resources group access to the Employee Data data set, as indicated by the selected Grant access... checkbox in the rule. The corresponding Snowflake role for the group can then access each database, schema, and table in the data set. In addition, the column masking policy is applied to those columns that need to be protected.

Consider the EMPLOYEE_NAME column in the Employee Data data set. This column belongs to the EMPLOYEES table within the DEMO schema in the PROTECT_QA database.

Image of the Employee Name column

In Snowflake, each column that is categorized as PII within the Employee Data data set inherits the masking policy that is applied to the column in Protect. The masking policies created at the schema level are named COLLIBRA/MASKING_POLICY/<asset ID>.

The following image shows the masking policy created for the EMPLOYEE_NAME column.

Image: Employee Name masking policy

Summary

According to the standard, the Everyone, Human Resources, Marketing, and Sales groups have masked access to the data. However, according to the rule, the Human Resources group has unmasked access to the data. As a result, the EMPLOYEE_NAME column has both a policy tag and a column masking policy applied to it via the standard and the rule, respectively.

In Snowflake, if both a policy tag and a column masking policy exist for the same column, the column masking policy takes priority and the policy tag is not assigned to the column. To ensure that the protection defined in the standard is not ignored, the column masking policy also considers the conditions defined in the standard (policy tag).

Thus, when a standard is created for the Human Resources, Marketing, and Sales groups to mask a column, and when a rule is created for the Human Resources group to not mask the same column, the result is as follows:

  • The column is not masked for the Human Resources group.
  • The column is masked for the Marketing and Sales groups.
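
The precedence described in the summary, written out as a Snowflake column masking policy on a scratch table. This is an added illustration, not the policy text that Collibra Protect generates; the MASKING_EXAMPLE schema, the policy name, the role names HUMAN_RESOURCES, MARKETING and SALES, and the '*****' mask literal are all assumptions.

```sql
-- Added illustration only; not the policy that Collibra Protect generates.
-- Assumed names: schema MASKING_EXAMPLE, policy EXAMPLE_EMPLOYEE_NAME_MASK,
-- roles HUMAN_RESOURCES, MARKETING, SALES. Sample row is constructed.
CREATE SCHEMA IF NOT EXISTS PROTECT_QA.MASKING_EXAMPLE;
USE SCHEMA PROTECT_QA.MASKING_EXAMPLE;

CREATE OR REPLACE TABLE EMPLOYEES (EMPLOYEE_NAME STRING);
INSERT INTO EMPLOYEES (EMPLOYEE_NAME) VALUES ('Constructed Name');

-- One column masking policy carries both sets of conditions, because a
-- policy attached directly to a column takes priority over a tag-based one.
CREATE OR REPLACE MASKING POLICY EXAMPLE_EMPLOYEE_NAME_MASK
  AS (val STRING) RETURNS STRING ->
  CASE
    -- Rule: Human Resources reads the value as it is stored in the table.
    WHEN IS_ROLE_IN_SESSION('HUMAN_RESOURCES') THEN val
    -- Standard, folded into the column policy: Marketing and Sales are masked.
    WHEN IS_ROLE_IN_SESSION('MARKETING')
      OR IS_ROLE_IN_SESSION('SALES') THEN '*****'
    -- Standard also covers Everyone: any other role is masked (fail closed).
    ELSE '*****'
  END;

-- Attach the policy directly to the column.
ALTER TABLE EMPLOYEES MODIFY COLUMN EMPLOYEE_NAME
  SET MASKING POLICY EXAMPLE_EMPLOYEE_NAME_MASK;

-- Audit check: list the policies in effect on the table. TAG_NAME is empty
-- for a policy attached directly to a column and populated for a policy
-- that reaches the column through a tag.
SELECT POLICY_NAME, POLICY_KIND, REF_COLUMN_NAME, TAG_NAME, POLICY_STATUS
FROM TABLE(PROTECT_QA.INFORMATION_SCHEMA.POLICY_REFERENCES(
  REF_ENTITY_NAME   => 'PROTECT_QA.MASKING_EXAMPLE.EMPLOYEES',
  REF_ENTITY_DOMAIN => 'TABLE'));
```

IS_ROLE_IN_SESSION checks the session's active role hierarchy, so a role that inherits HUMAN_RESOURCES matches the first branch and reads unmasked data. Review role grants alongside the policy body when auditing who can see the stored values.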