Snowflake examples

Example 

Suppose that:

• The Personally Identifiable Information (PII) and Personal Information (PI) data categories exist in Snowflake. These two data categories contain a column named DOB.
• A standard that applies to the HR group has been created. This standard requires hashing for the PII data category.
• A standard that applies to the Marketing group has been created. This standard requires default masking for the PI data category.

Behavior

When the standards are synchronized and active, a tag policy is created in Snowflake for each standard and linked to the DOB column. A single column masking policy that combines the two tag policies is then created and applied to the DOB column. This column masking policy includes the protection defined in each standard.

Example 

Suppose that:

• The Personally Identifiable Information (PII) data category exists in Snowflake.
• The Employee Data data set exists in Snowflake. This data set contains PII.
• A standard that applies to the following groups has been created: Everyone, Human Resources, Marketing, and Sales. This standard requires default masking for the PII data category.

  

  

• A rule that applies to the Human Resources group has been created. This rule does not require any masking for the PII columns in the Employee Data asset.

  

  

Behavior

Standard

When the standard is synchronized and active, 14 masking policies are created in Snowflake—one policy for each Snowflake data type. These masking policies are associated with the Personally Identifiable Information tag and are created at the schema level. The tag is assigned to those columns that need to be protected. The masking policies are named COLLIBRA/MASKING_POLICY/<asset ID>/<Snowflake type>.

At runtime, Snowflake fetches the right masking policy based on the column data type.

The following image shows a masking policy for the STRING data type. The data that is shown in the policy depends on the masking level selected in the standard. In the policy, val indicates the value as it is stored in the table.

Rule

A rule results in a combination of grant instructions, dynamic masking, and row access policies.

The rule grants access of the Employee Data data set to the Human Resources group, as indicated by the selected Grant access... checkbox in the rule. Then, the corresponding Snowflake role for the group can access each database, schema, and table in the data set. In addition, the column masking policy is applied to those columns that need to be protected.

Consider the EMPLOYEE_NAME column in the Employee Data data set. This column belongs to the EMPLOYEES table within the DEMO schema in the PROTECT_QA database.

In Snowflake, each column that is categorized as PII within the Employee Data dataset inherits the masking policy that is applied to the column in Protect. The masking policies created at the schema level are named COLLIBRA/MASKING_POLICY/<asset ID>.

The following image shows the masking policy created for the EMPLOYEE_NAME column.

Summary

According to the standard, the Everyone, Human Resources, Marketing, and Sales groups have masked access to the data. However, according to the rule, the Human Resources group has unmasked access to the data. As a result, the EMPLOYEE_NAME column has both a policy tag and a column masking policy applied to it via the standard and the rule, respectively.

In Snowflake, if both a policy tag and a column masking policy exist for the same column, the column masking policy takes priority and the policy tag is not assigned to the column. To ensure that the protection defined in the standard is not ignored, the column masking policy also considers the conditions defined in the standard (policy tag).