In the last post we saw that Masking Policies remain intact when Cloning within the same account and when Sharing to a different account (a Reader Account). In this final part of the series we will see how a Masking Policy behaves when we replicate the entire Database to a different Account in the same Region, or to an Account in a new Region.
We will use the same Employee table, where masking is defined on SSN and Phone Number, and replicate the entire Database, i.e. DEMO_DB. We will use the ORGADMIN role to enable the Replication feature in Snowflake.
LOGIN to the Primary Account and Enable the Replication:
grant role ORGADMIN to user sachinsnowpro;
use role ORGADMIN;
Replication to Same region:
Create new Account inside the Same region:
CREATE ACCOUNT target_Accnt
ADMIN_NAME = sachinreplicate
ADMIN_PASSWORD = 'xxxxxx'
EMAIL = 'sachin.mittal04@gmail.com'
EDITION = ENTERPRISE;
alter database DEMO_DB enable replication to accounts aws_us_east_1.XCA53150;
LOGIN to the Replicated Account:
First, create the replica of the database that lives in the Primary Account, then refresh it.
Second, and most importantly, query the Employee table in the new Account: the data is still masked and we cannot see the original values.
Replication to New region:
Create new Account inside the new region:
alter database DEMO_DB enable replication to accounts AWS_US_WEST_2.VOA25795;
LOGIN to the Replicated Account:
Verify the Region Name: we can clearly see that we are in the new Region.
Create the replica of the database that lives in the Primary Account, then refresh it.
Even though the database is replicated to the new Region, the Masking Policies remain set on the table and we cannot see the original values.
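The secondary-account steps described in both sections above, written out as an added example (not code from the original post). It assumes the Employee table is DEMO_DB.PUBLIC.EMPLOYEE with columns SSN and PHONE_NUMBER, and PRIMARY_LOCATOR is a placeholder for the primary account's locator, which the post does not give.

```sql
-- Run in the secondary (target) account, same-region or new-region.
USE ROLE ACCOUNTADMIN;

-- Confirm which account and region this session is in.
SELECT CURRENT_ACCOUNT(), CURRENT_REGION();

-- The primary DEMO_DB should be listed once replication has been
-- enabled for this account from the primary side.
SHOW REPLICATION DATABASES;

-- Create the secondary database. PRIMARY_LOCATOR is a placeholder
-- (assumption): substitute the locator of the primary account.
CREATE DATABASE DEMO_DB
  AS REPLICA OF aws_us_east_1.PRIMARY_LOCATOR.DEMO_DB;

-- Pull the current snapshot, including the masking policies.
ALTER DATABASE DEMO_DB REFRESH;

-- Check 1: the policy objects exist in the replica.
SHOW MASKING POLICIES IN DATABASE DEMO_DB;

-- Check 2: the policies are still attached to the expected columns.
-- Schema, table and column names are assumptions (see lead-in).
SELECT policy_name, policy_kind, ref_column_name
FROM TABLE(DEMO_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(
       ref_entity_name   => 'DEMO_DB.PUBLIC.EMPLOYEE',
       ref_entity_domain => 'TABLE'));

-- Check 3: the values returned to this role are masked.
SELECT SSN, PHONE_NUMBER
FROM DEMO_DB.PUBLIC.EMPLOYEE
LIMIT 5;
```

Policy conditions are evaluated against the roles of the account running the query, so repeat the last query under each role that is expected to see masked or unmasked values.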
In conclusion: Masking policies are replicated to the secondary or shared database.
However, the replication operation is blocked if either of the following use cases is true:
- The primary database is in an Enterprise (or higher) account and contains a policy but one or more of the accounts approved for replication are on lower editions.
- A policy contained in the primary database has a reference to a policy in another database.
We will discuss the technical implementation of Replication in great detail in another post.