2 0
Read Time:4 Minute, 15 Second

Data Masking in Snowflake Using Tags, Policies, and Automation: In modern data platforms, data masking and access control are critical pillars of security and compliance — especially with sensitive fields like SSNs, email addresses, and financial metrics. In this blog, we explore how to implement a tag-driven masking and row-level security framework in Snowflake. It  supports multi-tenant governance, intelligent automation, and centralized control across sensitive data.

  •  Tag-based column masking

  • Row-level security via table tags

  •  Multiple masking policies

  •  Role-based access control

  • Auto-tagging of PII using intelligent pattern matching

 

Architecture Summary

Arch Summary

Key Highlights of the Implementation

 Role-Based Column Masking

Sensitive fields like SSN, EMAIL, ACCOUNT_ID, CREDIT_SCORE are protected using tags and policies. Access is dynamically mask or allow based on the user’s role.

Row-Level Security via Table Tags

Tables are tagged as RESTRICTED, and access is filtered using a row access policy — only allowing certain roles to view specific tenant data.

Auto-Tagging PII

A custom stored procedure scans for columns with patterns like ssn, email, phone, and auto-tags them with 'PII', enabling protection instantly when new columns are added.

1. Tags: The Foundation of Policy-Driven Masking

We created 3 core governance tags:

CREATE OR REPLACE TAG COLUMN_SENSITIVITY ALLOWED_VALUES 'PII', 'FINANCIAL';
CREATE OR REPLACE TAG COLUMN_MASK ALLOWED_VALUES 'PROTECT';
CREATE OR REPLACE TAG TABLE_VISIBILITY ALLOWED_VALUES 'VISIBLE', 'RESTRICTED';

These tags are used across multiple tables and columns to dynamically trigger policies without modifying individual column definitions.

2. Sample Tables and Tagged Columns

Two tables available:

  • CLIENT_PROFILE — Customer identity information

  • CREDIT_EVALUATION — Risk and credit limit assessments

Tagging sensitive columns:

ALTER TABLE CLIENT_PROFILE MODIFY COLUMN SSN SET TAG COLUMN_SENSITIVITY = 'PII';
ALTER TABLE CLIENT_PROFILE MODIFY COLUMN EMAIL SET TAG COLUMN_SENSITIVITY = 'PII';

ALTER TABLE CREDIT_EVALUATION MODIFY COLUMN ACCOUNT_ID SET TAG COLUMN_SENSITIVITY = 'FINANCIAL';
ALTER TABLE CREDIT_EVALUATION MODIFY COLUMN CREDIT_SCORE SET TAG COLUMN_MASK = 'PROTECT';
ALTER TABLE CREDIT_EVALUATION MODIFY COLUMN CREDIT_LIMIT SET TAG COLUMN_MASK = 'PROTECT';

3. Masking Policies

We created two policies — one for PII/Financial sensitivity, and one for strict field-level protection.

a. Tag-Driven Policy for Sensitivity

CREATE OR REPLACE MASKING POLICY MASK_TAGGED_COLUMNS
AS (val STRING) RETURNS STRING ->
CASE
WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('PUBLIC.COLUMN_SENSITIVITY') = 'PII'
AND CURRENT_ROLE() NOT IN ('COMPLIANCE_OFFICER', 'SUPER_ADMIN') THEN '***PII***'

WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('PUBLIC.COLUMN_SENSITIVITY') = 'FINANCIAL'
AND CURRENT_ROLE() NOT IN ( 'SUPER_ADMIN') THEN '***MASKED***'

ELSE val
END;

b. Policy for Strict Fields (e.g., CREDIT_SCORE)

CREATE MASKING POLICY ACCOUNT_ID_COLS
AS (val number) RETURNS number ->
CASE
WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('COLUMN_MASK') = 'PROTECT'
AND CURRENT_ROLE() = 'SUPER_ADMIN' THEN val
ELSE -1
END;

c. Attach Policy to the Tag

ALTER TAG PUBLIC.COLUMN_SENSITIVITY SET MASKING POLICY MASK_TAGGED_COLUMNS;
ALTER TAG PUBLIC.COLUMN_MASK SET MASKING POLICY ACCOUNT_ID_COLS;

3. ROW-Level Access via Table Tag

ALTER TABLE CLIENT_PROFILE SET TAG PUBLIC.TABLE_VISIBILITY = 'RESTRICTED';
ALTER TABLE CREDIT_EVALUATION SET TAG PUBLIC.TABLE_VISIBILITY = 'RESTRICTED';

CREATE OR REPLACE ROW ACCESS POLICY RLS_MULTI_TENANT
AS (TENANT_ID STRING) RETURNS BOOLEAN ->
CASE
WHEN SYSTEM$GET_TAG_ON_CURRENT_TABLE('PUBLIC.TABLE_VISIBILITY') = 'RESTRICTED'
AND CURRENT_ROLE() IN ('SUPER_ADMIN','RISK_ANALYST') THEN TRUE

ELSE FALSE
END;

Attach Policy to the Table

ALTER TABLE CLIENT_PROFILE ADD ROW ACCESS POLICY RLS_MULTI_TENANT ON (TENANT_ID);
ALTER TABLE CREDIT_EVALUATION ADD ROW ACCESS POLICY RLS_MULTI_TENANT ON (TENANT_ID);

RISK_ANALYST
SUPER_ADMIN
Row Access

4. Intelligent PII Auto-Tagging via Stored Procedure

We developed a smart JavaScript stored procedure that scans columns and automatically tags likely PII based on keywords like ssn, email, dob, mobile, etc.

Key Features:

  • Scans only relevant tables

  • Ignores already tagged columns

  • Applies PII tag only when column name matches pattern.

PII Proc

When we added a new column:

ALTER TABLE CREDIT_EVALUATION ADD COLUMN phone STRING(10);
PROC Call

The column was automatically tag.!

Phone Auto Tag

After setting up the masking policies and running the auto-tagging procedure, a new column like phone is automatically tagged and masked — without any manual intervention.

Known issue: Currently Proc is able to set the TAG only on string columns. So if any numeric column gets add then Proc would not throw error but will not tag that column with COLUMN_MASK Tag value.

Tag-based masking in Snowflake offers a declarative, scalable, and auditable way to protect sensitive data. Combined with role-based access control and row-level filtering, it creates a powerful governance model ready for the needs of modern enterprises.

About Post Author

Sachin Mittal

sachin.mittal04@gmail.com
https://cloudyard.in
Happy
0 %
Sad
0 %
Excited
0 %
Sleepy
0 %
Angry
0 %
Surprise
0 %

Related articles

Significance of Snowflake task graphs
Snowflake Scenario

Significance of Snowflake task graphs

By Sachin Mittal
Masking in SF Without Hardcoded Roles: Including ARRAY cols
Snowflake Scenario

Masking in SF Without Hardcoded Roles: Including ARRAY cols

By Sachin Mittal
Snowflake Cost Monitoring with AWS CloudWatch & External Functions
Snowflake Scenario

Snowflake Cost Monitoring with AWS CloudWatch & External Functions

By Sachin Mittal
Schema Evolution with Case Sensitivity Handling in Snowflake
Snowflake Scenario

Schema Evolution with Case Sensitivity Handling in Snowflake

By Sachin Mittal
Private Listing and Masking Policies for Cross-Region Data Sharing
Snowflake Scenario

Private Listing and Masking Policies for Cross-Region Data Sharing

By Sachin Mittal

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%
(Add your review)

Leave a Reply

Your email address will not be published. Required fields are marked *

Search
Social profiles

Data Masking in Snowflake Using Tags, Policies, and Automation

Snowpark Magic: Auto-Create Tables from S3 Folders

Optimizing Snowflake Serverless Tasks

Significance of Snowflake task graphs

Automating CSV & Parquet File Ingestion from S3 to Snowflake

Masking in SF Without Hardcoded Roles: Including ARRAY cols

Enhancing Snowflake Alerts for Dynamic Table Refresh Failures

Dynamic CSV Column Mapping with Stored Procedures