{"id":64,"date":"2019-07-16T13:29:31","date_gmt":"2019-07-16T13:29:31","guid":{"rendered":"https:\/\/snowflake.pavlik.us\/?p=64"},"modified":"2019-09-10T16:48:39","modified_gmt":"2019-09-10T16:48:39","slug":"conditional-column-masking-based-on-role","status":"publish","type":"post","link":"https:\/\/snowflake.pavlik.us\/index.php\/2019\/07\/16\/conditional-column-masking-based-on-role\/","title":{"rendered":"Conditional Column Masking Based on Role"},"content":{"rendered":"\n<p>Snowflake secure views offer a powerful way to control who gets to see what. One way to secure data is to mask a column&#8217;s value based on who is accessing the data set.<\/p>\n\n\n\n<p>First, a bit of background on Snowflake views. They are not dynamic. Here is the section of the documentation explaining this:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>View definitions are not dynamic, i.e. a view is not automatically updated if the underlying sources are modified such that they no longer match the view definition, particularly when columns are dropped. For example:<\/p><p>A view is created referencing a specific column in a source table and the column is subsequently dropped from the table.<\/p><p>A view is created using SELECT * from a table and any column is subsequently dropped from the table.<\/p><\/blockquote>\n\n\n\n<p>In practice, what this means for data security and data privacy is that a Snowflake secure view should mask a column&#8217;s values rather than suppress the column entirely, so the view definition stays stable. Here&#8217;s an example of how to mask a column based on who is viewing the data. This example uses the current session&#8217;s role to determine visibility rights, which is a best practice, but it could also check the current logged-in user instead.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: sql; title: ; notranslate\" title=\"\">\n-- Log in as DBA or a login with appropriate permissions.\n\n-- Set the context. We'll be using the TEST warehouse (Extra Small\n-- size is fine for this test) and a database named TEST.\n-- Create them if not already present.\nuse warehouse TEST;\nuse database TEST;\n\n-- Create and use schema TPCH_SF1, where we will copy some data from\n-- the Snowflake sample data.\ncreate schema TPCH_SF1;\nuse schema TPCH_SF1;\n\n-- Create a writable table from the Snowflake sample data.\ncreate or replace table ORDERS as\n  select * from SNOWFLAKE_SAMPLE_DATA.TPCH_SF1.ORDERS;\n\n-- Make sure there are 1.5 million rows in the ORDERS table:\nselect count(*) as ROW_COUNT from ORDERS;\n\n-- Mask the sensitive column from anyone not using the DBA role.\n-- current_role() is evaluated for the querying session, so the same\n-- view returns different results depending on who runs the query.\ncreate or replace secure view ORDERS_SECURE_VIEW as\nselect\n  O_ORDERKEY, O_CUSTKEY, O_ORDERSTATUS, O_TOTALPRICE, O_ORDERDATE, O_ORDERPRIORITY,\n  case current_role()\n    when 'DBA' then O_CLERK\n    else '*****'\n  end as O_CLERK,\n  O_SHIPPRIORITY, O_COMMENT\nfrom ORDERS;\n\n-- Grant permissions to the Analyst role.\n-- Grant SELECT on the secure view only, NOT on the underlying ORDERS\n-- table: a role with SELECT on the base table could read O_CLERK\n-- directly and bypass the masking. The view runs with its owner's\n-- privileges, so the Analyst does not need access to the base table.\ngrant usage on warehouse TEST to role ANALYST;\ngrant usage on database TEST to role ANALYST;\ngrant usage on schema TEST.TPCH_SF1 to role ANALYST;\ngrant select on view ORDERS_SECURE_VIEW to role ANALYST;\n\n-- Test the following sections with the DBA and Analyst roles.\n-- The DBA will see unmasked data in the O_CLERK column.\n-- The Analyst will see masked data.\n\n-- Confirm the current session's role:\nselect current_role() as CURRENT_ROLE;\n\n-- Test our view using different roles; only the DBA role\n-- should see the unmasked data:\nuse warehouse TEST;\nuse database TEST;\nuse schema TPCH_SF1;\nselect * from ORDERS_SECURE_VIEW limit 10;\n\n-- Suspend our warehouse to save credits.\nalter warehouse TEST suspend;\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"<p>Snowflake secure views offer a powerful way to control who gets to see what. 
One way to secure data is to mask a column&#8217;s value based on who is accessing the data set. First a bit of background on Snowflake views. They are not dynamic. Here is the section of the documentation explaining this: View [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-64","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\r\n<title>Conditional Column Masking Based on Role - Snowflake in the Carolinas<\/title>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/snowflake.pavlik.us\/index.php\/2019\/07\/16\/conditional-column-masking-based-on-role\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_US\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Conditional Column Masking Based on Role - Snowflake in the Carolinas\" \/>\r\n<meta property=\"og:description\" content=\"Snowflake secure views offer a powerful way to control who gets to see what. One way to secure data is to mask a column&#8217;s value based on who is accessing the data set. First a bit of background on Snowflake views. They are not dynamic. 
Here is the section of the documentation explaining this: View [&hellip;]\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/snowflake.pavlik.us\/index.php\/2019\/07\/16\/conditional-column-masking-based-on-role\/\" \/>\r\n<meta property=\"og:site_name\" content=\"Snowflake in the Carolinas\" \/>\r\n<meta property=\"article:published_time\" content=\"2019-07-16T13:29:31+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2019-09-10T16:48:39+00:00\" \/>\r\n<meta name=\"author\" content=\"Greg Pavlik\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Greg Pavlik\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/\"},\"author\":{\"name\":\"Greg Pavlik\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#\\\/schema\\\/person\\\/019455f4675665b6cf5edea31ec44d7b\"},\"headline\":\"Conditional Column Masking Based on 
Role\",\"datePublished\":\"2019-07-16T13:29:31+00:00\",\"dateModified\":\"2019-09-10T16:48:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/\"},\"wordCount\":207,\"commentCount\":0,\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/\",\"url\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/\",\"name\":\"Conditional Column Masking Based on Role - Snowflake in the Carolinas\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#website\"},\"datePublished\":\"2019-07-16T13:29:31+00:00\",\"dateModified\":\"2019-09-10T16:48:39+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#\\\/schema\\\/person\\\/019455f4675665b6cf5edea31ec44d7b\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2019\\\/07\\\/16\\\/conditional-column-masking-based-on-role\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/snowflake.pavlik.us\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Conditional Column Masking Based on 
Role\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#website\",\"url\":\"https:\\\/\\\/snowflake.pavlik.us\\\/\",\"name\":\"Snowflake in the Carolinas\",\"description\":\"Random thoughts on all things Snowflake in the Carolinas\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/snowflake.pavlik.us\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#\\\/schema\\\/person\\\/019455f4675665b6cf5edea31ec44d7b\",\"name\":\"Greg Pavlik\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g\",\"caption\":\"Greg Pavlik\"},\"description\":\"Greg is a Senior Sales Engineer at Snowflake Computing, in the Raleigh-Durham area. He's been in data management and security for the twenty years.\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. 
-->"}