Retrieve all available masking policies for an account in snowflake - snowflake-cloud-data-platform

How to get all the masking policies created in a particular account in snowflake? Is there any view to see it?
SHOW MASKING POLICIES only retrieves data related to the policies and not where they are applied.
How can I get all policies and in which columns in which tables it is applied?

You can query the information schema table-function POLICY_REFERENCES, see here: https://docs.snowflake.com/en/sql-reference/functions/policy_references.html
Here is also an example from the docs:
use database my_db;
use schema information_schema;
select *
from table(information_schema.policy_references(policy_name => 'ssn_mask'));
Important: You have to execute the USE DATABASE ... and USE SCHEMA INFORMATION_SCHEMA commands or use a fully qualified identifier.
If this is not enough, you can query all policies with all tables and all columns when you combine the query above with your SHOW MASKING POLICIES; and the RESULT_SCAN() function.
RESULT_SCAN() allows you to query the results of SHOW MASKING POLICIES; (https://docs.snowflake.com/en/sql-reference/functions/result_scan.html)
Consequence: You get all names of policies and for each of them you can call POLICY_REFERENCES().

Related

Can snowflake masking policies be assigned to tags?

I know that masking policies can be assigned to columns, for example:
alter table if exists user_info modify column email set masking policy email_mask;
But can we assign one masking policy to a tag? So that all the columns with the tag in one table can automatically be assigned the masking policy?
Thanks.
The simple answer is No. Masking policies can only be attached to columns of tables and views.
If you are looking to automatically assign Masking Policies to tagged columns, you can do the following:
Join the COLUMNS view and the TAG_REFERENCES view to generate an ALTER statement that sets the masking policy on tagged columns that don't have masking policies assigned to them
Put it in a Stored Procedure
Schedule a Task to run the Stored Procedure regularly
As of June 2022, tag-based masking policies are now in public preview:
https://docs.snowflake.com/en/release-notes/preview-features.html
https://docs.snowflake.com/en/user-guide/tag-based-masking-policies.html
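The three steps above (generate the ALTER statements from TAG_REFERENCES and COLUMNS, wrap them in a stored procedure, schedule a task) as one added example; this is not code from the answer. It assumes a tag PII_CLASS whose values mark PII columns, the PII_MASK_STRING / PII_MASK_NUMERIC policies with signatures matching TEXT and NUMBER columns, a warehouse named compute_wh, and a caller that holds APPLY MASKING POLICY plus IMPORTED PRIVILEGES on the SNOWFLAKE database; the ACCOUNT_USAGE views lag by up to a couple of hours, so a freshly tagged column is picked up on a later run.

```sql
-- Stored procedure: find tagged columns without an active masking policy and attach one.
-- Constructed example; tag name, tag values and warehouse are assumptions.
CREATE OR REPLACE PROCEDURE apply_pii_masks()
RETURNS NUMBER
LANGUAGE SQL
EXECUTE AS CALLER          -- runs with the caller's privileges, not the owner's
AS
$$
DECLARE
    applied NUMBER DEFAULT 0;
    todo CURSOR FOR
        SELECT 'ALTER TABLE ' || t.object_database || '.' || t.object_schema || '.' || t.object_name ||
               ' MODIFY COLUMN ' || t.column_name || ' SET MASKING POLICY ' ||
               -- the policy signature must match the column type, hence the split by data type
               CASE WHEN c.data_type = 'TEXT' THEN 'PUBLIC.PII_MASK_STRING'
                    ELSE 'PUBLIC.PII_MASK_NUMERIC' END AS stmt
        FROM snowflake.account_usage.tag_references t
        JOIN snowflake.account_usage.columns c
          ON c.table_catalog = t.object_database AND c.table_schema = t.object_schema
         AND c.table_name = t.object_name AND c.column_name = t.column_name
         AND c.deleted IS NULL
        -- anti-join: skip columns that already carry an active masking policy
        LEFT JOIN snowflake.account_usage.policy_references p
          ON p.ref_database_name = t.object_database AND p.ref_schema_name = t.object_schema
         AND p.ref_entity_name = t.object_name AND p.ref_column_name = t.column_name
         AND p.policy_kind = 'MASKING_POLICY' AND p.policy_status = 'ACTIVE'
        WHERE t.domain = 'COLUMN' AND t.object_deleted IS NULL
          AND t.tag_name = 'PII_CLASS' AND t.tag_value IN ('name', 'phone')
          AND p.policy_name IS NULL;
BEGIN
    FOR r IN todo DO
        EXECUTE IMMEDIATE r.stmt;
        applied := applied + 1;
    END FOR;
    RETURN applied;    -- number of columns that received a policy on this run
END;
$$;

-- Task: run the procedure hourly so newly tagged columns are masked without manual work.
CREATE OR REPLACE TASK apply_pii_masks_hourly
    WAREHOUSE = compute_wh
    SCHEDULE = '60 MINUTE'
AS
    CALL apply_pii_masks();
ALTER TASK apply_pii_masks_hourly RESUME;
```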

Query for columns that have Data masking applied to them

I created a masking policy for PII data. I then applied it to a table like so:
CREATE TABLE EXAMPLE.EXAMPLE_TABLE
(ID INT,
LAST_NAME STRING,
PHONE_NUMBER INT);
ALTER TABLE EXAMPLE.EXAMPLE_TABLE MODIFY COLUMN LAST_NAME SET MASKING POLICY PUBLIC.PII_MASK_STRING;
ALTER TABLE EXAMPLE.EXAMPLE_TABLE MODIFY COLUMN PHONE_NUMBER SET MASKING POLICY PUBLIC.PII_MASK_NUMERIC;
Now I want to be able to reverse engineer a DDL script like this with the ALTER TABLE... SET MASKING POLICY included.
Is there a way to query for the list of columns that have masking policies applied to them (and which mask it uses)?
EDIT: For this case, the user has ownership of the table but not the masking policy. What permissions are required to query this information?
The information schema table-function POLICY_REFERENCES has some interesting information in this case, more here: https://docs.snowflake.com/en/sql-reference/functions/policy_references.html
If this is not enough, you can query all policies with all tables and all columns when you combine the query above with your SHOW MASKING POLICIES; and the RESULT_SCAN() function. RESULT_SCAN() allows you to query the results of SHOW MASKING POLICIES; (https://docs.snowflake.com/en/sql-reference/functions/result_scan.html)
Consequence: You get all names of policies and for each of them you can call POLICY_REFERENCES().
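The combination described in this answer and in the first question's answer (SHOW MASKING POLICIES, RESULT_SCAN, then POLICY_REFERENCES per policy), written out as an added Snowflake Scripting block; it is not code from either post. It assumes a role that may list the policies and read each policy database's INFORMATION_SCHEMA, and that all identifiers are unquoted (mixed-case names would need quoting when the call is built); the temporary table name is constructed.

```sql
-- Enumerate every masking policy in the account and list the columns each one is attached to.
DECLARE
    policies RESULTSET;
    refs     RESULTSET;
    stmt     VARCHAR;
BEGIN
    -- Step 1: SHOW output is not a table; RESULT_SCAN(LAST_QUERY_ID()) makes it queryable.
    SHOW MASKING POLICIES IN ACCOUNT;
    policies := (
        SELECT "database_name" AS db, "schema_name" AS sch, "name" AS nm
        FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
    );
    -- Accumulate one row per (policy, referenced column) across all databases.
    CREATE OR REPLACE TEMPORARY TABLE masking_policy_refs (
        policy_db VARCHAR, policy_schema VARCHAR, policy_name VARCHAR,
        ref_database_name VARCHAR, ref_schema_name VARCHAR, ref_entity_name VARCHAR,
        ref_entity_domain VARCHAR, ref_column_name VARCHAR
    );
    -- Step 2: call POLICY_REFERENCES once per policy, using fully qualified names
    -- so no USE DATABASE / USE SCHEMA is needed inside the loop.
    LET c CURSOR FOR policies;
    FOR p IN c DO
        stmt := 'INSERT INTO masking_policy_refs SELECT POLICY_DB, POLICY_SCHEMA, POLICY_NAME, ' ||
                'REF_DATABASE_NAME, REF_SCHEMA_NAME, REF_ENTITY_NAME, REF_ENTITY_DOMAIN, REF_COLUMN_NAME ' ||
                'FROM TABLE(' || p.db || '.INFORMATION_SCHEMA.POLICY_REFERENCES(policy_name => ''' ||
                p.db || '.' || p.sch || '.' || p.nm || '''))';
        EXECUTE IMMEDIATE stmt;
    END FOR;
    refs := (SELECT * FROM masking_policy_refs
             ORDER BY policy_db, policy_schema, policy_name, ref_entity_name, ref_column_name);
    RETURN TABLE(refs);   -- policy -> table/view -> column, for the whole account
END;
```

Policies that reference nothing still appear in the SHOW output but produce no rows here, so a policy missing from the result is one that is defined but not applied anywhere.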
A vendor option is to use a Snowflake partner solution to automate masking policies on PII for dynamic data masking using Immuta. There is a demo video here if you find it helpful.
Full disclosure: I am employed by Immuta and my team works on content for data engineers.

Is it possible to get the columns of few tables at once?

I'm interested in getting the structure of each table in my DB.
Currently I'm using: DESCRIBE TABLE table1.
However, this means I have to do a separate query for each table. Was wondering whether there is a query I can get the structure of several tables at once (and therefore saving me some queries)?
Thanks,
Nir.
You can use Account Usage/Information Schema view COLUMNS
https://docs.snowflake.com/en/sql-reference/account-usage/columns.html
The following article has a slightly different example of using the COLUMNS view to create a select statement, but it should give you an idea
https://community.snowflake.com/s/article/Select-columns-based-on-condition-in-Snowflake-using-Information-Schema-and-Stored-Procedure
You have a couple of options:
you can use the COLUMNS view in the information schema
https://docs.snowflake.com/en/sql-reference/info-schema/columns.html
Note: The view only displays objects for which the current role for the session has been granted access privileges.
you can use the COLUMNS view in the account_usage share schema:
https://docs.snowflake.com/en/sql-reference/account-usage/columns.html
Note: this will show all the columns in all tables, will show deleted objects and such as well.
Also note, there is a delay in the data (latency could be as much as 90 minutes, typically isn't though)
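An added example of the COLUMNS approach from the two answers above (not code from the posts): one query that returns a DESCRIBE-like column list for several tables at once, one row per table. Database, schema and table names are assumptions; as noted above, INFORMATION_SCHEMA only shows tables the current role can access.

```sql
-- Column list per table, in ordinal order, for several tables in one query.
-- Constructed example; my_db, EXAMPLE and the table names are assumptions.
SELECT table_schema,
       table_name,
       LISTAGG(column_name || ' ' || data_type ||
               CASE WHEN is_nullable = 'NO' THEN ' NOT NULL' ELSE '' END, ', ')
           WITHIN GROUP (ORDER BY ordinal_position) AS column_list
FROM my_db.information_schema.columns
WHERE table_schema = 'EXAMPLE'
  AND table_name IN ('TABLE1', 'TABLE2', 'TABLE3')   -- extend or drop the filter for the whole schema
GROUP BY table_schema, table_name
ORDER BY table_schema, table_name;
```

Switch the FROM clause to snowflake.account_usage.columns (adding `AND deleted IS NULL`) to cover every database at once, at the cost of the latency described above.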

Is it possible to protect columns of a view in snowflake?

I'm working at a company where one team manages the databases and others use tables / views from there. From time to time, views get refactored which might break things for other teams.
Is it possible to protect some columns so that those cannot simply be renamed / dropped? Or at least have a log message telling the person who wants to do it that another team depends on it?
In Snowflake, only users with roles who have privileges to update a view by changing its definition are able to make changes on the specified view. If a specific role has privileges to replace view definition, there is no mechanism to stop them from renaming or dropping columns.
You can see the logs in the QUERY_HISTORY function in the Snowflake Information_schema. The function gives extensive information on which user ran the query and the time it ran. A query like the one below would bring the appropriate information:
select user_name, role_name, query_text, start_time, end_time from table(information_schema.query_history())
where query_text ilike '%replace view %'
order by start_time desc;
The privilege to alter a view is all or nothing. It does not restrict which columns the role can or cannot alter, remove, add, etc. However, since Snowflake allows using views as part of another view, this can form part of your organization's overall approach to do what you're seeking.
For example, create a base view that has all the protected columns. Tightly control access to which roles can alter the base view. From the base view, create views on top that less privileged roles can alter.
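The layered-view approach from the answer above, as an added example that is not from the original post: the base view is owned by the platform role, consumer roles get SELECT only, and the audit query from the earlier answer is widened to also catch ALTER VIEW and DROP VIEW on the protected schema. Roles, databases, schemas and column names are assumptions.

```sql
-- Base view with the protected columns, owned by the platform role.
-- Constructed example; platform_admin, analytics, core and the column names are assumptions.
USE ROLE platform_admin;
CREATE OR REPLACE VIEW core.base.customer_v AS
    SELECT customer_id, email, created_at
    FROM core.raw.customer;

-- OWNERSHIP stays with platform_admin, so only that role can replace, rename or drop
-- the base view; analytics needs USAGE to reach it and SELECT to read it, nothing more.
GRANT USAGE ON DATABASE core TO ROLE analytics;
GRANT USAGE ON SCHEMA core.base TO ROLE analytics;
GRANT SELECT ON VIEW core.base.customer_v TO ROLE analytics;

-- The consuming team owns its own layer (assumed: analytics owns the analytics database)
-- and can refactor it freely without touching the protected columns underneath.
USE ROLE analytics;
CREATE OR REPLACE VIEW analytics.reporting.customer_signups AS
    SELECT customer_id, DATE_TRUNC('month', created_at) AS signup_month
    FROM core.base.customer_v;

-- Audit trail: who changed, altered or dropped any view in the protected schema.
-- REGEXP_LIKE must match the whole query text, hence the leading/trailing .*
USE ROLE platform_admin;
SELECT user_name, role_name, query_text, start_time, end_time
FROM TABLE(core.information_schema.query_history(result_limit => 10000))
WHERE REGEXP_LIKE(query_text,
        '.*(create\\s+or\\s+replace\\s+view|alter\\s+view|drop\\s+view)\\s+core\\.base\\..*', 'i')
ORDER BY start_time DESC;
```

Point the audit query at snowflake.account_usage.query_history instead if you need more than the 7 days INFORMATION_SCHEMA.QUERY_HISTORY retains.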

How to Restrict access to fields in a database

In a database (Microsoft Access, Relational), is it possible to restrict access to a specific field in a table for a certain group?
So the group would have access to the table but not see one of the fields?
If not, is the only way to do this by separating the data into another table and restricting it for this group?
You can not restrict access to a specific field.
However, you can create a query based off a table. And you can also set a table's "Visible" property to "No". This isn't foolproof; if the user knows how to change the properties of a table then they can change it back to "Visible".
There really is no 100% foolproof way to lock down an Access database entirely. However, you can make it awfully difficult by hiding the objects, hiding the database and bypassing the CTRL key (to avoid the old Shift/CTRL trick).
You can create different views for different users / user groups with only the columns they should be allowed to access. Then grant permissions for the users/user groups on those views accordingly.