1

I created a masking policy that I can apply across different schemas and databases. However, unless I recreate the masking policy in each database schema combination it won't let me apply the policy. It would throw Masking policy 'DATABASE_NAME.SCHEMA_NAME.POLICY_NAME' does not exist or not authorized. Until i create the masking policy with that database and schema selected.

Kyle
  • 53
  • 5
  • 1
    Yes. It's actually best practice that you keep utility-type content in a separate db schema so it can be centrally managed. That said policy can then be applied to any table any where as long as you have defined your RBAC + privileges well. That same utility area could also house other content that you could centrally manage, like functions, stored procedures and so on. – patrick_at_snowflake Nov 08 '21 at 22:35
  • @patrick_at_snowflake do you mean that i have the masking policy AND the PII tables in the same db/schema? – Kyle Nov 09 '21 at 03:25
  • in that case how can i use the masking policy defined in a separate db and apply it to columns in my prod db? It keeps throwing that the masking policy does not exist – Kyle Nov 09 '21 at 05:06
  • As Eric states below, in Snowflake you have the flexibility to define these objects in the same area or in seperate areas; access of those objects is controlled by RBAC. – patrick_at_snowflake Nov 09 '21 at 06:43

1 Answers1

2

@Kyle you simply define your masking policy in a separate DB/Schema, and you can reference it from any other DBs/Schemas.

For example, you create policy_db.policy_schema.email_mask, then you can reference this policy using the absolute path in your apply query.

alter table if exists user_info 
  modify column email set masking policy policy_db.policy_schema.email_mask;

The policy does not have to be under the same DB/Schema where the table you want to apply sits under.

Eric Lin
  • 1,440
  • 6
  • 9