Skip links

When to use Row Access versus Column Masking Policies

Part 3: Governance on Snowflake Series

  1. Simplify Data Governance with Row Access Policies
  2. How to Apply Row Access Policies with Multiple Columns in Snowflake: A Medical Claims Data Example

Snowflake has multiple options to apply data governance (and is coming out with new features almost continuously). So how do you know what you should be applying and when to use one versus another? There are two main governance features — row access and column masking. They are each made for specific use cases and can also be used together.

Row Access Policies are meant to allow multiple business units or tenants access to the same table or view but only granting them permission to see rows which they have approval to see. The approval is based on a single or set of columns in that data that can tell the policy when to allow that row to be visible to a particular role.

Column masking policies provide the ability to hide sensitive data based on a column. Sensitive data columns are identified from the business users and then masking policies put in place to obscure the relevant data columns if someone is not privy to sensitive information.

Let’s take a look at an example:

A public health care system in a major US city might have multiple payors that contribute to its collection of claims at various facilities throughout the region. Internal financial officers need access to all the data from each of the payors in order to produce financial reports as well as managed care teams needing the same relevant data in order to help project and manage costs across the network. Facilities need a centralized view of all the claims coming through their location as well without having access to other facility’s claims. Certain users in the facilities are allowed to see PII within the claims and others are not.

Instead of creating multiple views of the same dataset and restricting access to each view to the role needing it, imagine creating a single view of the data where changes can be maintained exactly once and then using row access or column masking to manage access. We can leverage the data in the columns to determine what role needs access to which rows.

When to use Row Access versus Column Masking Policies

To see examples of how to create the policies, look at one of the two previous posts.