Skip to content

Safeguard Policies (Preview Feature)

This document describes how to set up catalog wide safeguard policies for catalog administrators.

Note: This feature is in private beta. Please contact Okera for more information.

How do safeguard policies work?

Safeguard policies do not grant access to data. Instead they act as a global defense check or 'safeguard' to ensure that certain data is always masked, or only allowed to be viewed by certain users, regardless of lower level permissions granting access to it. For example you might want to ensure that highly sensitive data, such as social-security numbers, are always masked, or you might have to comply with regionally specific regulation stipulating that customer data from that region can only be viewed by analysts in that region.

Who do safeguard policies apply to?

Safeguard policies will apply to all users, except for catalog admins. This means that a user can have ‘ALL’ on a dataset, but will still see data masked as per a safeguard policy.

How do safeguard policies interact with existing permissions?

Safeguard policies are applied after the initial permission evaluation. They will always override any other transformation policies on the data, and will apply in addition to any existing row-level filters.

For example if a user had access to a table with a policy condition tokenizing social-security number(ssn), but the safeguard policy was masking ssn, they would see ssn masked.

Who has access to control safeguard policies?

  • Whilst in beta, only catalog admins have access to create and modify safeguard policies.
  • Users who can grant permissions on data objects will be able to view (but not modify) all the safeguard policies that are applying across the catalog.

Create a safeguard policy

To create a safeguard policy, click on Safeguards in the left navigation menu, and select the Create safeguard policy button.

Safeguard policy masking ssn example.

Example: Transform data by tags

The safeguard policy below will ensure that any data tagged pii.us_ssn will always appear masked across the entire catalog, for all users except catalog admins.

Safeguard policy masking ssn example.

Example: Restrict rows to users with a certain attribute

The safeguard policy below will ensure that all rows where the column country contains the value 'Switzerland' will be restricted to only users who have the user attribute 'Switzerland' for country.

Safeguard policy masking ssn example.

Delete a safeguard policy

Click the Delete button under Actions on the list of safeguard policies.


Deleting a safeguard policy could leave highly sensitive data exposed across the catalog and should be done with caution. Before deleting a safeguard policy you should ensure that highly sensitive data will not be able to be accessed via lower level permissions on databases and datasets.

Safeguard policy masking ssn example.

View policy SQL

If you wish to programmatically create safeguard policies, you can view the associated policy SQL by clicking the Show policy SQL button during policy creation, or by clicking the View policy SQL button on the safeguard policy list.

Viewing safeguard policies when granting permissions

Users with access to grant permissions on data objects will see a list of all the active safeguard policies across the catalog both in the policy builder, as well as on the permissions tab on the data object page.

Safeguard policy masking ssn example.

FAQs & troubleshooting

How do safeguard policies work with different datatypes?

Safeguard policies are able to mask data across datatypes, see Privacy and Security Functions for more information.

What conflicts apply to safeguard policies?

You will not be allowed to create a safeguard policy that contradicts another safeguard policy, for example if one safeguard policy is saying mask social-security number, but another one says to null it.