Hide Columns in Snowflake Data

If a user has SELECT access for a table in Snowflake, they will always be able to see all the columns in the table. To ensure that they cannot see the data in particular columns, transform the column data using one of Okera's many transformation functions (mask, hash, tokenize, encrypt, and more).

BI Gateway and Policy Sync Enforcement Differences

You cannot completely hide columns when using Snowflake policy synchronization enforcement, unlike Okera's BI gateway enforcement, which allows you to restrict the columns viewed. With Snowflake policy synchronization, any data in columns for which a user has no permissions is nullified, but the columns still appear.

For example, suppose table okera_sample.sample has column col1 tagged with pii.phone. Then suppose you have the following GRANT on this table:

GRANT SELECT ON TABLE okera_sample.sample HAVING ATTRIBUTES IN (pii.phone) TO ROLE user_role;

In a BI gateway enforcement environment, when a user who is assigned the user_role issues the SQL command SELECT * FROM okera_sample.sample, they will only see col1, because their user_role has only been granted permission to see table columns tagged with pii.phone (in this case, col1 of the table).

However, in a Snowflake policy synchronization enforcement environment (assuming the connection with the GRANT has been synchronized), when a user who is assigned the user_role issues the SQL command SELECT * FROM okera_sample.sample, they will see all the table columns in okera_sample.sample, but all the columns except col1 will have a null transformation applied.
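Because policy synchronization leaves every column name visible, it is worth confirming, as the restricted role, that only the granted columns return data. The following check is an added example, not Okera's code: it works on any Python DB-API cursor, and the in-memory SQLite table, the columns col2 and col3, and all row values are constructed stand-ins for a real Snowflake session opened as user_role.

```python
import sqlite3

def audit_visible_data(cursor, table, permitted):
    """Run SELECT * as the role under test and return
    (column names the role can list, columns outside `permitted` that
    still return non-NULL data). `table` must be a trusted, fixed
    identifier because it is interpolated into the query text."""
    cursor.execute(f"SELECT * FROM {table}")
    names = [d[0] for d in cursor.description]
    leaking = set()
    for row in cursor.fetchall():
        for name, value in zip(names, row):
            # Compare case-insensitively: Snowflake reports unquoted
            # column names in upper case.
            if value is not None and name.lower() not in permitted:
                leaking.add(name)
    return names, sorted(leaking)

# Constructed sample data. col2 and col3 are hypothetical columns that
# are not tagged pii.phone; only col1 is covered by the GRANT.
SYNCED_ROWS = [("555-0100", None, None), ("555-0101", None, None)]
UNSYNCED_ROWS = [("555-0100", "alice", "Oslo"), ("555-0101", None, "Rome")]

def demo_cursor(rows):
    """SQLite stand-in for what user_role would receive from Snowflake."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sample (col1 TEXT, col2 TEXT, col3 TEXT)")
    conn.executemany("INSERT INTO sample VALUES (?, ?, ?)", rows)
    return conn.cursor()

if __name__ == "__main__":
    for label, rows in (("synced", SYNCED_ROWS), ("not synced", UNSYNCED_ROWS)):
        names, leaking = audit_visible_data(demo_cursor(rows), "sample", {"col1"})
        print(f"{label}: columns listed={names} non-null outside grant={leaking}")
```

An empty second value means the role sees the column names but no data outside its grant, which is the expected policy synchronization result; any column reported there has not had the null transformation applied.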