Snowflake Dynamic Data Masking (DDM) masks column values in query results at runtime based on the executing user's role, without modifying the underlying table data. You simply create a Masking Policy object and attach it to a column to protect sensitive data such as PII, credit card numbers, and email addresses. Enterprise Edition or higher is required.
DDM is evaluated at query execution time in Snowflake's service layer. The conditional expression in the Masking Policy attached to a column is evaluated against the executing role, and if the condition matches, the masked value is returned.
Query execution flow:
[SELECT email FROM customers]
│
▼
[Service layer: Masking Policy evaluation]
│
├─ Executing role = DATA_ADMIN → returns original: [email protected]
│
└─ Executing role = ANALYST → returns masked: ****@****.comA Masking Policy is created with CREATE MASKING POLICY. The input data type and the return type must match.
-- Mask an email address
CREATE OR REPLACE MASKING POLICY email_mask AS
(val STRING) RETURNS STRING ->
CASE
WHEN IS_ROLE_IN_SESSION('DATA_ADMIN') THEN val
WHEN IS_ROLE_IN_SESSION('ANALYST') THEN REGEXP_REPLACE(val, '.+@', '****@')
ELSE '********'
END;
-- Mask a numeric value (salary)
CREATE OR REPLACE MASKING POLICY salary_mask AS
(val NUMBER) RETURNS NUMBER ->
CASE
WHEN IS_ROLE_IN_SESSION('HR_ADMIN') THEN val
ELSE 0
END;
-- Mask a date (reduce date of birth to the year only)
CREATE OR REPLACE MASKING POLICY dob_mask AS
(val DATE) RETURNS DATE ->
CASE
WHEN IS_ROLE_IN_SESSION('DATA_ADMIN') THEN val
ELSE DATE_FROM_PARTS(YEAR(val), 1, 1)
END;| Function | Behavior | Recommendation |
|---|---|---|
| IS_ROLE_IN_SESSION() | Checks whether the role exists in the current session's role hierarchy | Recommended |
| CURRENT_ROLE() | Returns the name of the currently active role | Not recommended; does not consider the role hierarchy |
| IS_GRANTED_TO_INVOKER_ROLE() | Checks the invoker's privileges (used inside stored procedures) | For specialized use cases |
IS_ROLE_IN_SESSION() respects the role hierarchy, so roles inherited from child roles are evaluated correctly. CURRENT_ROLE() only returns the name of the active role and therefore ignores the role hierarchy.
Attach a Masking Policy to a column with ALTER TABLE ... ALTER COLUMN ... SET MASKING POLICY.
-- Attach a policy to a column on an existing table
ALTER TABLE customers
ALTER COLUMN email SET MASKING POLICY email_mask;
ALTER TABLE employees
ALTER COLUMN salary SET MASKING POLICY salary_mask;
ALTER TABLE employees
ALTER COLUMN date_of_birth SET MASKING POLICY dob_mask;
-- Detach a policy
ALTER TABLE customers
ALTER COLUMN email UNSET MASKING POLICY;
-- Attach a policy at table-creation time
CREATE TABLE sensitive_data (
id NUMBER,
ssn STRING WITH MASKING POLICY ssn_mask,
email STRING WITH MASKING POLICY email_mask
);Tag-based Masking binds object tags to Masking Policies so that every column carrying the tag is automatically masked. In large environments with hundreds or thousands of columns, it eliminates the chore of attaching policies column by column.
-- Step 1: Create the tag
CREATE OR REPLACE TAG pii_type
ALLOWED_VALUES 'email', 'phone', 'ssn', 'name';
-- Step 2: Bind Masking Policies to the tag
ALTER TAG pii_type SET
MASKING POLICY email_mask FOR 'email',
MASKING POLICY phone_mask FOR 'phone',
MASKING POLICY ssn_mask FOR 'ssn',
MASKING POLICY name_mask FOR 'name';
-- Step 3: Apply the tag to columns (the policy is applied automatically)
ALTER TABLE customers ALTER COLUMN email
SET TAG pii_type = 'email';
ALTER TABLE customers ALTER COLUMN phone_number
SET TAG pii_type = 'phone';
-- The matching Masking Policy is auto-applied based on the tag value| Approach | Unit of configuration | Manageability | Best fit |
|---|---|---|---|
| Direct attachment (ALTER COLUMN SET) | Per column | Easy for a small number of columns | Small scale or column-specific control |
| Tag-based Masking | Per tag value | Bulk management at scale | Hundreds of columns with clear PII classification |
When both a directly attached Masking Policy and a Tag-based Masking Policy apply to the same column, the directly attached policy wins.
| Feature | Standard | Enterprise | Business Critical |
|---|---|---|---|
| Dynamic Data Masking | × | ○ | ○ |
| Tag-based Masking | × | ○ | ○ |
| Row Access Policy | × | ○ | ○ |
| Object Tagging | × | ○ | ○ |
| External Tokenization | × | × | ○ |
-- List Masking Policy references in the account
SELECT * FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(
POLICY_NAME => 'email_mask'
));
-- Inspect which policies are attached to a table's columns
DESCRIBE TABLE customers;
-- List Masking Policies in a schema with SHOW MASKING POLICIES
SHOW MASKING POLICIES IN SCHEMA my_db.my_schema;
-- Inspect a policy's definition
DESCRIBE MASKING POLICY email_mask;Dynamic Data Masking
問題 1
A table's email column has a Masking Policy directly attached, and the same column also carries a tag that has a Tag-based Masking Policy bound to it. Which policy is evaluated at query time?
正解: B
In Snowflake, a Masking Policy directly attached to a column (ALTER COLUMN SET MASKING POLICY) takes precedence over a Tag-based Masking Policy. When both are set, only the directly attached policy is evaluated and the Tag-based Masking is ignored. No conflict error is raised.
What is the difference between Dynamic Data Masking and Static Data Masking?
Dynamic Data Masking (DDM) masks data in real time at query execution and leaves the underlying data untouched. Whether a query returns masked or unmasked values depends on the executing user's role. Static Data Masking, by contrast, irreversibly transforms the source data itself; it is not a native Snowflake feature and is handled via external tools. The SnowPro exam covers DDM.
Which Snowflake edition is required to use a Masking Policy?
Dynamic Data Masking is available on Enterprise Edition or higher and is not supported on Standard Edition. Tag-based Masking Policy also requires Enterprise Edition or higher. Other features that require Enterprise or above include Row Access Policy, Column-level Security, and Object Tagging.
Can you attach multiple Masking Policies to a single column?
No. Only one Masking Policy can be attached to a given column. However, inside a single Masking Policy you can use CASE expressions and IS_ROLE_IN_SESSION to define different masking behavior for different roles. With Tag-based Masking, you can also bind tags to Masking Policies and apply them across many columns by tag value.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...