Tag-based masking is a Snowflake feature that uses tags attached to columns as the trigger for automatically applying masking policies. It enforces consistent controls across thousands of tables and columns, and adapts to additions and schema changes.
This article walks through the mechanics and prerequisites, a minimal implementation, operational automation, comparison with other approaches, and the points most likely to appear on the exam.
Tags attach semantic meaning to columns, and any masking policy bound to a tag is applied automatically. As long as new columns and tables receive tags, you never need to re-attach policies one by one.
Building a pipeline of classification (e.g. PII/CONFIDENTIAL) → tagging → automatic masking removes manual dependence, prevents application gaps, and strengthens auditability.
Tags are schema-level objects. You attach a tag and tag value to a column, then associate a masking policy with that tag (or specific tag value). At query time, the policy is automatically applied to the column and the value is masked according to the user's role.
Precedence generally puts a masking policy attached directly to the column first, with tag-based masking evaluated next. The standard practice is to design away from conflicts entirely.
This example shows a minimal setup that automatically masks a string column (e.g. EMAIL) whenever the PII tag is applied. Other types such as numeric columns get their own type-matched policies.
The clearest implementation order is: define the tag → create the policy → associate the policy with the tag → tag the column → verify. This also keeps the audit trail easy to follow.
Flow: tag → policy → masking at query time
Example: defining the tag, creating the policy, associating it, and applying it to a column
use role SECURITYADMIN;
-- 1) Define the tag
create or replace tag DATA_CLASSIFICATION allowed_values 'PII','CONFIDENTIAL','INTERNAL','PUBLIC';
-- 2) Masking policy for string columns
create or replace masking policy PII_MASK_STR as (val string) returns string ->
case
when is_role_in_session('DATA_STEWARD') then val
else regexp_replace(val, '(?<=.).', 'X')
end;
-- 3) Bind the policy to tag value 'PII'
alter tag DATA_CLASSIFICATION set masking policy PII_MASK_STR using (value => 'PII');
-- 4) Tag the column (masking applies automatically from here)
alter table SALES.CUSTOMER modify column EMAIL set tag DATA_CLASSIFICATION = 'PII';
-- 5) Verify
use role ANALYST;
select EMAIL from SALES.CUSTOMER limit 5;Use Snowflake's data classification or ETL-time pattern detection to surface candidate columns, then automate tagging through workflows (Tasks or external CI/CD). Because masking applies automatically once the tag is set, operations boil down to correct tagging and auditing.
For audit, periodically query ACCOUNT_USAGE views to capture tag and policy references, and detect deviations (e.g. a tag is set but the policy doesn't apply due to a type mismatch).
Audit SQL examples (visualizing tag and policy references)
-- Check tag references on columns
select tag_database, tag_schema, tag_name, object_database, object_schema, object_name, column_name, tag_value
from snowflake.account_usage.tag_references
where tag_name = 'DATA_CLASSIFICATION' and domain = 'COLUMN'
order by object_database, object_schema, object_name, column_name;
-- Check where masking policies are referenced (tags or columns)
select policy_name, policy_kind, ref_entity_name, ref_column_name, ref_entity_domain
from snowflake.account_usage.policy_references
where policy_kind = 'MASKING_POLICY'
order by policy_name;Tag-based masking is the workhorse of large-scale governance. Attaching policies directly per column, or hand-rolling masking in views, still have their place for local requirements. Here's how the characteristics and trade-offs line up.
| Approach | Scope / Scalability | Management Cost | Key Benefits |
|---|---|---|---|
| Tag-based masking | Automatically applied to every tagged column; follows new columns | Low (focused on tag operations) | Unified governance, auto-application, easy auditing |
| Direct policy attachment to columns | Single columns only; new columns require manual application | Medium to high (must react to every change) | Ideal for exceptions and short-term overrides; clear precedence (wins over tags) |
| Manual masking in views | Limited to access through the view | Medium to high (view proliferation and consistency become a burden) | Easy to tailor exposed columns per consumer |
Masking is evaluated at query time and typically doesn't cause noticeable slowdowns on common analytic workloads. That said, stuffing policies with large CASE statements or heavy regex raises CPU cost, so keep them simple.
Conflicts and type mismatches are common governance pitfalls. Make sure everyone knows direct policy attachment takes precedence, avoid stacking multiple tag-based assignments by design, and audit references on a regular cadence.
Quick test (switch roles to verify)
use role DATA_STEWARD; -- role that can see clear text
select EMAIL from SALES.CUSTOMER limit 3; -- clear text
use role ANALYST; -- role that should see masked values
select EMAIL from SALES.CUSTOMER limit 3; -- masked values
-- Confirm which role evaluated the query
select current_role();Security
問題 1
You need to consistently hide PII across thousands of columns spread over many schemas based on data classification results, and the masking must apply automatically to columns added in the future. Which Snowflake approach achieves this with the lowest operational cost?
正解: B
Tag-based masking applies policies automatically with tagging as the trigger, scaling cleanly and following newly added columns. Manual masking in views (A) doesn't scale, C is connection control rather than column exposure control, and D is row-level filtering and doesn't fit a column-masking requirement.
What happens if multiple tag-based masking policies target the same column?
A masking policy attached directly to the column always takes precedence. Avoid designs where multiple tag-based policies compete; keep your tag taxonomy and association rules unambiguous.
Can I use different masking policies per tag value?
Yes. You can associate a policy with a tag or with a specific tag value. For different data types, prepare policies whose signatures match each column type.
Is there a performance impact?
Masking is evaluated at query time, but lightweight role-check policies typically have minimal impact. In practice, keep regex and complex logic to a minimum to stay efficient.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...