Using Label Policies to Hide and Mask Sensitive Data

Column masking is currently in preview.

Label masking policies are a mechanism for establishing column-level visibility controls for tables, so you can specify whether and to whom to display data from that column.

Masking policies are defined on labels. They leverage Tabular’s standard role-based access controls such that only specified roles can access data in select columns. By applying a label with a masking policy to a column, only authorized users are able to access the column’s data.

At a high level, the process for using labels to limit column visibility is as follows:

  1. At the organization level, you create a label, configure a masking policy, and optionally select exempt roles.
  2. At the individual table level, select the column(s) to which you wish to apply the label.
  3. For roles that only have SELECT on the table, labeled column data is masked unless the role has been exempted.

Keep in mind that applying a masking policy to a table column has no effect on the table schema, nor does it directly alter the column values.

Label masking policies offer 2 ways to obscure data:

  • NULL - if selected, the value of the column always returns as NULL. This also means that the column should not be used as a filter.
  • Hide column - removes the column from the schema, and all schema versions, as though it doesn’t exist. Queries that are subject to this policy and attempt to use the column will fail.

Understanding label permissions

Anyone can create a label. But for all other label actions – enabling policies, assigning roles, applying to columns – Tabular requires discrete role permissions, as it does with access to any resource. This includes:

  • Edit or delete a label
  • Apply or remove the label to a column
  • Assign roles and role privileges to do any of the above

Authorizations are applied to a label via a role, as with other permissions. Also as with other authorizations, to assign any privilege you must possess the GRANT option.

The table below illustrates the different capabilities and their required permissions:

ActionLabel Privilege Required  Table Privilege Required
Create a label
Modify or Delete a labelMODIFY
Set Masking PolicyMODIFY & GRANT
Set Masking PolicyMODIFY & GRANT
Grant privileges on a labelGRANT
Apply to a columnAPPLYUPDATE
Query masked column dataPOLICY_EXEMPTSELECT

To set label permissions, go to Labels Overview > Create (or edit) Label > Access Control.

To set table permissions, go to Table Overview > Access Control.

Understanding label effects

When you set a masking policy, assign a role, and apply a label, whether people can continue to access that data depends on their table permissions and on what roles you exempt from the policy you set. Masking policies are not blanket – that is, even when applied most broadly they only mask data from a subset of Tabular users. You can:

  • Apply a label but exempt no one – Everyone with UPDATE or higher table permissions regardless of role retains access to the masked data.
  • Apply a label and exempt roles – Every member of those roles with least SELECT access on the table PLUS everyone with UPDATE or higher table permissions retain access to the masked data.

Security Admins have privileges to grant access to others via the access control tabs (both on the label and the table). However, they still must have explicit privileges for everything else: modifying the label, setting the policy, applying the label, querying masked columns, and so on.

Creating, configuring, and applying column labels

To create a label:

  1. Navigate to Organizations > Labels.
  2. Click Plus icon. The Create a Label window opens.
  3. Enter a label name and, optionally, a description.
  4. When you’re done, click Create Label, or continue to assign a masking policy.

To assign a masking policy:

  1. In the Policy tab, click the Column masking slider to activate masking.
    • To make the column available for querying but to display all values as NULL, select NULL.
    • To hide the column altogether, including from queries, select Hide column.
  2. Optionally, specify one or more roles you wish to exempt from this policy. To do this, click the Add roles box and, from the list that displays above the box, click the role you want.
    • Remember, you’re not creating a masking policy and specifying the roles it applies to; you’re creating a masking policy and then specifying the roles it DOES NOT apply to.
    • To exempt additional roles, repeat this step.
    • Column values continue to display as is for the members of the roles you exempt.
  3. When you’re done, click Create Label, or continue to configure additional access controls.

Tabular displays an error message if you try to set a policy but do not have the privileges to do so. The label you created remains, without a policy.

If the role you exempt access to the table containing the column, role members will see the true column values (even with the label applied).

Roles with the UPDATE privilege on the table are also exempt.

To specify additional access controls

  1. Click Access Control.
  2. Specify any additional role or roles you wish to grant access. To do this, click the Add roles box and, from the list that displays above, select the role you wish.
    • To assign additional roles, repeat this step.
  3. Click to select the access level you wish.
    • To limit this role to just editing the label name and description, click MODIFY. (This also gives the ability to delete the role.)
    • To allow role members to configure access controls and masking policy for this label, in addition to editing its name and description, click GRANT.
    • To grant role members the ability to apply this policy to a resource, click APPLY.
  4. When you’re done, click Create Label.

Editing a label

Editing a label requires MODIFY permissions on the label, but otherwise involves the same steps as creating a label.

To edit a label

  1. Navigate to Navigate to Organizations > Labels
  2. From the list that displays, find the label you wish to modify, and to the right click edit icon. The Edit label window opens.
  3. To change any of the settings, follow the same steps as creating a label from scratch.
  4. When you’re done, click Save Label.

Labels also display this way in the Table Overview page when applied to a column. .

Applying a label to mask or hide a table column

You need both the UPDATE privilege on the table and the APPLY privilege on the label to apply the label to a column.

To apply a label to a table column

  1. Navigate to the Table Overview page of the table containing a column you wish to mask.
  2. Find the column you want and, to the right, click plus icon.
  3. Search for a label or choose from the list. Click the label you want to apply to this column.
    • To apply more than one label to this column, repeat this step.
    • If you apply multiple labels to a column and each label has a different mask policy, the order of precedence is HIDE, MASK, NONE.

You can apply labels to a nested field in a struct.

You cannot apply labels with an active column masking policy to partition columns; doing so throws an error.

Removing a label from a column

To remove a label from a column

  1. Navigate to Table Overview page of the table containing columns you wish to obscure.
  2. Find the column and label you wish to remove.
  3. On the right side of the label, click close icon.

Deleting a label

Before you can delete a label you must first remove it from all resources to which it has been applied.

To delete a label

  1. Navigate to Organizations > Labels.
  2. From the list that displays, find the label you wish to modify, and to the right click menu icon.
  3. When the Edit Label box displays, click Delete Label, and at the prompt click Delete.


Do these label policies prevent users from accessing the actual files? No. Column masking does not provide file-level access controls to the underlying data.