Hi Rupa,
You can define row filters centrally and apply them dynamically to single or multiple tables based on governed tags - no duplication is required.
It has three main components.
- Governed Tags - Apply the account level tags to tables/columns to classify them (sensitivity:high, department:finance etc)
- Row Filter UDFs - SQL functions that return BOOLEAN (if true - user can see the row)
- Policies - Its created at catalog, schema or table level that bind UDFs to users/groups based on tag conditions
You can follow below
-- Create account-level governed tag with allowed values
CREATE TAG sensitivity VALUES ('high', 'medium', 'low');
CREATE TAG department VALUES ('finance', 'hr', 'sales', 'engineering');
CREATE TAG region VALUES ('US', 'EU', 'APAC');โ
-- Tag entire tables
ALTER TABLE main.default.sensitive_transactions
SET TAGS ('sensitivity' = 'high', 'region' = 'US');
ALTER TABLE main.default.employee_data
SET TAGS ('sensitivity' = 'high', 'department' = 'hr');โ
- Create Row Filter UDF that contain filtering code
-- Filter by user's department
CREATE OR REPLACE FUNCTION main.default.filter_by_department(dept_column STRING)
RETURNS BOOLEAN
RETURN
CASE
WHEN is_account_group_member('HR admins') THEN TRUE -- HR sees all
WHEN is_account_group_member('Finance admins') AND dept_column = 'finance' THEN TRUE
WHEN is_account_group_member('Sales team') AND dept_column = 'sales' THEN TRUE
ELSE FALSE
ENDโ
CREATE POLICY dept_filter_on_employees
ON TABLE main.default.employee_data
COMMENT 'Users see rows from their department'
ROW FILTER main.default.filter_by_department
TO `All Users` EXCEPT `Data admins`
FOR TABLES
MATCH COLUMNS has_tag('department') AS dept
USING COLUMNS (dept);โ
You can create policies at catalog/schema level to apply it to all tables under it as below
CREATE POLICY catalog_wide_filter
ON CATALOG main
COMMENT 'Restrict sensitive data across entire catalog by department'
ROW FILTER main.default.filter_by_department
TO `All Users` EXCEPT `C-suite`, `Data admins`
FOR TABLES
WHEN has_tag_value('sensitivity', 'high')
MATCH COLUMNS has_tag('department') AS dept
USING COLUMNS (dept);
You can use the TO and EXCEPT clauses to control which users/groups the policy applies to.
- TO - Policy applies to these users/groups
- EXCEPT - users/groups bypass the filter (see all rows)
You can create policies once & apply it automatically. Unity Catalog evaluates policies at query time and provides the relevant data.