How row filtering & column masking enable enterprise-grade security

Only users with the appropriate permissions have access to view and interact with sensitive data.


Column masks are now in public preview.

Today, we are excited to announce the addition of row filters and column masks in Starburst Galaxy. The combination of row filtering and column masking enables enterprise-grade security across all of your data, ensuring only users with the appropriate permissions have access to view and interact with sensitive data.

In this blog, we will show you some common use cases for row filters and column masks, as well as how to get started with each feature. 

How row filters work

Row filtering is a feature of Galaxy’s access control system that allows data admins to filter tables dynamically based on a user’s roles. This means that you can share the same underlying data set with multiple users without needing to create and store individual subsets of the data – a time-consuming and (sometimes) expensive process.

For example, imagine you have a large orders table that you want to share with sales. Sales teams should only see the orders closed in their region, so you can use row filters to automatically show only the rows that match their role’s region – e.g. if the user’s role is NAMER Sales, show only orders whose order country is “US”, “Canada”, or “Mexico”.

Before diving into how to create and apply row filters, let’s go over the core concepts:

  • Filters are defined in the policy section of a role
  • Roles can have one or more policies
  • Policies can have one or more filters
  • At query time, a predicate is applied automatically to the query

Applying row filters

Let’s start by creating the row filter and its expression. Navigate to the row filters section under access control, and click “Create row filter”. Give your filter a name, and enter your SQL expression. This is equivalent to a “WHERE” clause at query time. Here we are showing a filter for a specific customer key.

Next, navigate back to the policies screen and add your newly created row filter to the appropriate policy. If you haven’t created a policy yet, check out this blog on ABAC in Galaxy.

The result is that a user operating as this role is “forced” to have the filter applied within the given scope: only rows for which the expression evaluates to true are returned. Here’s an example of running the same query twice – once as a fully privileged role (account admin) and once as a specific customer with a row filter applied (customer_100100).

Query results from a role with full privileges

Same query from a role with row filters applied

How column masks work

We will also soon be launching the ability to apply column masks in Starburst Galaxy (check back here for status updates!). Column masking is a feature of Galaxy’s access control system that makes it easy to protect sensitive data while not hiding it completely. For example, a common use case of column masking is to obscure credit card information or SSNs (values are exposed as xxx-xx-1234). 

The process of managing column masks in Galaxy is nearly identical to row filters: masks are managed as reusable objects and applied to a role. 
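To make the mechanics from this section and the row filter section concrete, here is an added Python example; it is not Starburst’s code or Galaxy’s implementation, just a simulation of what the post describes. A role’s policy carries row-filter predicates and column-mask expressions, the user’s query is rewritten so that mask expressions replace the protected columns in the select list and the filters are ANDed into a WHERE clause, and the rewritten query runs against a constructed in-memory SQLite orders table. The role names, table, columns, sample rows and the mask expression are all assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample rows standing in for the post's "large orders table".
ORDERS = [
    # orderkey, custkey, order_country, ssn, total
    (1, "customer_100100", "US", "123-45-6789", 250.0),
    (2, "customer_100100", "Germany", "123-45-6789", 80.0),
    (3, "customer_200200", "Canada", "987-65-4321", 1200.0),
    (4, "customer_300300", "France", "555-11-2222", 40.0),
]
COLUMNS = ["orderkey", "custkey", "order_country", "ssn", "total"]


@dataclass
class Policy:
    # Each row filter is a SQL predicate; all filters in a policy are ANDed
    # into the WHERE clause of the rewritten query.
    row_filters: list[str] = field(default_factory=list)
    # Column masks map a column name to the SQL expression whose value is
    # returned in place of the real column value.
    column_masks: dict[str, str] = field(default_factory=dict)


# Hypothetical role-to-policy assignments mirroring the post's examples:
# a fully privileged admin, a regional sales role, and one customer role.
SSN_MASK = "'xxx-xx-' || substr(ssn, -4)"  # keeps only the last four digits
ROLE_POLICIES = {
    "account_admin": Policy(),
    "namer_sales": Policy(
        row_filters=["order_country IN ('US', 'Canada', 'Mexico')"],
        column_masks={"ssn": SSN_MASK},
    ),
    "customer_100100": Policy(
        row_filters=["custkey = 'customer_100100'"],
        column_masks={"ssn": SSN_MASK},
    ),
}


def rewrite_query(role: str, table: str, columns: list[str]) -> str:
    """Return the query effectively executed for `role`: masked columns are
    substituted in the select list and row filters become a WHERE clause.
    A role with no policy is refused rather than given unfiltered access."""
    policy = ROLE_POLICIES.get(role)
    if policy is None:
        raise PermissionError(f"no policy assigned to role {role!r}")
    select_list = [
        f"{policy.column_masks[c]} AS {c}" if c in policy.column_masks else c
        for c in columns
    ]
    sql = f"SELECT {', '.join(select_list)} FROM {table}"
    if policy.row_filters:
        sql += " WHERE " + " AND ".join(f"({f})" for f in policy.row_filters)
    return sql + " ORDER BY orderkey"


def build_db() -> sqlite3.Connection:
    """Create the constructed orders table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (orderkey INTEGER, custkey TEXT, "
        "order_country TEXT, ssn TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", ORDERS)
    return conn


def run_as(role: str) -> list[tuple]:
    """Run 'SELECT * FROM orders' as `role`, with its policy enforced."""
    conn = build_db()
    try:
        return conn.execute(rewrite_query(role, "orders", COLUMNS)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for role in ROLE_POLICIES:
        print(role, "->", rewrite_query(role, "orders", COLUMNS))
        for row in run_as(role):
            print("   ", row)
```

The same base query returns all four rows with clear SSNs for account_admin, the two NAMER rows with masked SSNs for namer_sales, and only customer_100100’s two rows (also masked) for that customer role. Two design points worth noting: filters are combined with AND so that adding a filter can only narrow a result, and a role without any assigned policy is refused instead of silently falling through to the unfiltered table.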

Here are a couple of preview screenshots for your reference:

Creating a column mask

The policy screen with column masks

What’s next for attribute-based access control (ABAC) in Galaxy

This functionality is just the start of our ABAC journey in Starburst Galaxy. We hope to add the following features soon: 

  • User-Based Attributes – A powerful use case for ABAC is dynamically driving policies based on a particular user’s attributes. Examples may include department, logged in location, IP address, or other custom attributes. Galaxy will leverage these attributes to drive policies, including row filter expressions.
  • Fine-Grained Tagging Permissions – Currently, to tag a data asset you need a global permission that allows you to tag any data asset. We’ll soon have the ability to delegate this specific functionality to data owners, so they can only tag their own assets.

In the meantime, try out Starburst Galaxy today or take the free, hands-on Starburst Academy course to learn more about RBAC and ABAC. 