How row filtering & column masking enables enterprise grade security
Alex Breshears
Product Manager
Starburst
Alex Breshears
Product Manager
Starburst
Share
More deployment options
Today, we are excited to announce the addition of row filters and column masks in Starburst Galaxy. The combination of row filtering and column masking enables enterprise grade security across all of your data, ensuring only users with the appropriate permissions have access to view and interact with sensitive data.
In this blog, we will show you some common use cases for row filters and column masks, as well as how to get started with each feature.
How row filters work
Row filtering is a feature of Galaxy’s access control system that allows data admins to filter tables dynamically based on a user’s roles. This means that you can share the same underlying data set with multiple users without needing to create and store individual subsets of the data – a time consuming and (sometimes) expensive process.
For example, imagine you have a large orders table that you want to share with sales. Sales teams are only privy to see the orders closed in their region, so you can use row filters to automatically show only the rows that match their role’s region – e.g. if user role = NAMER Sales, then show orders that show “US”, “Canada”, or “Mexico” as the order country.
Before diving into how to create and apply row filters, let’s go over the core concepts:
- Filters are defined in the policy section of a role
- Roles can have one or more policies
- Policies can have one or more filters
- At query time, a predicate is applied automatically to the query
Applying row filters
Let’s start by creating the row filter and expression. Navigate to the row filters section under access control, and click “Create row filter”. Give your filter a name, and enter in your SQL expression. This is equivalent to a “WHERE” clause at query time. Here we are showing a filter for a specific customer key.
Query results from a role with full privileges
Same query from a role with row filters applied
How column masks work
We will also soon be launching the ability to apply column masks in Starburst Galaxy (check back here for status updates!). Column masking is a feature of Galaxy’s access control system that makes it easy to protect sensitive data while not hiding it completely. For example, a common use case of column masking is to obscure credit card information or SSNs (values are exposed as xxx-xx-1234).
The process of managing column masks in Galaxy is nearly identical to row filters: masks are managed as reusable objects and applied to a role.
Here are a couple of preview screenshots for your reference:
Creating a column mask
The policy screen with column masks
What’s next for attribute-based access control (ABAC) in Galaxy
This functionality is just the start of our ABAC journey in Starburst Galaxy. We hope to add the following features soon:
- User-Based Attributes – A powerful use case for ABAC is dynamically driving policies based on a particular user’s attributes. Examples may include department, logged in location, IP address, or other custom attributes. Galaxy will leverage these attributes to drive policies, including row filter expressions.
- Fine-Grained Tagging Permissions – Currently to tag a data asset, you need a global permission which would allow you to tag any data asset. We’ll soon have the ability to delegate this specific functionality to data owners, so they can only tag their own assets.
In the meantime, try out Starburst Galaxy today or take the free, hands-on Starburst Academy course to learn more about RBAC and ABAC.
Try Starburst Galaxy today
The analytics platform for your data lake