🎭 Unity Catalog Authorization

Column Masks

How Unity Catalog automatically transforms sensitive column values based on who's viewing them.

1. Sensitive Data Exists

The customers table contains Social Security numbers (SSNs), highly sensitive PII that not everyone should see.

Raw values: 123-45-6789, 987-65-4321, etc.

2. Column Mask Defined

A mask function is applied to the SSN column:

CASE WHEN is_member('admins') THEN VALUE ELSE '***-**-' || SUBSTR(VALUE, -4) END

3. Analyst Queries

Sarah (Analyst) runs: SELECT name, ssn FROM customers

She's in the analysts group, but NOT in admins.

4. Mask Applied Automatically

UC evaluates is_member('admins') → FALSE for Sarah.

Sarah sees: ***-**-6789 — the last 4 digits only.

5. Admin Sees Full Value

Dave (Admin) runs the exact same query.

UC evaluates is_member('admins') → TRUE for Dave. He sees: 123-45-6789
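The flow in steps 1 to 5, written out as Databricks SQL. This is an added example, not code from the original page: the table, column, function and group names come from the page, while the column types, the sample rows and the SSN format check are assumptions.

```sql
-- Added example. Names (customers, ssn, mask_ssn, admins) are from the page;
-- column types, sample rows and the format check are assumptions.

-- Step 1: table holding the sensitive column (constructed sample rows).
CREATE TABLE customers (name STRING, ssn STRING);
INSERT INTO customers VALUES
  ('John', '123-45-6789'),
  ('Jane', '987-65-4321'),
  ('Bob',  '456-78-9012');

-- Step 2: the mask is a SQL UDF whose first parameter receives the column value.
-- Unlike the page's one-line expression, values that do not match the
-- NNN-NN-NNNN shape are fully masked, so a short or malformed entry
-- (for example a 4-character string) is never returned whole by SUBSTR(..., -4).
CREATE OR REPLACE FUNCTION mask_ssn(ssn STRING)
RETURNS STRING
RETURN CASE
  WHEN is_member('admins') THEN ssn
  WHEN ssn IS NULL THEN NULL
  WHEN ssn RLIKE '^[0-9]{3}-[0-9]{2}-[0-9]{4}$' THEN '***-**-' || SUBSTR(ssn, -4)
  ELSE '***-**-****'
END;

-- Bind the function to the column; from here on every read goes through it.
ALTER TABLE customers ALTER COLUMN ssn SET MASK mask_ssn;

-- Steps 3-5: the identical query is run by every caller. Callers outside
-- the admins group take a masked branch; members of admins take the first branch.
SELECT name, ssn FROM customers;

-- Check which branch the current session takes before trusting a result.
SELECT current_user() AS caller, is_member('admins') AS sees_raw_ssn;

-- Removing the mask exposes raw values to all readers with SELECT,
-- so treat this statement as a reviewed change.
-- ALTER TABLE customers ALTER COLUMN ssn DROP MASK;
```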

Diagram: customers table (contains SSN) → column mask mask_ssn() → Sarah (group: analysts) and Dave (group: admins)

Name   SSN Column (Raw)   Sarah's View (Masked)
John   123-45-6789        ***-**-6789
Jane   987-65-4321        ***-**-4321
Bob    456-78-9012        ***-**-9012

Key Takeaways

🎭 Value Transformation

Column masks transform values; they do not hide rows. Users still see the row, just with masked values.

👥 Group-Based Logic

The is_member() function checks group membership to decide masking behavior.

🔐 PII/PHI Protection

Ideal for SSNs, credit card numbers, and health records: show partial information for verification.

⚡ Same Query, Different View

Users run identical queries but see different values based on their groups.
