This is a deprecated version of the SnowConvert documentation, please visit the official site HERE.
Severity
Low
Description
This EWI is added when SnowConvert finds a masked column inside a CREATE TABLE statement. This functionality doesn't work by adding the option in the column declaration. Manual efford is needed in order to have the same behavour as SQL Server.
Code Example
Input Code:
CREATE TABLE TABLE1( [COL1] nvarchar MASKED WITH (FUNCTION ='default()') NULL, [COL2] varchar(100) MASKED WITH (FUNCTION ='partial(1, "xxxxx", 1)') NULL, [COL3] varchar(100) MASKED WITH (FUNCTION ='email()') NOT NULL, [COL4] smallint MASKED WITH (FUNCTION ='random(1, 100)') NULL);
Output Code:
CREATE OR REPLACE TABLE PUBLIC.TABLE1(COL1 VARCHAR-- ** MSC-WARNING - MSCEWI4016 - COLUMN MASKING NOT SUPPORTED IN CREATE TABLE **-- MASKED WITH (FUNCTION = 'default()')NULL,COL2 VARCHAR(100)-- ** MSC-WARNING - MSCEWI4016 - COLUMN MASKING NOT SUPPORTED IN CREATE TABLE **-- MASKED WITH (FUNCTION = 'partial(1, "xxxxx", 1)')NULL,COL3 VARCHAR(100)-- ** MSC-WARNING - MSCEWI4016 - COLUMN MASKING NOT SUPPORTED IN CREATE TABLE **-- MASKED WITH (FUNCTION = 'email()') NOT NULL,COL4 SMALLINT-- ** MSC-WARNING - MSCEWI4016 - COLUMN MASKING NOT SUPPORTED IN CREATE TABLE **-- MASKED WITH (FUNCTION = 'random(1, 100)')NULL);
Recommendations
SnowConvert is not generating MASKING POLICIES in the current version, so they have to be created manually. For example:
The first step is to create a masking policy administrator role.
createrole masking_admin;
The second one is to grant the necessary privileges to the created role.
grantcreate masking policyonschema PUBLIC torole masking_admin;allow table_owner roletosetor unset the ssn_mask masking policy-- (optional)grantapplyon masking policy ssn_mask torole table_owner;
The next step is to create the masking policy functions.
-- default maskcreateorreplace masking policy default_mask as (val string) returns string ->casewhen current_role() in ('ANALYST') then valelse'xxxx'end;-- partial maskcreateorreplace masking policy partial_mask as (val string) returns string ->casewhen current_role() in ('ANALYST') then valelse LEFT(val,1) ||'xxxxx'|| RIGHT(val,1)end;-- email maskcreateorreplace masking policy email_mask as (val string) returns string ->casewhen current_role() in ('ANALYST') then valelse LEFT(val,1) ||'XXX@XXX.com'end;-- random maskcreateorreplace masking policy random_mask as (val smallint) returnssmallint->casewhen current_role() in ('ANALYST') then valelse UNIFORM(1,100,RANDOM())::SMALLINTend;
For sample purposes, we are taking some examples of masking functions in SQL Server, and manually translating it into its equivalent in Snowflake.
The final step is to add the masking policy to the column that originally had the masking option in SQL Server.
altertableifexists TABLE1 modify column COL1 set masking policy default_mask;altertableifexists TABLE1 modify column COL2 set masking policy partial_mask;altertableifexists TABLE1 modify column COL3 set masking policy email_mask;altertableifexists TABLE1 modify column COL4 set masking policy random_mask;
