Categories:

Table, View, & Sequence DDL

DESCRIBE MASKING POLICY

Describes the details about a masking policy, including the creation date, name, data type, and SQL expression.

DESCRIBE can be abbreviated to DESC.

See also:

Masking Policy DDL

Syntax

DESC[RIBE] MASKING POLICY <name>;

Parameters

name

Identifier for the masking policy; must be unique for your account.

The identifier value must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more details, see Identifier Requirements.

Access Control Requirements

A role used to execute this SQL command must have at least one of the following privileges:

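+----------------------+----------------+---------------------------------------------------------------+
| Privilege            | Object         | Notes                                                         |
+----------------------+----------------+---------------------------------------------------------------+
| APPLY MASKING POLICY | Account        |                                                               |
+----------------------+----------------+---------------------------------------------------------------+
| APPLY                | Masking policy |                                                               |
+----------------------+----------------+---------------------------------------------------------------+
| OWNERSHIP            | Masking policy | OWNERSHIP is a special privilege on an object that is         |
|                      |                | automatically granted to the role that created the object,    |
|                      |                | but can also be transferred using the GRANT OWNERSHIP command |
|                      |                | to a different role by the owning role (or any role with the  |
|                      |                | MANAGE GRANTS privilege).                                     |
+----------------------+----------------+---------------------------------------------------------------+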

Note that operating on any object in a schema also requires the USAGE privilege on the parent database and schema.

For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Access Control in Snowflake.

For additional details on masking policy DDL and privileges, see Managing Column-level Security.

Example

DESC MASKING POLICY ssn_mask;

+-----+------------+---------------+-------------------+-----------------------------------------------------------------------+
| Row | name       | signature     | return_type       | body                                                                  |
+-----+------------+---------------+-------------------+-----------------------------------------------------------------------+
| 1   | SSN_MASK   | (VAL VARCHAR) | VARCHAR(16777216) | case when current_role() in ('ANALYST') then val else '*********' end |
+-----+------------+---------------+-------------------+-----------------------------------------------------------------------+
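
The following is an added example, not part of the original reference page. It shows one way to give a review role the narrowest privilege from the table above and then inspect the policy body as a queryable result set. The role `policy_auditor`, the user `review_user`, and the database and schema `governance.policies` are hypothetical names; `ssn_mask` is the policy from the example above.

```sql
-- Added example; policy_auditor, review_user and governance.policies are hypothetical.

-- 1. As a role that can create roles and manage grants.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS policy_auditor;

-- USAGE on the parent database and schema is required to operate on
-- any object in the schema.
GRANT USAGE ON DATABASE governance TO ROLE policy_auditor;
GRANT USAGE ON SCHEMA governance.policies TO ROLE policy_auditor;

-- Policy-level APPLY scopes the grant to this one policy. The account-level
-- APPLY MASKING POLICY privilege and OWNERSHIP of the policy would also
-- satisfy the requirement, but both are broader.
GRANT APPLY ON MASKING POLICY governance.policies.ssn_mask TO ROLE policy_auditor;

GRANT ROLE policy_auditor TO USER review_user;

-- 2. As the reviewer: describe the policy.
USE ROLE policy_auditor;
USE SCHEMA governance.policies;
DESC MASKING POLICY ssn_mask;

-- 3. Read the DESC output as a table. This must be the next statement in
--    the same session, because LAST_QUERY_ID() refers to the DESC above.
--    The output column names are lowercase, so they must be double-quoted.
SELECT
    "name",
    "signature",
    "return_type",
    "body",
    -- Flag whether the masking decision depends on the active role,
    -- as it does in the ssn_mask body shown above.
    "body" ILIKE '%current_role()%' AS gates_on_current_role
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));
```

APPLY on a masking policy is not a read-only privilege: it also covers setting and unsetting the policy on columns, so grant it only to roles trusted with that.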