A data engineer discovers that sensitive PII data in a `customers` table is visible to all analysts in their workspace because a previous admin granted `SELECT` on the table to all users. The engineer needs to ensure that analysts can only see a masked version of the `ssn` column (showing only the last 4 digits), while the data team retains full access. Which Unity Catalog security feature implements this column-level masking dynamically based on the querying user''s group membership?

Question

Accepted Answer

B. A Unity Catalog column mask policy on the `ssn` column that checks group membership. Unity Catalog column masks allow administrators to attach a masking function to a specific column. The function can use `current_user()` or `is_account_group_member()` to conditionally return the full value for authorized users (data team) and a masked value (e.g., `CONCAT('***-**-', RIGHT(ssn, 4))`) for all others. This is the correct Unity Catalog feature for field-level security based on user group membership. Row-level security filters entire rows, not column values. Column mapping renames columns, not masks values. NOT NULL prevents nulls.

Related Questions

Discussion