ATTACH MASKING POLICY - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

ATTACH MASKING POLICY

Attaches an existing dynamic data masking policy to a column. For more information on dynamic data masking, see Dynamic data masking.

Superusers and users or roles that have the sys:secadmin role can attach a masking policy.

Syntax

ATTACH MASKING POLICY policy_name ON { relation_name } ( {output_columns_names | output_path} ) [ USING ( {input_column_names | input_path )} ] TO { user_name | ROLE role_name | PUBLIC } [ PRIORITY priority ];

Parameters

policy_name

The name of the masking policy to attach.

relation_name

The name of the relation to attach the masking policy to.

output_column_names

The names of the columns that the masking policy will apply to.

output_paths

The full path of the SUPER object that the masking policy will apply to, including the column name. For example, for a relation with a SUPER type column named person, output_path might be person.name.first_name.

input_column_names

The names of the columns that the masking policy will take as input. This parameter is optional. If not specified, the masking policy uses output_column_names as inputs.

input_paths

The full path of the SUPER object that the masking policy will take as input. This parameter is optional. If not specified, the masking policy uses output_path for inputs.

user_name

The name of the user to whom the masking policy will attach. You can't attach two policies to the same combination of user and column or role and column. You can attach a policy to a user and another policy to the user's role. In this case, the policy with the higher priority applies.

You can only set one of user_name, role_name, and PUBLIC in a single ATTACH MASKING POLICY command.

role_name

The name of the role to which the masking policy will attach. You can't attach two policies to the same column/role pair. You can attach a policy to a user and another policy to the user's role. In this case, the policy with the higher priority applies.

You can only set one of user_name, role_name, and PUBLIC in a single ATTACH MASKING POLICY command.

PUBLIC

Attaches the masking policy to all users accessing the table. You must give other masking policies attached to specific column/user or column/role pairs a higher priority than the PUBLIC policy for them to apply.

You can only set one of user_name, role_name, and PUBLIC in a single ATTACH MASKING POLICY command.

priority

The priority of the masking policy. When multiple masking policies apply to a given user's query, the highest priority policy applies.

You can't attach two different policies to the same column with equal priority, even if the two policies are attached to different users or roles. You can attach the same policy multiple times to the same set of table, output column, input column, and priority parameters, as long as the user or role the policy attaches to is different each time.

You can't apply a policy to a column with the same priority as another policy attached to that column, even if they're for different roles. This field is optional. If you don't specify a priority, the masking policy defaults to attaching with a priority of 0.