Why is column-level security important for PII governance?

GDPR, CCPA, HIPAA, and other regulations require that personally identifiable information (PII) be accessible only to authorized personnel for legitimate purposes. Column-level security enforces PII access policies consistently at the query layer — analysts running SQL queries see masked or excluded PII columns automatically, without relying on them to apply their own filtering.

How does Dremio implement column masking?

Dremio implements column masking through Column Masking Policies — rules that define replacement values for specific column values based on the querying user's role. When a user without PII access queries a Virtual Dataset containing an email column with a masking policy, Dremio returns a masked email (e.g., 'u***@example.com') transparently — the user sees masked data without knowing the unmasked value.

Column-Level Security: The Definitive Guide for Data Lakehouse

Q: What is column-level security?

Column-level security is the access control capability that governs which users or roles can see specific columns in a table. It typically has two forms: column visibility (certain roles cannot see specific columns at all — the column is excluded from query results) and column masking (certain roles see masked values — SSN appears as '***-**-1234' instead of the full value).

What Is Column-Level Security?

Column-level security is the data access control capability that governs access to specific columns within a table — going beyond table-level RBAC (which controls whether a user can access the table at all) to control which specific data attributes a user can see within an authorized table. Column-level security is essential for protecting sensitive data categories — PII (personally identifiable information), financial data, healthcare data — while still enabling authorized analytics on the non-sensitive columns of the same tables.

Column-level security manifests in two forms in the lakehouse: column visibility (specific columns are completely hidden from unauthorized roles — they do not appear in SELECT * results or schema metadata) and column masking (specific columns return masked values for unauthorized roles — the column exists but returns a transformed value that protects the sensitive information while preserving referential utility).

Column Masking Policies in Dremio

Dremio implements column masking through policies applied to Virtual Datasets. A masking policy defines:

Target column: Which column to mask (e.g., email, ssn, credit_card_number)
Mask conditions: Which roles see masked vs unmasked values
Masking expression: The SQL expression that produces the masked value (e.g., CONCAT(LEFT(email, 2), '***@', SPLIT_PART(email, '@', 2)) produces 'jo***@example.com')

Masking is applied transparently at query execution time — the analyst's SQL query doesn't need to include masking logic; Dremio applies the masking policy automatically based on the querying user's role.

Column Masking Policy Architecture diagram — Figure 1: Column masking policies in Dremio — transparent PII masking based on user role at query time.

Row-Level Security

Closely related to column-level security is row-level security (RLS) — the ability to filter which rows a user sees based on their identity or role. In the lakehouse context:

A regional manager can only see orders from their region (WHERE region = user's assigned region)
A customer service agent can only see records for their assigned customer accounts
A country-specific compliance analyst can only see records where data_residency = their country

Row-level security is implemented in Dremio through VDS definitions that include role-based filters, in AWS Lake Formation through row filter policies, and in Unity Catalog through dynamic row filters. Combined with column masking, row-level security enables highly granular data access control — the right data, to the right people, with the right masking — across all engine queries.

Row Level Security and Column Masking diagram — Figure 2: Row-level security combined with column masking — the complete fine-grained access control model.

Summary

Column-level security is the fine-grained access control capability that enables enterprises to share data broadly for analytics while still protecting sensitive attributes from unauthorized access. By combining column masking (PII protected for unauthorized roles), column visibility restrictions (sensitive columns hidden entirely), and row-level filters (data scoped to authorized subsets), organizations achieve comprehensive data protection without sacrificing analytical utility. Dremio's implementation through VDS-level masking policies makes column-level security consistently enforced across all BI tools and engines that access the semantic layer — protecting sensitive data at the governance layer, not at the individual tool layer.

What Is Column-Level Security?

Column Masking Policies in Dremio

Row-Level Security

Summary

Related Concepts

Go Deeper — Recommended Resources