Data Governance: Classification, Tagging & Data Quality
Master Snowflake data governance with object tagging, classification, and data quality monitoring.
20+ years shipping high-throughput database systems. Drawn from code that ran under real load.
- ✓Basic SQL knowledge (SELECT, ALTER, CREATE)
- ✓Access to a Snowflake account with ACCOUNTADMIN or equivalent privileges
- ✓Understanding of Snowflake roles and warehouses
- Use object tagging to attach metadata (e.g., PII, sensitivity) to columns, tables, and views.
- Leverage System $TAG_REFERENCES and TAG_REFERENCE_ALL_COLUMNS functions to query tags.
- Automate classification with stored procedures that scan column names and data patterns.
- Monitor data quality with custom metrics and alerts using Snowflake tasks and alerts.
- Enforce governance via tag-based masking policies and row access policies.
Think of Snowflake data governance like a library. Tags are color-coded stickers on books (columns) that say 'Confidential' or 'Public'. Classification is the librarian sorting books into sections. Data quality is checking that no pages are missing. Together, they keep the library organized and trustworthy.
In today's data-driven world, organizations collect vast amounts of data, but without proper governance, that data can become a liability. Snowflake's data governance features—object tagging, classification, and data quality monitoring—provide a robust framework to manage metadata, enforce policies, and ensure data trustworthiness. This tutorial dives deep into practical implementation, from tagging sensitive columns to automating classification and monitoring data quality. You'll learn how to use Snowflake's system functions, create dynamic masking policies based on tags, and set up alerts for data anomalies. By the end, you'll be equipped to build a production-ready governance layer that scales with your data warehouse.
Understanding Snowflake Object Tagging
Object tagging in Snowflake allows you to assign key-value pairs to database objects like columns, tables, views, and schemas. Tags are metadata that can be used for governance, cost tracking, and security. For example, you can tag a column with 'sensitive = true' or 'pii = email'. Tags are stored in the Snowflake metadata layer and can be queried using system functions. To create a tag, use CREATE TAG. To apply a tag, use ALTER ... SET TAG. Tags support inheritance: if you tag a schema, all objects in that schema inherit the tag unless overridden. This is powerful for applying policies at scale. However, inheritance is not automatic for all operations; you must explicitly set tags on new objects or rely on classification procedures.
Automated Data Classification with Stored Procedures
Manual tagging doesn't scale. Automate classification using a stored procedure that scans column names and sample data to apply tags. For example, columns named 'email', 'ssn', or containing patterns like '@' can be tagged as PII. Use Snowflake's JavaScript stored procedures to iterate over tables and columns. The procedure can query INFORMATION_SCHEMA.COLUMNS and apply tags using ALTER TABLE ... SET TAG. Schedule it with a task to run daily. This ensures new columns are classified promptly. You can also use Snowflake's built-in classification function (SYSTEM$CLASSIFY) but it's limited; custom procedures give more control.
Enforcing Governance with Tag-Based Masking Policies
Masking policies in Snowflake can be attached to tags, not just columns. This allows dynamic masking based on tag values. For example, create a masking policy that masks columns tagged with 'sensitivity_level = high' for non-privileged roles. To attach a policy to a tag, use ALTER TAG ... SET MASKING POLICY. When a column has that tag, the policy automatically applies. This decouples policy from specific columns, making governance scalable. You can also use conditional masking based on the tag value. For instance, mask 'high' columns fully, 'medium' partially, and 'low' not at all.
Data Quality Monitoring with Alerts and Tasks
Data quality is crucial for trust. Snowflake provides alerts (CREATE ALERT) that can monitor conditions like NULL rates, value ranges, or freshness. For example, alert if the 'order_amount' column has NULLs more than 1% of rows. Use tasks to compute quality metrics and store them in a table, then set alerts on that table. You can also use Snowflake's built-in data quality functions like COUNT, AVG, and STDDEV. Alerts can send notifications via email or webhook. This proactive monitoring catches issues before they affect downstream consumers.
Auditing Tag Coverage and Compliance
Regular audits ensure governance policies are followed. Use Snowflake's TAG_REFERENCE_ALL_COLUMNS function to list all columns and their tags. Compare against a baseline of expected tags. You can also use INFORMATION_SCHEMA.TAG_REFERENCES to check specific objects. Create a dashboard or report that shows untagged columns, especially in critical schemas. Automate this with a task that generates a report and sends it via email. Compliance requirements like GDPR or HIPAA often mandate tagging of sensitive data, so audits are essential.
Integrating with Row Access Policies
Tags can also drive row-level security via row access policies. For example, if a table has a tag 'region' on a column, you can create a row access policy that filters rows based on the user's region. Combine with mapping tables to map tags to access privileges. This allows fine-grained access control without modifying queries. Row access policies are attached to tables, and they can reference tag values indirectly through context functions or mapping tables.
Best Practices and Governance Workflow
Implementing data governance in Snowflake requires a structured workflow: 1) Define tag taxonomy (e.g., sensitivity, data domain, retention). 2) Automate classification with stored procedures. 3) Enforce policies via tag-based masking and row access. 4) Monitor data quality with alerts. 5) Audit regularly. Use Snowflake's built-in governance features like Access History and Query Profile to track usage. Document your tagging conventions and train your team. Consider using a data catalog tool for broader governance. Remember that governance is an ongoing process, not a one-time setup.
The PII Leak That Wasn't Caught by Tags
- Always tag new columns immediately; automate with a classification procedure.
- Use tag-based masking policies so that untagged columns are not automatically exposed.
- Set up alerts for untagged columns to catch governance gaps early.
- Regularly audit tag coverage with system functions like TAG_REFERENCE_ALL_COLUMNS.
- Include tag validation in your CI/CD pipeline for schema changes.
SELECT SYSTEM$TAG_REFERENCE('DB.SCHEMA.TABLE', 'COLUMN');SHOW TAGS;| File | Command / Code | Purpose |
|---|---|---|
| tag_creation.sql | CREATE TAG IF NOT EXISTS sensitivity_level | Understanding Snowflake Object Tagging |
| classification_procedure.sql | CREATE OR REPLACE PROCEDURE classify_columns() | Automated Data Classification with Stored Procedures |
| tag_based_masking.sql | CREATE OR REPLACE MASKING POLICY mask_high AS (val VARCHAR) RETURNS VARCHAR -> | Enforcing Governance with Tag-Based Masking Policies |
| data_quality_alert.sql | CREATE TABLE quality_metrics ( | Data Quality Monitoring with Alerts and Tasks |
| audit_tag_coverage.sql | SELECT TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME | Auditing Tag Coverage and Compliance |
| row_access_with_tags.sql | CREATE TABLE region_access ( | Integrating with Row Access Policies |
| governance_workflow.sql | CREATE OR REPLACE VIEW governance_dashboard AS | Best Practices and Governance Workflow |
Key takeaways
Common mistakes to avoid
3 patternsApplying tags directly to columns without using ALLOWED_VALUES
Attaching masking policies to tags but forgetting to set the tag on new columns
Using the same tag for multiple purposes (e.g., sensitivity and data domain)
Interview Questions on This Topic
What is the difference between a tag and a label in Snowflake?
Frequently Asked Questions
20+ years shipping high-throughput database systems. Drawn from code that ran under real load.
That's Snowflake. Mark it forged?
3 min read · try the examples if you haven't