Use Null by Default in Masking Else Condition

This property determines how the Snowflake connector generates the ELSE clause in masking policy functions when no policy condition is met. You can configure it to return either NULL or the original column value for unmapped or non-matching cases.

Overview

When a masking policy is applied to a column in Snowflake, the generated masking function uses a CASE expression. The ELSE branch defines the value returned when none of the policy conditions are met (for example, when the user has no matching access or when no condition evaluates to true).

  • ELSE NULL END — Returns NULL when no condition matches. This is useful when you want unauthorized or non-matching cases to return no data.
  • ELSE val0 END — Returns the original column value (val0) when no condition matches. This preserves the original value when no policy condition applies (default and previous behavior).

Property Summary

Attribute  | Value
Default    | false
When true  | Masking function uses else null end in the generated CASE expression.
When false | Masking function uses else val0 end (original column value).

When to Use

  • Set to true when you want a strict default: if no masking condition matches, the value should be hidden (returned as NULL).
  • Leave as false (default) when you want to preserve the original value when no masking condition matches, maintaining backward compatibility with existing deployments.
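
The two ELSE forms side by side, as an added illustration (not the connector's generated output and not Privacera's code): the policy names, role names and SHA2 mask are assumptions, and only val0 and the two ELSE forms come from this page. The final query is one way to list policies that still fall through to the original value after the property is changed.

```sql
-- Constructed example: policy names, role names and the SHA2 mask are assumptions.
-- Only the argument name val0 and the two ELSE forms are taken from this page.

-- Property = false (default): a role matching no WHEN branch reads the original value.
CREATE OR REPLACE MASKING POLICY demo_email_mask_else_val0
  AS (val0 STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_ADMIN') THEN val0
    WHEN CURRENT_ROLE() IN ('ANALYST')   THEN SHA2(val0)
    ELSE val0
  END;

-- Property = true: a role matching no WHEN branch reads NULL.
CREATE OR REPLACE MASKING POLICY demo_email_mask_else_null
  AS (val0 STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_ADMIN') THEN val0
    WHEN CURRENT_ROLE() IN ('ANALYST')   THEN SHA2(val0)
    ELSE NULL
  END;

-- Check after changing the property: list live policies whose body still
-- ends the CASE with the original value. Assumes the body contains the
-- literal "else val0 end" form (any case, any whitespace).
SELECT policy_catalog, policy_schema, policy_name, last_altered
FROM snowflake.account_usage.masking_policies
WHERE deleted IS NULL
  AND REGEXP_LIKE(policy_body, '.*else\\s+val0\\s+end.*', 'is')
ORDER BY last_altered DESC;
```

ACCOUNT_USAGE views are populated with some latency, so a policy regenerated moments ago may not show its new body yet.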

Configuration

  1. Navigate to Settings > Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Snowflake.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under Add New Custom Properties, add the following property:

    To use NULL when no condition matches:

    Bash
    ranger.policysync.connector.0.use.null.by.default.in.masking.else.condition=true
    

    To use the original column value (default behavior):

    Bash
    ranger.policysync.connector.0.use.null.by.default.in.masking.else.condition=false
    

  5. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml
    
  3. Add or update the following property:

    To use NULL when no condition matches:

    YAML
    CONNECTOR_SNOWFLAKE_USE_NULL_BY_DEFAULT_IN_MASKING_ELSE_CONDITION: "true"
    

    To use the original column value (default):

    YAML
    CONNECTOR_SNOWFLAKE_USE_NULL_BY_DEFAULT_IN_MASKING_ELSE_CONDITION: "false"
    

  4. Once the property is configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In the PrivaceraCloud portal, navigate to Settings > Applications.

  2. On the Connected Applications screen, select Snowflake.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under Add New Custom Properties, add the following property:

    To use NULL when no condition matches:

    Bash
    ranger.policysync.connector.0.use.null.by.default.in.masking.else.condition=true
    

    To use the original column value (default behavior):

    Bash
    ranger.policysync.connector.0.use.null.by.default.in.masking.else.condition=false
    

  5. Click SAVE to apply the changes.