List masking policies configured in your ALTR organization.

Returns each policy's tag, policy ID, and current rule count. Use the policy_id from results when calling add_rules, get_rules, or delete_policy.

Masking levels reference:

• 10000: No mask (show raw value)

• 10001: Full mask (replace with * matching data length)

• 10002: Email mask (show domain only)

• 10003: Show last four

• 10004: Constant mask (1 for numbers,

  • for strings, 1/1/2000 for dates)

• 10005: Null (replace with NULL)

• 10006: Full mask hash (replace with hashed value)

• 10007: Email hash (show domain, hash local part)

• 10008: Show last four hash (hash prefix, show last 4)

• 10009: Constant date (replace with 12/31/9999)

View all masking rules configured for a specific policy.

Shows which roles have what masking levels for which tag values.

Masking levels reference:

• 10000: No mask (show raw value)

• 10001: Full mask (replace with * matching data length)

• 10002: Email mask (show domain only)

• 10003: Show last four

• 10004: Constant mask (1 for numbers,

  • for strings, 1/1/2000 for dates)

• 10005: Null (replace with NULL)

• 10006: Full mask hash (replace with hashed value)

• 10007: Email hash (show domain, hash local part)

• 10008: Show last four hash (hash prefix, show last 4)

• 10009: Constant date (replace with 12/31/9999)

Create an empty masking policy for a specific tag.

Creates a masking policy that controls how data tagged with the specified tag is masked. Until you add rules with add_rules, all users will see NULL for tagged columns.

Each tag can only have one policy — check get_policies first to avoid conflicts.

After creating a policy, use add_rules to define masking behavior.

PLATFORM DIFFERENCES — TAG HANDLING:

Snowflake and Databricks tags are FUNDAMENTALLY DIFFERENT in ALTR:

• A Snowflake tag is a connected ALTR object — it has been registered with connect_tag, owns a tag_group_id, a masking configuration, and shows up in get_tags. You reference it here by its UPPERCASE name.

• A Databricks tag is NOT an ALTR object — it is just a raw string referenced at policy-creation time. There is no connect_tag step, no tag_group_id, and it will never appear in get_tags. The string you pass here is what gets stored on the policy.

Snowflake: The tag param must be the UPPERCASE tag name as returned by get_tags. The tag MUST already be connected to ALTR via connect_tag before creating a policy. Do NOT pass database_ids for Snowflake — the API will reject it.

Databricks: The tag param is any raw tag name string (e.g., "pac_access_level") — case-insensitive, no connection step required. Do NOT call connect_tag and do NOT look the tag up in get_tags; Databricks tags will not be there. You MUST set policy_type to "PUSHDOWN" — the API rejects "TAG" for Databricks metastores. You MUST also pass database_ids as a list of ALTR database IDs for the target Databricks metastore(s) (from get_databases). database_ids is required for Databricks, and it is ALWAYS a list — even when targeting a single database, wrap the ID in a list (e.g., database_ids=[2167], not database_ids=2167). Omitting database_ids will be rejected by the API.

Available masking levels:

• 10000: No mask (show raw value)

• 10001: Full mask (replace with * matching data length)

• 10002: Email mask (show domain only)

• 10003: Show last four

• 10004: Constant mask (1 for numbers,

  • for strings, 1/1/2000 for dates)

• 10005: Null (replace with NULL)

• 10006: Full mask hash (replace with hashed value)

• 10007: Email hash (show domain, hash local part)

• 10008: Show last four hash (hash prefix, show last 4)

• 10009: Constant date (replace with 12/31/9999)

Add one or more masking rules to a policy in a single batch request.

Each rule specifies: which role, which tag value, and what masking level they should see. A policy must already exist for the tag (see create_policy). Accepts up to 99 rules per batch; if more than 99 are provided they are automatically split into multiple batches.

Each rule in the list must be a dict with these keys:

• masking_policy: int — masking level (10000-10009)

• role: str — target user group / role name from get_roles

• tag_value: str — exact tag value this rule applies to (case-sensitive)

Delete a masking policy and all its rules.

Use with caution - this removes all masking rules associated with the policy. Consider reviewing rules with get_rules first to understand what will be deleted.

Update an existing masking rule's properties without deleting and recreating it.

Only the fields you provide will be updated; omitted fields remain unchanged. Use get_rules first to find the rule_id and see current values.

Masking levels reference:

• 10000: No mask (show raw value)

• 10001: Full mask (replace with * matching data length)

• 10002: Email mask (show domain only)

• 10003: Show last four

• 10004: Constant mask (1 for numbers,

  • for strings, 1/1/2000 for dates)

• 10005: Null (replace with NULL)

• 10006: Full mask hash (replace with hashed value)

• 10007: Email hash (show domain, hash local part)

• 10008: Show last four hash (hash prefix, show last 4)

• 10009: Constant date (replace with 12/31/9999)

Remove a specific masking rule from a policy.

Allows fine-grained removal of individual rules without deleting the entire policy. Use get_rules first to identify the rule_id you want to remove.

List all ALTR roles (user groups) available in your organization.

Role names are used in add_rules to define which user groups see what level of data masking.

List all Snowflake tags connected to ALTR (available for use in policies).

SNOWFLAKE ONLY. Databricks tags are NOT first-class objects in ALTR — they are raw string references used at policy-creation time only — so they will never appear in this list. Do not call get_tags to discover Databricks tags; pass the raw tag name directly to create_policy instead.

For Snowflake, only tags that have been connected to ALTR via connect_tag appear here. Tags created in Snowflake but never connected will not be listed and cannot be used in a policy.

Delete a connected Snowflake tag from ALTR.

SNOWFLAKE ONLY. Databricks tags are not ALTR objects (they are raw strings referenced at policy-creation time), so there is nothing to delete here for Databricks — to stop masking a Databricks column tag, remove the policy with delete_policy instead.

All policies on the tag must be removed first, or the deletion will fail.

List all allowed values configured for a specific tag.

SNOWFLAKE ONLY. Databricks tags are raw strings, not ALTR-managed objects, so they have no stored allowed-values list here — use whatever tag values exist in the Databricks catalog directly.

These values are referenced when creating masking rules with add_rules.

Get full details for a specific connected tag by its group ID.

SNOWFLAKE ONLY. tag_group_id only exists for connected Snowflake tags; Databricks tags are raw strings and have no group ID.

Returns masking configuration, status, database info, and timestamps. Use get_tags first to find the tag_group_id.

Get full details for a specific tag masking by database, tag, and schema.

SNOWFLAKE ONLY. Databricks tags are not stored as ALTR objects, so they have no detail record to fetch.

Returns masking configuration, status, and timestamps. Use when you know the exact database/schema/tag but not the tag_group_id.

Update an existing tag connection's masking configuration.

SNOWFLAKE ONLY. Databricks tags are not ALTR-managed objects, so there is no Databricks tag configuration to update — change Databricks masking by editing the policy or its rules instead.

Use get_tags to find the tag_group_id of the tag you want to update. To connect a new tag, use connect_tag instead.

Delete a tag masking by database, schema, and tag name.

SNOWFLAKE ONLY. Databricks tags are not ALTR objects; to stop masking a Databricks column, delete the policy with delete_policy instead.

Alternative to delete_tag when you don't have the tag_group_id but know the database/schema/tag details.

Connect a Snowflake tag to ALTR so it can be used in masking policies.

SNOWFLAKE ONLY — do NOT use for Databricks. There is no Databricks equivalent of this tool: Databricks tags are not stored as ALTR objects, they are just raw strings referenced at policy-creation time. Skip connect_tag entirely for Databricks and pass the raw tag name string directly to create_policy.

For Snowflake, this call registers an existing Snowflake tag as a first-class ALTR tag object — it gets a tag_group_id, masking configuration, etc. The tag must already exist in Snowflake. Once connected, it appears in get_tags, can be inspected with get_tag_details*, edited with update_tag, and used in create_policy.

The tool automatically resolves the friendly name to the actual Snowflake database name for the API call.

List all available data classifiers (pattern-based detectors) in ALTR.

Classifiers automatically detect sensitive data types like SSNs, emails, and phone numbers. Includes both ALTR-managed and custom classifiers.

Create a custom data classifier for detecting specific data patterns.

Use when ALTR's built-in classifiers don't cover your data types. Custom classifiers can be added to collections and used in classification jobs.

Remove a custom classifier you created.

Cannot delete ALTR managed classifiers. Only use for classifiers you created with create_classifier.

List classifier collections (groups of classifiers used for classification jobs).

A collection is required when creating a classification job with create_job. Check for existing collections (e.g., "ALTR Managed") before creating new ones.

Create a classifier collection to use for automated data discovery.

Collections group classifiers together for classification jobs. After creating a collection, you can run a classification job to automatically scan your database columns and identify which contain sensitive data patterns.

Typical workflow: Create a collection (or use existing "ALTR Managed"), then use it in create_job to scan your database. Review results with get_classification_report to see which columns were detected.

Delete a classifier collection.

Cannot delete collections that are in use by active or recent jobs. Only delete collections you created that are no longer needed.

Add classifiers to an existing collection.

All classifiers must already exist and not already be in the collection. ALTR managed collections cannot have classifiers appended.

Remove classifiers from a collection.

Check the status of classification jobs you've run.

Classification jobs run asynchronously and can take 10-30+ minutes to complete depending on your database size. Use this to check if a job has finished after waiting an appropriate amount of time.

Once a job shows status COMPLETED, you can fetch its detailed report with get_classification_report. If status is still RUNNING, wait longer before checking again.

Typical workflow: After creating a job with create_job, wait 15-30+ minutes, then use this function to check status. When status is COMPLETED, use the job_id with get_classification_report to view results.

Run an automated classification scan to discover sensitive data in your database.

Scans database columns using classifiers in the specified collection to identify columns containing PII, financial data, etc.

Classification jobs run asynchronously and can take 10-30+ minutes depending on database size. After creating a job, use get_jobs to poll for completion, then get_classification_report to view results.

Control a running classification job (pause, cancel, or resume).

Use to manage long-running classification jobs. Status options: PAUSED, CANCELLED, or RUNNING.

Run a GDLP classification scan on a Databricks database.

Scans the Databricks catalog to identify sensitive data columns using ALTR's built-in GDLP classifiers. Runs asynchronously — after creating the job, use get_jobs to poll for completion, then get_classification_report to view results.

Get detailed results from a completed classification job.

Returns which columns were detected as containing sensitive data along with confidence scores. Only call after the job status is COMPLETED (verify with get_jobs).

After reviewing results, check if the needed Snowflake tags exist using get_tags. If tags are missing, they must be created in Snowflake first before connecting with connect_tag.

Discover which Snowflake databases are connected to ALTR.

Returns connection metadata including database names and IDs. Use get_database_id to get the numeric ID required for classification jobs.

Get the ALTR database ID for a database name.

Required before creating classification jobs. The database ID is a numeric identifier that ALTR uses internally to reference your Snowflake database.

Typical workflow: After identifying your database with get_databases, call this to get the ID needed for create_job.

List Snowflake service users available for database connections.

Returns service user IDs needed for create_database when using keypair authentication (the recommended approach for Snowflake).

Connect a new data source to the ALTR platform.

Supports two authentication modes:

1. Service user (keypair auth — recommended for Snowflake): Provide service_user_id from get_service_users. No password, hostname, or port needed.

2. Password auth: Provide database_username, database_password, hostname, and database_port.

After creation, use get_databases to confirm the connection.

Connect a Databricks workspace to the ALTR platform.

Supports two authentication modes:

1. Service user (token auth — recommended): Provide service_user_id from get_service_users.

2. Password auth: Provide database_username and database_password.

After creation, use get_databases to confirm the connection.

Update a database connection's properties.

Only the fields you provide will be updated; omitted fields remain unchanged.

Trigger a database status sync.

Sets the database to "in progress" until the status check completes. Use get_databases afterward to see the updated status.

Disconnect and remove a database from ALTR.

Permanently removes the database connection. This does not affect the actual database — only the ALTR connection to it.

Create an access management policy for a Snowflake datasource.

Defines which roles can access which databases, schemas, or tables with read or write permissions. Policies are enforced by ALTR and checked on a schedule.

Each rule in the list must contain:

• actors: list of dicts with 'type' ("role"), 'condition' ("equals"|"starts_with"|"ends_with"), and 'identifiers' (list of str).

• objects: list of dicts with 'type' ("database"|"schema"|"table"), 'condition' ("equals"|"starts_with"|"ends_with"| "fully_qualified"), and 'identifiers' (list of str) or 'fully_qualified_identifiers' (list of dicts with database/schema/table/view keys).

• access: list of dicts with 'name' ("read"|"write").

Optionally, rules may include 'tagged_objects' for tag-based targeting:

• tagged_objects: list of dicts with 'check_against' (list of "databases"|"schemas"|"tables"|"views"), 'tagged_with' (list of dicts with database/schema/name/value keys), and 'tag_condition' ("or"|"and").

Create an access management policy for an OLTP datasource.

Each rule in the list must contain:

• type: "read"

• actors: list of dicts with 'type' ("idp_user"|"idp_group"), 'condition' ("equals"), and 'identifiers' (list of str).

• objects: list of dicts with 'type' ("column") and 'identifiers' (list of dicts with database/schema/table/column keys, each having 'name' (str) and 'wildcard' (bool)).

Update an existing Snowflake access management policy.

Replaces the policy's name, description, and rules. See create_snowflake_access_policy for the rule format.

Trigger a manual compliance check for a grant/access management policy.

Runs the policy check immediately instead of waiting for the next scheduled run.

Create a new access request for data access approval.

Submits a request that must be approved before access is granted. Use get_access_requests to check status after creation.

Each rule follows the same format as access management policy rules:

• actors: list with 'type' ("role"), 'condition', and 'identifiers'.

• objects: list with 'type' ("database"|"schema"|"table"|"view"), 'condition', and 'identifiers' or 'fully_qualified_identifiers'.

• access: list with 'name' ("read"|"write").

List access requests in your ALTR organization.

Get details for a specific access request.

Approve a pending access request.

Deny a pending access request.

Cancel an access request you created.

List running instances for a specific ALTR agent.

Get details for a specific agent instance.

Delete an agent instance.

Get task telemetry for a specific agent.

Returns task status, messages, and metadata for tasks assigned to this agent.

List running instances for a specific sidecar.

Get details for a specific sidecar instance.

Delete a sidecar instance.

Get telemetry for a specific task by its ID.

Delete telemetry for a specific task.

Search sidecar query audits with filters.

Triggers an async search and returns a search_uuid (valid 30 days). Use get_audit_results with the search_uuid to retrieve results. All filters are combined with AND logic.

Get results from a previously triggered audit search.

Results may not be immediately available — a 202 response means the search is still processing. Retry after a short wait.

Search ALTR platform system audits.

Starts an async query against system audit logs. Returns a token to retrieve results with get_system_audit_results. If wait is set, the API may return results directly (200) or a token for later retrieval (202).

The from and to time range may be at most one week.

Get results from a system audit query.

Use the token returned by search_system_audits. If the response has moreData: true, use the new token to fetch the next page.

Search Snowflake query audits (tag and column masking).

Triggers an async search and returns a search_uuid (valid 30 days). Use get_query_audit_results with the search_uuid to retrieve results. All filters are combined with AND logic.

Use this for Snowflake tag-based or column-based masking audits. For sidecar proxy audits, use search_audits instead.

Get results from a previously triggered query audit search.

Results may not be immediately available — a 202 response means the search is still processing. Retry after a short wait.

Use this to retrieve results from search_query_audits. For sidecar audit results, use get_audit_results instead.

List audit report definitions.

Returns paginated definitions ordered by creation time descending. Use cursor to page through results.

Create a new audit report definition.

Defines what data is included, how it is scheduled, and where it is delivered. After creating, use trigger_report_definition to generate a report on demand.

Get a single audit report definition by ID.

Update an existing audit report definition (full replacement).

Replaces the definition's configuration entirely. All fields that should be preserved must be included.

Archive (soft-delete) an audit report definition.

Archived definitions are hidden from normal listings but can be restored with restore_report_definition.

Restore an archived audit report definition.

Trigger an on-demand audit report for a definition.

Generates a report instance immediately outside of the normal schedule. Rate-limited to one trigger per definition per 5 minutes.

List report instances for a given definition.

Each instance represents one generated report. Instances are returned newest-first.

Get a single report instance by ID.

Get a download URL for a report instance.

Returns a pre-signed URL to download the report file.

List comments on a report instance.

Pinned comments appear first, followed by the rest in chronological order.

Add a comment to a report instance.

Pin a comment on a report instance.

Only one comment per instance can be pinned at a time. Pinning is allowed after the instance has been signed off.

Unpin the currently pinned comment on a report instance.

Get the current user's sign-off for a report instance.

Returns null/empty if the current user has not yet signed off.

Sign off on a report instance.

Records the current user's approval of the report. After signing off, comments can be pinned on the instance.

List all sign-offs for a report instance.

Returns sign-offs from all users who have reviewed the instance.

List ALTR agents (SIS or CLASSIFIER) in your organization.

Create a new ALTR agent.

Get details for a specific agent.

Update an existing agent. Only provided fields are changed.

Delete an agent. Agent must have task_count of 0.

List tasks assigned to an agent.

Create a task for an agent.

A task runs against a specific repo on a schedule. Configuration depends on agent type (check with get_sc_agent first).

CLASSIFIER agent configuration:

• classification_type: must be 5

• sample_strategy: "ROWS" or "PERCENT"

• collection_name: classifier collection name Do NOT include SIS fields (service_name, audit_file_path, etc.) for classifier agents.

SIS (audit) agent configuration varies by DB:

• Oracle: optional 'initial_audit_timestamp', 'service_name'

• MSSQL: 'audit_file_path' (required, absolute path)

• PostgreSQL: 'audit_file_path', 'audit_file_type' (log/csv/json), optional 'log_line_prefix'

• MySQL: either 'table_name' or 'audit_file_path' Do NOT include classifier fields for SIS agents.

Schedule: 'type' ("CRON"), 'value' (cron expression), optional 'max_duration' (ISO 8601), optional 'timezone' (e.g. "America/New_York").

Update an agent task. Only provided fields change.

Configuration update rules vary by database type. See create_sc_agent_task for details.

Delete an agent task.

Atomically removes the task and decrements the agent's and service user's task counts.

List database repositories configured for sidecar proxying.

Create a new database repository for sidecar proxying.

Get details for a specific repository.

Update a repository's description.

Delete a repository. Must have no users or bindings.

List users configured for a repository.

Create a repo user with credential reference.

Provide exactly one of aws_secrets_manager or azure_key_vault.

Get details for a specific repo user.

Update a repo user's credential reference.

Delete a repo user.

List service users. Optionally filter by repo.

Create a service user for a repository.

Provide exactly one of aws_secrets_manager or azure_key_vault.