mask_unless_access_grants

Syntax
Properties
Examples

Defines a list of access grants for the dimension that determine whether values should be masked. When a user doesn’t satisfy the specified access grants, dimension values are replaced with an MD5 hash. Unlike required_access_grants, which blocks access to the field entirely, this parameter allows users to see masked values. This parameter is useful when you want to:

Allow users to perform aggregations and analysis on sensitive data without exposing the actual values
Enable joins and grouping on sensitive fields while protecting personally identifiable information (PII)
Maintain data structure and relationships in queries while masking sensitive information

Syntax

<dimension_name>:
  mask_unless_access_grants: [<grants_and_conditions>]

Properties

dimension_name

object[]

The name of the dimension.

Hide dimension_name properties

mask_unless_access_grants

string[]

An array of access grant names that control data masking for the dimension. Each value must match an access grant defined in the model file. When the user doesn’t satisfy the access grants, values are replaced with an MD5 hash.Use | for OR conditions and & for AND conditions within the same array element.

Examples

Mask data unless user has marketing access

customer_email:
  mask_unless_access_grants: [marketing]

Mask data unless user has marketing OR sales access

customer_email:
  mask_unless_access_grants: [marketing|sales]

Mask data unless user has marketing OR (sales AND product) access

customer_email:
  mask_unless_access_grants: [marketing|sales&product]

links

order_by_field

⌘I

Getting started

Manage content

Analyze data

Deliver content

Visualize & present

Model data

Manage integrations

AI

mask_unless_access_grants

Syntax

Properties

Examples

Getting started

Manage content

Analyze data

Deliver content

Visualize & present

Model data

Manage integrations

AI

​Syntax

​Properties

​Examples

Syntax

Properties

Examples