Enables or disables a pseudonymisation rule, or adds and removes principals from its exempt list.
-- Toggle the rule on or off:
ALTER PSEUDONYMISATION RULE ON <table> (<column_pattern>) SET ENABLED|DISABLED
-- Manage the per-principal exempt list (principals who read raw values despite the rule):
ALTER PSEUDONYMISATION RULE ON <table> (<column_pattern>) ADD EXEMPT ROLE <role_name>
ALTER PSEUDONYMISATION RULE ON <table> (<column_pattern>) ADD EXEMPT USER <user_identifier>
ALTER PSEUDONYMISATION RULE ON <table> (<column_pattern>) REMOVE EXEMPT ROLE <role_name>
ALTER PSEUDONYMISATION RULE ON <table> (<column_pattern>) REMOVE EXEMPT USER <user_identifier>## Overview ALTER PSEUDONYMISATION RULE toggles a pseudonymisation rule between the ENABLED and DISABLED states without removing the rule definition from the catalog. A disabled rule remains visible in SHOW PSEUDONYMISATION RULES output (with enabled = false) but does not apply transforms during query execution. This is useful for temporary data access during auditing, debugging, or regulatory review scenarios where full PII visibility is needed without permanently dropping protection. Unlike DROP PSEUDONYMISATION RULE, which permanently removes the rule definition, ALTER preserves all rule metadata (transform type, scope, priority, parameters) so the rule can be re-enabled without recreation. ## Behavior - The command updates the enabled flag both in the catalog (via the CatalogRouter) and in the session-scoped in-memory rule store. Both stores must contain a matching rule for the update to succeed. - After updating, the executor sets the needs_catalog_sync flag to trigger re-registration of the affected table. When a rule is disabled, the PseudonymTableProvider wrapper excludes the disabled rule from its transform pipeline. When re-enabled, the rule resumes applying transforms. - If no rule is found matching the specified table name and column pattern, the command returns an error indicating the rule was not found. Both the table name and column pattern must match an existing rule exactly. - The column pattern must match the stored pattern string verbatim. For example, if a rule was created with pattern '*_ssn', the ALTER command must reference '*_ssn' and not a variant such as 'employee_ssn'. - Disabling a rule has immediate effect on subsequent queries after the catalog sync completes. In-flight queries that began before the ALTER are not affected. - ADD EXEMPT and REMOVE EXEMPT manage the rule's exempt list, the set of principals who read raw values for the matched column despite the rule being enabled. Both operations are idempotent: ADD on an already-exempt principal is a no-op, REMOVE on a non-exempt principal is a no-op. The rule itself is not enabled or disabled by these commands; use SET ENABLED / SET DISABLED for that. - The exempt list is stored as part of the rule on the catalog. The control plane embeds the current list into each permission token, and the compute node runs the cross-match (principal user_id and resolved roles vs the rule's exempt_users and exempt_roles) when wrapping the table provider. Exempt principals get the rule filtered out before wrapping, so the unmask path has no per-row overhead. ## Compatibility ALTER PSEUDONYMISATION RULE supports GDPR audit workflows where a Data Protection Officer must temporarily view unmasked data to verify compliance. The rule can be re-enabled immediately after the audit concludes, minimizing the window of unprotected access.
| Name | Type | Description |
|---|---|---|
table_name | Specify the fully qualified table name in zone.schema.table format. The name is matched case-insensitively against stored rules. | |
column_pattern | Specify the column pattern of the rule to alter. Provide the pattern in parentheses after the table name. The pattern must exactly match the column_pattern string used when the rule was created. | |
enabled | Set the rule state by appending SET ENABLED or SET DISABLED after the column pattern. ENABLED activates the rule so transforms are applied at query time. DISABLED suspends the rule so the column returns raw stored values without removing the rule definition. |
ALTER PSEUDONYMISATION RULE ON medical.patients (patient_name) SET DISABLED;ALTER PSEUDONYMISATION RULE ON medical.patients (patient_name) SET ENABLED;ALTER PSEUDONYMISATION RULE ON finance.accounts (account_number) SET DISABLED;ALTER PSEUDONYMISATION RULE ON hr.employees (*_ssn) SET ENABLED;ALTER PSEUDONYMISATION RULE ON insurance.claims (claimant_name) SET DISABLED;ALTER PSEUDONYMISATION RULE ON clinical.trial_participants (email) SET ENABLED;