02-02-2017
09:39 PM
3 Kudos
To add to Deepak's excellent explanation:

1. Hive Row Level Filter and Column Masking policies do not grant users/groups access to resources. You need an access level policy granting at least the 'select' privilege to the required user/group on the resources which will be used in Row Level/Column Masking policies.

2. In a row level filter policy for a certain DB and table, there might be 2 filters set for a user 'user1': one explicitly with user='user1' and one implicitly with group = 'public', which user1 is part of. Both filters will NOT get applied to user1. The filter which appears first will be the one to get applied. So if there is a policy which has a filter for a group, and if there are certain users in the group which the filter should not apply to -> there should be filter rows for those users containing NO Row Level Filter, BEFORE the group filter row.

   "While determining the filter to apply for a table, Apache Ranger policy engine evaluates the policy-items in the order listed in the policy. The filter specified in the first policy-item that matches the access-request (i.e. user/groups) will be used in the query."

3. Under the column masking policies flow: for each column that needs a masking condition, you will need to create a separate policy, even for the same user/group. All of these will be applied for a user/group when a select request comes in.

4. Row level and Column masking policies both work in tandem; they are not mutually exclusive.
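The first-match ordering from point 2 and the access prerequisite from point 1, as an added example that is not part of the original post and is not Apache Ranger code. It is a simplified model: the dictionary layout, function names, the `sales` table and the sample users and filters are all constructed for illustration, and `shadowed_items` is a hypothetical review check for user exemptions placed after a group filter.

```python
# Simplified model of the evaluation order described above; not Ranger code.
# All names, policies and group memberships here are constructed samples.

def resolve_row_filter(policy_items, user, groups):
    """Return the filter of the first policy-item matching the user or one of
    the user's groups. None = no item matched; "" = matched, no row filter."""
    for item in policy_items:
        if user in item.get("users", ()) or set(groups) & set(item.get("groups", ())):
            return item["filter"]
    return None

def rewrite_query(table, select_allowed, policy_items, user, groups):
    """Row filter policies grant nothing: without an access policy giving
    'select', the request is denied before any filter is considered."""
    if not select_allowed:
        return "DENIED"
    flt = resolve_row_filter(policy_items, user, groups)
    return f"SELECT * FROM {table} WHERE {flt}" if flt else f"SELECT * FROM {table}"

def shadowed_items(policy_items, membership):
    """Report (index, user) pairs where a user-specific item can never apply
    because an earlier item already matches that user."""
    findings = []
    for idx, item in enumerate(policy_items):
        for user in item.get("users", ()):
            earlier = policy_items[:idx]
            if resolve_row_filter(earlier, user, membership.get(user, ())) is not None:
                findings.append((idx, user))
    return findings

MEMBERSHIP = {"user1": ["public"], "admin1": ["public"]}

# Exemption listed AFTER the group item: the group filter wins for admin1.
WRONG_ORDER = [
    {"groups": ["public"], "filter": "region = 'EU'"},
    {"users": ["admin1"], "filter": ""},
]
# Exemption listed BEFORE the group item: admin1 gets unfiltered rows.
RIGHT_ORDER = [
    {"users": ["admin1"], "filter": ""},
    {"groups": ["public"], "filter": "region = 'EU'"},
]

if __name__ == "__main__":
    for name, items in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, rewrite_query("sales", True, items, "admin1", MEMBERSHIP["admin1"]))
        print(name, "shadowed:", shadowed_items(items, MEMBERSHIP))
```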