05-26-2020 07:24 AM
In this article, the requirement is to have simple tag names that will be applied to attributes in a Hive table.
Here, tags such as “Hashed” and “Masked” will be used in many tables. Different groups may need access to the data in the clear, while others will not be granted access. The opposite may apply for a different table.
The table atlas_tag_test has a column ssn that will be shown in the clear to hr_users and masked for power_users.
The value of the tag's groups attribute will be a comma-separated list of groups; in this case, we only have a single group.
Now, in Ranger, we have a policy for Masked.
For each group we add a condition that checks whether the group is set in the tag's groups attribute. For power_users, the condition looks like the following:

    if ( ctx.getAttributeValue("Masked","groups").indexOf("power_users") !== -1 ) {
        ctx.result = false;
    } else {
        ctx.result = true;
    }

If it is, the data will be available to the user to see in the clear. If it is not, the users will not be able to see the data.
We will add another row for hr_users like the following:

    if ( ctx.getAttributeValue("Masked","groups").indexOf("hr_users") !== -1 ) {
        ctx.result = false;
    } else {
        ctx.result = true;
    }
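The two conditions above search the groups attribute with indexOf, which matches substrings as well as whole group names. The following is an added example, not part of the original article or of Ranger's code, that runs the article's condition beside an exact-match variant against a constructed stand-in for ctx; makeCtx, substringCondition, exactCondition and the sample attribute values are assumptions made for illustration.

```javascript
// Constructed stand-in for Ranger's script context: only the two members the
// article's condition uses (getAttributeValue and result) are modelled.
function makeCtx(tagAttributes) {
  return {
    result: null,
    getAttributeValue: function (tagType, attrName) {
      var tag = tagAttributes[tagType];
      return tag && tag.hasOwnProperty(attrName) ? tag[attrName] : null;
    }
  };
}

// The article's condition: substring search in the "groups" attribute.
// result === true means the masking row applies to this group.
function substringCondition(ctx, group) {
  if (ctx.getAttributeValue("Masked", "groups").indexOf(group) !== -1) {
    ctx.result = false;
  } else {
    ctx.result = true;
  }
  return ctx.result;
}

// Exact-match variant, kept to ES5 syntax: split the list, trim each entry,
// compare whole names. A missing attribute keeps the mask on.
function exactCondition(ctx, group) {
  var raw = ctx.getAttributeValue("Masked", "groups");
  var listed = false;
  if (raw !== null && raw !== undefined) {
    var names = String(raw).split(",");
    for (var i = 0; i < names.length; i++) {
      if (names[i].replace(/^\s+|\s+$/g, "") === group) { listed = true; }
    }
  }
  ctx.result = !listed;
  return ctx.result;
}

// Constructed attribute values, not taken from the article's screenshots.
var single = makeCtx({ Masked: { groups: "hr_users" } });
var lookalike = makeCtx({ Masked: { groups: "hr_users_contractors, audit" } });
var untagged = makeCtx({ Masked: {} });

console.log(substringCondition(single, "hr_users"));    // false: unmasked
console.log(substringCondition(lookalike, "hr_users")); // false: substring hit
console.log(exactCondition(lookalike, "hr_users"));     // true: stays masked
console.log(exactCondition(untagged, "hr_users"));      // true: stays masked
```

Only the body of exactCondition, with the group name written as a literal, would go into the policy condition row; the stand-in context exists so the logic can be checked outside Ranger.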
When selecting the data as a power_users member, the data is masked:
When executing as an hr_users member, the data is displayed unmasked:
We can see that for power_users the masked policy was applied, matching number 85:
To dig deeper into what additional functions are available, you can also review the source code in Git:
RangerScriptExecutionContext.java
RangerScriptConditionEvaluator.java