Snowflake configuration fields
Use the following table to understand some of the fields that are available for configuring the Snowflake data source in Data Access.
| Field | Description |
|---|---|
| Fetch Applications |
|
| Include Columns/Masking Import |
|
| Database Roles |
|
| Standard Edition Mode |
Note Enable this option if your Snowflake account is on Standard Edition.
|
| Tags Import |
Note If the Standard Edition Mode option is enabled, the tags are not imported, regardless of this field.
|
| Configuration Database |
The name of the Snowflake database where the Data Access connector stores its own metadata. |
| Exclude Databases (optional) |
A list of databases to exclude from synchronization. You can use regular expressions (for example, Note
|
| Exclude Roles (optional) |
A list of roles to exclude from synchronization. You can use regular expressions (for example,
Note
|
| Exclude Schemas (optional) |
A list of schemas to exclude from synchronization. You can use regular expressions (for example,
Note
|
| Include Databases (optional) |
A list of databases to include in synchronization. You can use regular expressions (for example, |
| Include Roles (optional) |
A list of roles to include in synchronization. You can use regular expressions (for example,
Note The database roles in this field apply only if the Database Roles option is enabled.
|
| Include Schemas (optional) |
A list of schemas to include in synchronization. You can use regular expressions (for example,
|
| No Manage Grants Mode |
Note Enable this option if you removed the
MANAGE GRANTS ON ACCOUNT permission when configuring Snowflake permissions. |
| Worker Pool Size |
The number of concurrent workers that are used for parallel operations during synchronization. The default value is 10. Although increasing this value may improve the synchronization speed, it increases the load on your Snowflake account. |
| Custom Masking Functions (optional) |
A list of Snowflake user-defined functions for custom masking methods. Enter the fully qualified name of the function, separated by dots: Custom masking functions allow you to use your organization's own data masking logic in Data Access, for example, masking an email address while preserving the domain for business analytics. The specified custom masking functions appear as selectable masking methods in column masks, alongside built-in options such as Hash (SHA-256), Email mask, Show first four characters, and Show last four characters. By default, a custom masking function uses its fully qualified name in column masks (for example, A custom masking function is used as a masking method only if it meets all of the following criteria:
If a function fails validation, it is skipped and the synchronization continues. |
| Decryption Tag Name (optional) |
An existing Snowflake tag to use with the Custom Decryption Function field. Enter the fully qualified name of the tag, separated by dots: |
| Custom Decryption Function (optional) |
A custom SQL function that is used to decrypt data during column masking. Enter the fully qualified name of the function, separated by dots: Note Ensure that the sync role that is used for Data Access in Snowflake has the
USAGE permission on the function. |
| Link to External Identity Store Groups |
|
| External Identity Store Owners (optional) |
A list of Snowflake role owners that are managed by external identity stores. |
| Role Hierarchy Exclusions (optional) |
A list of regular expressions that identify the account roles that Data Access must never add to or remove from another role's membership. This field applies only to account roles. In Snowflake, roles can be granted to other roles, forming a role hierarchy. By default, Data Access manages these role assignments during synchronization. However, you may have account roles that are managed manually by your Snowflake administrator or by tools outside of Data Access. You can use this field to protect such roles. Example If you enter |
| Data Access Owner Email Tag (optional) |
An existing Snowflake tag to which Data Access writes the owners' email addresses for each role that it manages. This field makes ownership information visible within Snowflake, which is useful if your organization has auditing or reporting tools that read Snowflake object tags. Enter the fully qualified name of the tag, separated by dots: In Data Access, a role can have one or more owners. This ownership information exists only within Data Access. You can use this field to write the ownership information back into Snowflake as a tag on the Snowflake role object. During synchronization, Data Access applies the specified tag to each Snowflake role that it manages. |
| Data Access Owner Group Tag (optional) |
An existing Snowflake tag to which Data Access writes the owners' group names of each role that it manages. This field makes ownership information visible within Snowflake, which is useful if your organization has auditing or reporting tools that read Snowflake object tags. Enter the fully qualified name of the tag, separated by dots: In Data Access, a role can have one or more owners, each of which may belong to a group. This ownership information exists only within Data Access. You can use this field to write the ownership information back into Snowflake as a tag on the Snowflake role object. During synchronization, Data Access applies the specified tag to each Snowflake role that it manages. |
| Tag overwrite key for owners (optional) |
An existing Snowflake tag key on your data objects that automatically assigns ownership in Data Access. If a tag on a data object has a key that matches the specified key, the tag's value is set as the owner of the data object in Data Access. If the data object already has an owner, the new value is added alongside the existing one. Example If you enter the tag key |
| Tag key and value to flag user as a machine (optional) |
An existing Snowflake tag key and tag value that determine whether an identity is classified as a machine user in Data Access. Enter the tag key-value pair, separated by a colon: If a tag on a user has a key-value pair that matches the specified pair, the user is set as a machine user in Data Access, instead of a human user. Example If you enter the tag key-value pair |