Snowflake configuration fields

Use the following table to understand some of the fields that are available for configuring the Snowflake data source in Data Access.

Note Column masks, row filters, tags, and usage history need Snowflake Enterprise Edition (or higher) accounts.
Field Description
Fetch Applications
  • Enabled (default): Includes Snowflake native applications in synchronization.
  • Disabled: Excludes Snowflake native applications from synchronization.
Include Columns/Masking Import
  • Enabled (default): Imports columns and their masking policies.
  • Disabled: Does not import columns and their masking policies.
Database Roles
  • Enabled: Imports both account roles and database roles from all databases that are in scope.
  • Disabled (default): Imports only account roles, ignoring database roles entirely.
Standard Edition Mode
  • Enabled: Disables features that require Snowflake Enterprise Edition or higher, such as column masking policies, row access policies, and tag imports.
  • Disabled (default): Enables all features, including those that require Snowflake Enterprise Edition or higher. If your Snowflake account is on Standard Edition and you leave this option disabled, synchronization operations that rely on Enterprise-only features fail.
Note Enable this option if your Snowflake account is on Standard Edition.
Tags Import
  • Enabled (default): Imports Snowflake tags that are associated with data objects and roles.
  • Disabled: Does not import Snowflake tags that are associated with data objects and roles.
Note If the Standard Edition Mode option is enabled, the tags are not imported, regardless of this field.
Configuration Database

The name of the Snowflake database where the Data Access connector stores its own metadata.

Exclude Databases (optional)

A list of databases to exclude from synchronization. You can use regular expressions (for example, TEST.*) to match multiple databases at once.

Note 
  • The SNOWFLAKE database is excluded by default.
  • The database specified in the Configuration Database field is always excluded, regardless of what appears in the Exclude Databases field. For example, if you changed the default configuration database (COLLIBRA), the Exclude Databases field still shows COLLIBRA, but the new configuration database is actually excluded. You do not need to manually add the new configuration database to this field, even if it shows COLLIBRA.
  • Exclusion takes priority over inclusion. If a database is specified in both the Exclude Databases and Include Databases fields, it is excluded from synchronization.
Exclude Roles (optional)

A list of roles to exclude from synchronization. You can use regular expressions (for example, TEST.*) to match multiple roles at once.

  • To exclude an account role, enter only the role name.
  • To exclude a database role, enter both the database and role names separated by a dot: database.role
Note 
  • The database roles in this field apply only if the Database Roles option is enabled.
  • If an excluded role is a member of a parent role, the parent role's hierarchy is imported as incomplete. The parent role is still synchronized, but its full membership chain cannot be represented.
  • Exclusion takes priority over inclusion. If a role is specified in both the Exclude Roles and Include Roles fields, it is excluded.
Exclude Schemas (optional)

A list of schemas to exclude from synchronization. You can use regular expressions (for example, TEST.*) to match multiple schemas at once.

  • To exclude a schema from a specific database, enter both the database and schema names separated by a dot: database.schema
  • To exclude a schema across all databases in scope, enter only the schema name.
Note 
  • INFORMATION_SCHEMA is always excluded.
  • Exclusion takes priority over inclusion. If a schema is specified in both the Exclude Schemas and Include Schemas fields, it is excluded.
Include Databases (optional)

A list of databases to include in synchronization. You can use regular expressions (for example, TEST.*) to match multiple databases at once.

Include Roles (optional)

A list of roles to include in synchronization. You can use regular expressions (for example, TEST.*) to match multiple roles at once.

  • To include an account role, enter only the role name.
  • To include a database role, enter both the database and role names separated by a dot: database.role
Note The database roles in this field apply only if the Database Roles option is enabled.
Include Schemas (optional)

A list of schemas to include in synchronization. You can use regular expressions (for example, TEST.*) to match multiple schemas at once.

  • To include a schema from a specific database, enter both the database and schema names, separated by a dot: database.schema
  • To include a schema across all databases in scope, enter only the schema name.
No Manage Grants Mode
  • Enabled: Does not use the MANAGE GRANTS ON ACCOUNT permission.
  • Disabled (default): Uses the MANAGE GRANTS ON ACCOUNT permission.
Note Enable this option if you removed the MANAGE GRANTS ON ACCOUNT permission when configuring Snowflake permissions.
Worker Pool Size

The number of concurrent workers that are used for parallel operations during synchronization. The default value is 10. Although increasing this value may improve the synchronization speed, it increases the load on your Snowflake account.

Custom Masking Functions (optional)

A list of Snowflake user-defined functions for custom masking methods.

Enter the fully qualified name of the function, separated by dots: database.schema.function

Custom masking functions allow you to use your organization's own data masking logic in Data Access, for example, masking an email address while preserving the domain for business analytics. The specified custom masking functions appear as selectable masking methods in column masks, alongside built-in options such as Hash (SHA-256), Email mask, Show first four characters, and Show last four characters.

By default, a custom masking function uses its fully qualified name in column masks (for example, MARKETING_DB.HELPERS.MASK_EMAIL_DOMAIN). To show a user-friendly name instead (for example, Email Domain Mask), add a display_name tag to the function in Snowflake. The function then uses the tag value as the display name in column masks.

A custom masking function is used as a masking method only if it meets all of the following criteria:

  • The function exists in Snowflake.
  • The sync role that is used for Data Access in Snowflake has the USAGE permission on the function, or it owns the function.
  • The function accepts exactly one input parameter.
  • The function returns the same data type that it receives. For example, a function applied to a VARCHAR column must return a VARCHAR.

If a function fails validation, it is skipped and the synchronization continues.

Decryption Tag Name (optional)

An existing Snowflake tag to use with the Custom Decryption Function field.

Enter the fully qualified name of the tag, separated by dots: database.schema.tag

Custom Decryption Function (optional)

A custom SQL function that is used to decrypt data during column masking.

Enter the fully qualified name of the function, separated by dots: database.schema.function

Note Ensure that the sync role that is used for Data Access in Snowflake has the USAGE permission on the function.
Link to External Identity Store Groups
  • Enabled: Partially locks externally managed roles in Data Access.
  • Disabled (default): Fully locks externally managed roles in Data Access.
External Identity Store Owners (optional)

A list of Snowflake role owners that are managed by external identity stores.

Role Hierarchy Exclusions (optional)

A list of regular expressions that identify the account roles that Data Access must never add to or remove from another role's membership. This field applies only to account roles.

In Snowflake, roles can be granted to other roles, forming a role hierarchy. By default, Data Access manages these role assignments during synchronization. However, you may have account roles that are managed manually by your Snowflake administrator or by tools outside of Data Access. You can use this field to protect such roles.

Example If you enter SYS.+, Data Access does not add or remove any matching system roles as members of any other role.

Data Access Owner Email Tag (optional)

An existing Snowflake tag to which Data Access writes the owners' email addresses for each role that it manages. This field makes ownership information visible within Snowflake, which is useful if your organization has auditing or reporting tools that read Snowflake object tags.

Enter the fully qualified name of the tag, separated by dots: database.schema.tag

In Data Access, a role can have one or more owners. This ownership information exists only within Data Access. You can use this field to write the ownership information back into Snowflake as a tag on the Snowflake role object. During synchronization, Data Access applies the specified tag to each Snowflake role that it manages.

Data Access Owner Group Tag (optional)

An existing Snowflake tag to which Data Access writes the owners' group names of each role that it manages. This field makes ownership information visible within Snowflake, which is useful if your organization has auditing or reporting tools that read Snowflake object tags.

Enter the fully qualified name of the tag, separated by dots: database.schema.tag

In Data Access, a role can have one or more owners, each of which may belong to a group. This ownership information exists only within Data Access. You can use this field to write the ownership information back into Snowflake as a tag on the Snowflake role object. During synchronization, Data Access applies the specified tag to each Snowflake role that it manages.

Tag overwrite key for owners (optional)

An existing Snowflake tag key on your data objects that automatically assigns ownership in Data Access.

If a tag on a data object has a key that matches the specified key, the tag's value is set as the owner of the data object in Data Access. If the data object already has an owner, the new value is added alongside the existing one.

Example If you enter the tag key data_steward in this field, and if a table in your data source has the tag data_steward:[email protected], [email protected] is set as the owner of the table in Data Access.

Tag key and value to flag user as a machine (optional)

An existing Snowflake tag key and tag value that determine whether an identity is classified as a machine user in Data Access.

Enter the tag key-value pair, separated by a colon: key:value

If a tag on a user has a key-value pair that matches the specified pair, the user is set as a machine user in Data Access, instead of a human user.

Example If you enter the tag key-value pair user_type:service_account in this field, any user in your data source that has the tag user_type:service_account is classified as a machine user in Data Access.

Related topics

Add Snowflake to Data Access