Configure Snowflake permissions
Before setting up the Snowflake data source for Data Access, configure the underlying data source with the required permissions (also called privileges in Snowflake) to allow Data Access to synchronize data objects, accounts, and access controls.
To connect Data Access to Snowflake, you must configure a user with permissions to read, create, and update access controls. You should also create a dedicated configuration database for Data Access. Data Access requires a database in your Snowflake account to store configuration information. If you do not create a configuration database, you must grant the Snowflake sync role the permission to create any database. To avoid over-provisioning the sync role with such broad database creation privileges just for a one-time setup operation, we highly recommend that you create a configuration database.
Operating modes
Data Access supports two modes for connecting to Snowflake: Manage Grants and No Manage Grants. The mode that you use depends on whether your organization's security policies allow the MANAGE GRANTS ON ACCOUNT permission to be granted to the sync role.
Use the following table to understand how the two modes work and to help you choose the right mode.
| Aspect | Manage Grants mode | No Manage Grants mode |
|---|---|---|
| How it works |
You grant the |
You do not grant the Tip The No Manage Grants mode is enabled by using the No Manage Grants Mode option when adding the Snowflake data source to Data Access.
When the No Manage Grants mode is enabled, Data Access assumes that the sync role already owns the databases that Data Access needs to manage. Because Data Access does not verify this assumption, you must set it up correctly. |
| When to choose |
|
|
| Constraint | None. |
Synchronization delay. Snowflake's
However, access controls that are managed directly in Data Access are unaffected; they are pushed to Snowflake immediately and are not subject to this delay. |
Snowflake native applications
When the Fetch Applications option is enabled in Data Access, Data Access uses the SHOW GRANTS OF APPLICATION ROLE statement to import grants for Snowflake native applications. This statement does not have an ACCOUNT_USAGE equivalent, so it is unaffected by the No Manage Grants mode. Although the statement does not require the MANAGE GRANTS ON ACCOUNT permission, it requires the Snowflake sync role to be the application administrator (that is, a role that installed the application, or one with equivalent rights). Therefore, when the No Manage Grants Mode option is enabled in Data Access:
- If you use Snowflake native applications, designate the sync role as the application administrator for each application that you want to synchronize.
- If you do not use Snowflake native applications, disable the Fetch Applications option. If this option remains enabled, Data Access will still attempt the
SHOW GRANTS OF APPLICATION ROLEstatement and may return incomplete results or fail for applications where the sync role is not the application administrator.
Steps
To configure Snowflake permissions for Data Access:
- Create a configuration database.
In the script, you can replaceCOLLIBRAwith a database name that suits your organization. If you use a different name, you must update the Configuration Database field when adding the Snowflake data source to Data Access.CopyCREATE DATABASE IF NOT EXISTS COLLIBRA; - Create a sync role with the required permissions.
In the script, you can replaceCOLLIBRA_SYNCwith a role name that suits your organization. If you use a warehouse other thanCOMPUTE_WH, update the warehouse name in the script accordingly.Important If you have chosen the No Manage Grants mode, remove theGRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC;line from the following script.CopyCREATE OR REPLACE ROLE COLLIBRA_SYNC;
GRANT CREATE ROLE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE COLLIBRA_SYNC;
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE COLLIBRA_SYNC;
GRANT IMPORT SHARE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE COLLIBRA_SYNC;
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE COLLIBRA_SYNC;
GRANT MONITOR USAGE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
GRANT APPLY TAG ON ACCOUNT TO ROLE COLLIBRA_SYNC; - Create a user, and then assign the sync role to the user.
If you changed the sync role and warehouse names earlier, update theROLEandDEFAULT_WAREHOUSEnames in the script accordingly. You can change theUSERandPASSWORDvalues as needed. Although the script uses password authentication for simplicity, we highly recommend that you use key-pair authentication for production environments to help ensure higher security.CopyCREATE USER collibra PASSWORD='<your_secure_password>' DEFAULT_WAREHOUSE=COMPUTE_WH;
GRANT ROLE COLLIBRA_SYNC TO USER collibra; - If you have chosen the No Manage Grants mode, that is, if you removed the
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC;line from the script earlier:- Grant the sync role ownership of any databases that Data Access needs to manage. Tip When you transfer the ownership of a database from one role to another in Snowflake by using
GRANT OWNERSHIP, you can use Snowflake'sCOPY CURRENT GRANTSoption to preserve the existing permissions on the database. - When adding the Snowflake data source to Data Access, ensure the following:
- The No Manage Grants Mode option is enabled.
- If you do not use Snowflake native applications, the Fetch Applications option is disabled.
- Grant the sync role ownership of any databases that Data Access needs to manage.