Configure Snowflake permissions

Note Column masks, row filters, tags, and usage history need Snowflake Enterprise Edition (or higher) accounts.

Before setting up the Snowflake data source for Data Access, configure the underlying data source with the required permissions (also called privileges in Snowflake) to allow Data Access to synchronize data objects, accounts, and access controls.

Tip To understand why and when a specific permission is required, go to Snowflake permissions.

To connect Data Access to Snowflake, you must configure a user with permissions to read, create, and update access controls. You should also create a dedicated configuration database for Data Access. Data Access requires a database in your Snowflake account to store configuration information. If you do not create a configuration database, you must grant the Snowflake sync role the permission to create any database. To avoid over-provisioning the sync role with such broad database creation privileges just for a one-time setup operation, we highly recommend that you create a configuration database.

Operating modes

Data Access supports two modes for connecting to Snowflake: Manage Grants and No Manage Grants. The mode that you use depends on whether your organization's security policies allow the MANAGE GRANTS ON ACCOUNT permission to be granted to the sync role.

Use the following table to understand how the two modes work and to help you choose the right mode.

Aspect Manage Grants mode No Manage Grants mode
How it works

You grant the MANAGE GRANTS ON ACCOUNT permission to the sync role. Data Access reads identities and access controls by using the SHOW USERS and SHOW GRANTS statements, providing you with near-real-time visibility into identity and access control changes in Snowflake.

You do not grant the MANAGE GRANTS ON ACCOUNT permission to the sync role. Data Access reads identities and access controls from Snowflake's ACCOUNT_USAGE schema views.

Tip The No Manage Grants mode is enabled by using the No Manage Grants Mode option when adding the Snowflake data source to Data Access.

When the No Manage Grants mode is enabled, Data Access assumes that the sync role already owns the databases that Data Access needs to manage. Because Data Access does not verify this assumption, you must set it up correctly.

When to choose
  • Your organization's security policies allow granting the MANAGE GRANTS ON ACCOUNT permission to the sync role.
  • You want the changes made in Snowflake to appear in Data Access as quickly as possible.
  • Your organization's security policies prohibit granting the MANAGE GRANTS ON ACCOUNT permission to the sync role.
  • You want to minimize the connector's privileges.
  • You can accept a delay of up to a few hours before the changes made in Snowflake appear in Data Access.
Constraint None.

Synchronization delay. Snowflake's ACCOUNT_USAGE schema views are updated asynchronously, typically with a lag of 45 minutes to 3 hours. As a result, with the No Manage Grants mode:

  • A user or access control added in Snowflake does not appear in Data Access until the relevant ACCOUNT_USAGE view is updated.
  • A newly configured Snowflake account that uses the No Manage Grants mode does not return results until the initial Snowflake replication synchronization finishes.

However, access controls that are managed directly in Data Access are unaffected; they are pushed to Snowflake immediately and are not subject to this delay.

Snowflake native applications

When the Fetch Applications option is enabled in Data Access, Data Access uses the SHOW GRANTS OF APPLICATION ROLE statement to import grants for Snowflake native applications. This statement does not have an ACCOUNT_USAGE equivalent, so it is unaffected by the No Manage Grants mode. Although the statement does not require the MANAGE GRANTS ON ACCOUNT permission, it requires the Snowflake sync role to be the application administrator (that is, a role that installed the application, or one with equivalent rights). Therefore, when the No Manage Grants Mode option is enabled in Data Access:

  • If you use Snowflake native applications, designate the sync role as the application administrator for each application that you want to synchronize.
  • If you do not use Snowflake native applications, disable the Fetch Applications option. If this option remains enabled, Data Access will still attempt the SHOW GRANTS OF APPLICATION ROLE statement and may return incomplete results or fail for applications where the sync role is not the application administrator.

Steps

To configure Snowflake permissions for Data Access:

  1. Create a configuration database.
    In the script, you can replace COLLIBRA with a database name that suits your organization. If you use a different name, you must update the Configuration Database field when adding the Snowflake data source to Data Access.
    Copy
    CREATE DATABASE IF NOT EXISTS COLLIBRA;
  2. Create a sync role with the required permissions.
    In the script, you can replace COLLIBRA_SYNC with a role name that suits your organization. If you use a warehouse other than COMPUTE_WH, update the warehouse name in the script accordingly.
    Important If you have chosen the No Manage Grants mode, remove the GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC; line from the following script.
    Copy
    CREATE OR REPLACE ROLE COLLIBRA_SYNC;
    GRANT CREATE ROLE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
    GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC;
    GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE COLLIBRA_SYNC;
    GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE COLLIBRA_SYNC;
    GRANT IMPORT SHARE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
    GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE COLLIBRA_SYNC;
    GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE COLLIBRA_SYNC;
    GRANT MONITOR USAGE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
    GRANT APPLY TAG ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  3. Create a user, and then assign the sync role to the user.
    If you changed the sync role and warehouse names earlier, update the ROLE and DEFAULT_WAREHOUSE names in the script accordingly. You can change the USER and PASSWORD values as needed. Although the script uses password authentication for simplicity, we highly recommend that you use key-pair authentication for production environments to help ensure higher security.
    Copy
    CREATE USER collibra PASSWORD='<your_secure_password>' DEFAULT_WAREHOUSE=COMPUTE_WH;
    GRANT ROLE COLLIBRA_SYNC TO USER collibra;
  4. If you have chosen the No Manage Grants mode, that is, if you removed the GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC; line from the script earlier:
    1. Grant the sync role ownership of any databases that Data Access needs to manage.
      Tip When you transfer the ownership of a database from one role to another in Snowflake by using GRANT OWNERSHIP, you can use Snowflake's COPY CURRENT GRANTS option to preserve the existing permissions on the database.
    2. When adding the Snowflake data source to Data Access, ensure the following:
      1. The No Manage Grants Mode option is enabled.
      2. If you do not use Snowflake native applications, the Fetch Applications option is disabled.

Related topics

Snowflake permissions

What's next

Create Snowflake connection