Configure Snowflake permissions
Before you set up the Snowflake data source for Data Access, configure the underlying data source with the required permissions to allow Data Access to synchronize data objects, accounts, and access controls.
To connect Data Access to Snowflake, you must configure a user with permissions to read, create, and update access controls. You should also create a dedicated configuration database for Data Access. Data Access requires a database in your Snowflake account to store configuration information. If you do not create a configuration database, you must grant the Snowflake sync role the permission to create any database. To avoid over-provisioning the sync role with such broad database creation privileges just for a one-time setup operation, we highly recommend that you create a configuration database.
Operating modes
Data Access supports two modes for connecting to Snowflake. The mode that you use depends on whether your organization's security policies allow the MANAGE GRANTS ON ACCOUNT permission to be granted to the sync role.
The Manage Grants mode
In the Manage Grants mode, the sync role is granted the MANAGE GRANTS ON ACCOUNT permission. Data Access reads identities and access controls by using the SHOW USERS and SHOW GRANTS statements.
Use the Manage Grants mode if your organization permits the MANAGE GRANTS ON ACCOUNT permission, or if you need to have near real-time visibility into identity and access changes in Snowflake.
The No Manage Grants mode
In the No Manage Grants mode, the sync role is not granted the MANAGE GRANTS ON ACCOUNT permission. Data Access reads identities and access controls from Snowflake's ACCOUNT_USAGE schema views.
When No Manage Grants mode is enabled, Data Access assumes that the sync role already owns the databases that Data Access needs to manage. Because Data Access does not verify this assumption, you must set it up correctly.
Use the No Manage Grants mode if your organization's security policies prohibit granting the MANAGE GRANTS ON ACCOUNT permission to the sync role.
Constraints
Snowflake's ACCOUNT_USAGE schema views are updated asynchronously, typically with a lag of 45 minutes to 3 hours. As a result, with the No Manage Grants mode:
- A user or access control added in Snowflake does not appear in Data Access until the relevant ACCOUNT_USAGE view is updated.
- A newly configured Snowflake account that uses the No Manage Grants mode does not return results until the initial Snowflake replication synchronization finishes.
However, access controls that are managed directly in Data Access are unaffected; they are pushed to Snowflake immediately and are not subject to this delay.
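The following Snowflake SQL is an added illustration of the replication lag described above; it is not part of the original page. It compares the live grant state that the Manage Grants mode reads through SHOW GRANTS with the ACCOUNT_USAGE view that the No Manage Grants mode reads, for one role. SOME_ROLE is an assumed placeholder for any role in your account; run the statements as a role that can both run SHOW GRANTS on it and read SNOWFLAKE.ACCOUNT_USAGE (for example ACCOUNTADMIN), shortly after a grant on that role has changed.

```sql
-- Added example, not from the original page. SOME_ROLE is a placeholder.
-- Step 1: the live grant state, as read in the Manage Grants mode.
SHOW GRANTS TO ROLE SOME_ROLE;

-- Step 2: compare it with the asynchronously updated ACCOUNT_USAGE view,
-- which is what the No Manage Grants mode reads. LAST_QUERY_ID() refers to
-- the SHOW GRANTS statement above, so the two must be run back to back.
WITH live AS (
    SELECT "privilege"  AS privilege,
           "granted_on" AS granted_on,
           "name"       AS name
    FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
),
replicated AS (
    SELECT privilege, granted_on, name
    FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
    WHERE grantee_name = 'SOME_ROLE'
      AND deleted_on IS NULL
)
SELECT COALESCE(l.privilege,  r.privilege)  AS privilege,
       COALESCE(l.granted_on, r.granted_on) AS granted_on,
       COALESCE(l.name,       r.name)       AS name,
       CASE
           WHEN r.privilege IS NULL THEN 'granted live, not yet in ACCOUNT_USAGE'
           WHEN l.privilege IS NULL THEN 'revoked live, still in ACCOUNT_USAGE'
       END AS lag_state
FROM live l
FULL OUTER JOIN replicated r
  ON  r.privilege  = l.privilege
  AND r.granted_on = l.granted_on
  AND r.name       = l.name
WHERE l.privilege IS NULL OR r.privilege IS NULL;
```

Every row returned is a grant that Data Access would see immediately in the Manage Grants mode but only after the ACCOUNT_USAGE lag in the No Manage Grants mode. An empty result means the view has caught up with the live state for that role.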
Snowflake Native Apps
When the Fetch Applications option is enabled in Data Access, Data Access uses the SHOW GRANTS OF APPLICATION ROLE statement to import grants for Snowflake Native Apps. This statement does not have an ACCOUNT_USAGE equivalent, so it is unaffected by the No Manage Grants mode. Although the statement does not require the MANAGE GRANTS ON ACCOUNT permission, it does require the Snowflake sync role to be the application administrator (that is, a role that installed the application, or one with equivalent rights).
Therefore, when the No Manage Grants Mode option is enabled in Data Access:
- If you use Snowflake Native Apps, designate the sync role as the application administrator for each application that you want to synchronize.
- If you do not use Snowflake Native Apps, disable the Fetch Applications option. If this option remains enabled, Data Access will still attempt the SHOW GRANTS OF APPLICATION ROLE statement and may return incomplete results or fail for applications where the sync role is not the application administrator.
Steps
The following steps include both operating modes.
- Create a configuration database.
  In the script, you can replace COLLIBRA with a database name that suits your organization. If you use a different name, you must update the Configuration Database field when you configure Snowflake in Data Access.

  CREATE DATABASE IF NOT EXISTS COLLIBRA;

- Create a sync role with the required permissions.
  In the script, you can replace COLLIBRA_SYNC with a role name that suits your organization. If you use a warehouse other than COMPUTE_WH, update the warehouse name in the script accordingly.
  Important: If you have chosen the No Manage Grants mode, remove the GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC; line from the following script.

  CREATE OR REPLACE ROLE COLLIBRA_SYNC;
  GRANT CREATE ROLE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  GRANT IMPORT SHARE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE COLLIBRA_SYNC;
  GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE COLLIBRA_SYNC;
  GRANT MONITOR USAGE ON ACCOUNT TO ROLE COLLIBRA_SYNC;
  GRANT APPLY TAG ON ACCOUNT TO ROLE COLLIBRA_SYNC;

- Create a user, and then assign the sync role to the user.
  If you changed the sync role and warehouse names earlier, update the ROLE and DEFAULT_WAREHOUSE names in the script accordingly. You can change the USER and PASSWORD values as needed. Although the script uses password authentication for simplicity, we highly recommend that you use key-pair authentication for production environments to help ensure higher security.

  CREATE USER collibra PASSWORD='<your_secure_password>' DEFAULT_WAREHOUSE=COMPUTE_WH;
  GRANT ROLE COLLIBRA_SYNC TO USER collibra;

- If you have chosen the No Manage Grants mode, that is, if you removed the GRANT MANAGE GRANTS ON ACCOUNT TO ROLE COLLIBRA_SYNC; line from the script earlier:
  - Grant the sync role ownership of any databases that Data Access needs to manage.
    Tip: When you transfer the ownership of a database from one role to another in Snowflake by using GRANT OWNERSHIP, you can use Snowflake's COPY CURRENT GRANTS option to preserve the existing permissions on the database.
  - When you configure Snowflake in Data Access, ensure the following:
    - The No Manage Grants Mode option is enabled.
    - If you do not use Snowflake native applications, the Fetch Applications option is disabled.
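The following Snowflake SQL is an added example for the No Manage Grants mode steps above; it is not part of the original page or the product's own scripts. It performs the ownership transfer with COPY CURRENT GRANTS and then verifies the two conditions this mode depends on, because Data Access does not verify the ownership assumption itself. The role name COLLIBRA_SYNC is the one used in the steps; SALES_DB is an assumed placeholder for a database that Data Access should manage. Run it as a role that currently owns SALES_DB, or as ACCOUNTADMIN.

```sql
-- Added example, not from the original page. SALES_DB is a placeholder name.
-- Step 1: hand the database to the sync role while keeping the grants
-- that are already on it.
GRANT OWNERSHIP ON DATABASE SALES_DB TO ROLE COLLIBRA_SYNC COPY CURRENT GRANTS;

-- Step 2: verify that every database Data Access should manage is owned by
-- the sync role. Any row returned is a database for which the mode's
-- ownership assumption does not hold.
SHOW DATABASES;
SELECT "name"  AS database_name,
       "owner" AS current_owner
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "name" IN ('SALES_DB')        -- list every database Data Access manages
  AND "owner" <> 'COLLIBRA_SYNC';

-- Step 3: verify that the sync role does not hold MANAGE GRANTS, i.e. that
-- the line was really removed from the role script. An empty result is the
-- expected outcome in this mode.
SHOW GRANTS TO ROLE COLLIBRA_SYNC;
SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'MANAGE GRANTS';
```

Both checks are cheap enough to keep as a recurring control: rerun them after any change to role ownership, and treat a non-empty result from either query as a misconfiguration to correct before the next synchronization. Note that in Snowflake, GRANT OWNERSHIP on a database does not cascade to the schemas and objects inside it; whether Data Access also needs ownership of those is not stated on this page.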