Snowflake Data Access Control Made Easy and Scalable

Data access control in Snowflake

Snowflake provides out-of-the-box granular access control features that enable you to manage who can access what data objects and what actions/operations can be done on those data objects.

Access control framework

Snowflake provides a foundational model of concepts and components over which one can build and manage access controls.

Snowflake supports these two most common data access models:

Role-based access control (RBAC): Assign permissions and privileges to a set of users grouped under a specific business role/function/domain.

Discretionary access control (DAC): Allows users/data owners to grant permissions and privileges to other users.

Learn more about RBAC and DAC.

Key components of Snowflake access control

The key concepts in managing access control are:

• Securable objects
• Privileges
• Roles
• Role hierarchy and privilege inheritance

In Snowflake, all securable objects have privileges, privileges are assigned to roles, and roles are then assigned to users (groups) and other roles.

Securable objects

The Securable Objects are the essential components (that follow a hierarchy) in Snowflake’s platform that users interact with. These include warehouses, databases, schema, roles, tables, columns, views, tasks, and stored procedures.

Privileges

Privileges are generally operations/actions that can be performed on a particular Snowflake object. The privileges in Snowflake are hierarchically grouped into thirty scope/categories such as:

• Global privileges: Permission to create users, roles, integrations, tasks, and monitor usage.
• Database privileges: Permission to create a schema, modify the database, and manage ownership.
• Schema privileges: Permission to modify the schema, create tables and views, set row access, and masking policies.
• Table privileges: Permission to execute SQL statements like SELECT, INSERT, DELETE, UPDATE.

Learn more: A complete list of Snowflake access control privileges.

Roles

Roles are used to grant and revoke access privileges to securable objects. Think of a role to be a package that contains permissions types/privileges rather than a role as a group of users. Roles are then assigned to users which enables them to operate on the data assets in a secure and compliant manner. A user can be assigned multiple roles and a user can switch roles based on the requirements.

Learn more about roles in Snowflake

Snowflake role based access control(RBAC). Source: Snowflake

Role hierarchy and privilege inheritance

In Snowflake a role (which has privileges) can inherit privileges from another role. This essentially allows users to combine privileges from multiple roles. The advantages of role hierarchy are it provides granular control, help reduce duplication of roles, encourages reusability of roles, and helps minimize access control complexities.

Learn more about role hierarchy in Snowflake

Snowflake role hierarchy and privilege inheritance. Source: Snowflake

Challenges in managing access control in Snowflake

1. Access control management for non-technical data stewards
2. Lack of user-interface layer for managing access
3. Absence of data lineage
4. Access control for data from multiple sources (non-Snowflake)
5. Challenging access request management

Access control management for non-technical data stewards

Snowflake access control management is done entirely by writing scripts. This makes it harder for non-technical data stewards to manage access.

Lack of user-interface layer for managing access

Managing access control at scale for large teams, across geographies and functions might be difficult without a user-interface layer. The UI layer simplifies access management tasks like creating roles, and groups, and handling requests for granting/revoking access controls.

Absence of data lineage

Apart from tracking the journey of the data asset from the source to the BI tools, lineage can also be leveraged to automatically propagate access policies downstream.

Access control for data from multiple sources (non-Snowflake)

Data (and metadata), especially on the cloud, proliferate across multiple data sources, tools, and processes ranging from ingestion, ETL, data quality, and business intelligence (BI). So the need for a centralized access control platform is a must-have to get a complete hold on governance.

Challenging access request management

As your team scales, you need a centralized and easy-to-use access control request management system. This gives you a complete picture and a snapshot of who has access to what data which is an essential requirement for compliance with data regulations.

A Guide to Building a Business Case for a Data Catalog

Download ebook

Snowflake access controls with Atlan: Flexible and scalable

As organizations are trying to transition from a controlling, bureaucratic form of data governance to a collaborative one, access control management has become one of the most important components of an effective data governance program.

With user groups, custom access policies, Personas, Purposes, and data lineage, Atlan makes access control for Snowflake easy at scale.

Let’s now look at the key access control capabilities of Atlan:

Access to Snowflake metadata and data is restricted by default in Atlan. Access granting/control in Atlan is achieved through the following 5 methods :

1. User Roles
2. Groups
3. Access Policies
4. Personas
5. Purposes

Selecting a method depends on the scale and granularity at which one wants to control access. We’ll discuss each of these methods in brief:

Roles

Roles are the most general and broad permissions a user can have within Atlan. There are three default roles in Atlan, they are:

• Admin who can set up and manage connections to Snowflake, manage users, classifications, and access policies.
• Member who can search, view, query, and update information about a data asset.
• Guest who can only search and view information about the data.

Learn more about the use of roles in Atlan.

Access Policies

Access policies help allow or restrict access to certain data and metadata in Snowflake. Access policies enable you to go granular with access control. There are three kinds of Access policies in Atlan, they are:

Metadata policies

Metadata policies control access and privileges to Snowflake metadata. Some of the privileges include: Updating descriptions, certifications, owners, classifications, and viewing an asset’s activity log, lineage, and SQL queries.

Learn more about how to access control Snowflake metadata in Atlan

Data policies

Data policies control access and privileges to Snowflake data. Some of the privileges include: Querying and previewing the data, and data masking.

Learn more about how to access control Snowflake data in Atlan

Glossary policies

Data glossary policies control privileges to glossary metadata. Some of the privileges include: Creating and updating glossary definitions, adding certifications and owners, associating related terms, and adding classifications

Learn more about data policies for business glossary

Casestudy: Why use Atlan for data discovery, governance, and access control?

How Atlan helps to scale Snowflake access control

One thing that Atlan really aces is how it helps automatically handle access control at scale when you bring in new users, teams, and data sources. This is done using:

• Personas
• Purposes

Personas

Personas are a way to control access to users who belong to a group/domain — Sales and marketing, data engineer, and data analyst. With Personas, you can handle scale by:

• Curating data assets relevant to the domain/team
• Controlling privileges/actions the users have on the asset (creating, updating, querying, etc)

Personas are a way to control access to users who belong to a group/domain. Source: Atlan

Purposes

Purposes are a way to control access to user groups who are tagged with a particular classification. Purposes add granularity to Personas. For example, a Persona might have permission to query and preview the Snowflake data, but the users in the Persona must not be able to access sensitive columns. This is controlled using a Purpose that tags all sensitive data assets as PII. So next time when you create a new persona, you don’t have to create a new access policy for sensitive data.

Learn more about Snowflake access control through Personas and Purposes.

Purposes are a way to control access to user groups who are tagged with a particular classification. Source: Atlan

Data Masking

Atlan protects sensitive data through data masking. Adding data masking to any access policy automatically propagates masking to any asset that has been tagged with that policy. Data masking methods supported in Atlan are: Show first/last, hash, nullify, and redact.

Learn more about data masking

Atlan protects sensitive data through data masking. Source: Atlan

Automatic classification propagation through data lineage

Atlan parses the SQL queries and creates lineage visualization for Snowflake data assets. Atlan leverages lineage to automatically propagate classifications to all derived assets downstream. Propagation combined with Purposes helps scale Snowflake data access management.

Learn more about automatic classification propagation

Automate PII classification through data lineage.

Managing requests

Atlan handles all change/update requests to Snowflake metadata in a centralized location. This helps streamline and track request approvals across multiple teams and data sources.

Learn more about data access requests

Manage change/update requests to Snowflake metadata in a centralized location. Source: Atlan

Atlan: A Snowflake Ready Technology Partner for data governance

If you are evaluating and looking to deploy best-in-class data access governance for Snowflake — without having to compromise on data democratization? Try Atlan!

Atlan is the first data catalog and metadata management solution approved by Snowflake Ready Technology Validation program.

Quoting, Bob Muglia, Former CEO of Snowflake,

“Atlan’s unique, collaboration-first approach for the modern data stack helps to break down organizational silos and empower cross-functional teams to work together to make better business decisions.”