
Creating and Managing Principals in Snowflake Connector

This section describes how to create and manage principals in Snowflake.

The Snowflake Connector allows you to create and manage principals in Snowflake. Principals are the users, groups and roles in Snowflake that can be granted permissions to access Snowflake resources. This feature is optional and can be configured to manage only users, only groups, only roles, or all three types of principals in Snowflake.

Setup

The default setting for creating and managing principals in Snowflake is true. However, it is recommended to explicitly set this value to either true or false in the connector configuration file. Doing so ensures that the connector behavior remains consistent even if the default value changes in future releases. These configuration properties determine whether the Privacera Snowflake connector is allowed to create users and groups in Snowflake.

  • Set the value to true to allow the connector to create the corresponding principal if it does not already exist.

By default, principal names are converted to lowercase when they are created. However, the connector provides configuration options to control case sensitivity and normalization.

Persist Case Sensitivity:

  • When case sensitivity is retained (true): The principal names (users, groups, roles) are stored and managed exactly as provided, preserving uppercase and lowercase letters.
  • When case sensitivity is not retained (false, default behavior): Principal names are automatically converted to lowercase in Snowflake.

Case Conversion Options:

  • lower (default): Principal names (users, groups, roles) are converted to lowercase.
  • upper: Principal names are converted to uppercase.
  • none: Principal names are preserved as-is, without any case conversion.

Case conversion properties apply only when case sensitivity is not persisted:

  • Self Managed (Portal Configuration) deployments: disable the following in the Access Management → ADVANCED tab of the Snowflake application:
    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
  • Self Managed (YAML Configuration) deployments: set the following properties to "false" (the default):
    • CONNECTOR_SNOWFLAKE_USER_NAME_PERSIST_CASE_SENSITIVITY
    • CONNECTOR_SNOWFLAKE_GROUP_NAME_PERSIST_CASE_SENSITIVITY
    • CONNECTOR_SNOWFLAKE_ROLE_NAME_PERSIST_CASE_SENSITIVITY
  • PrivaceraCloud deployments: disable the following in the Access Management → ADVANCED tab of the Snowflake application:
    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
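The rules above decide which Snowflake name a portal principal ends up with. The following is an added example (not Privacera's code) that models those rules from the YAML-style property names on this page and reports portal names that fold onto the same Snowflake principal, which is the check worth running before enabling lowercase or uppercase conversion; the sample config and user names are constructed.

```python
# Added example (not Privacera's code): models how the connector settings on
# this page shape principal names, and flags names that merge after folding.
# Assumed behaviour, as documented: PERSIST_CASE_SENSITIVITY "true" keeps the
# name as given and ignores CASE_CONVERSION; otherwise "lower" (default),
# "upper" or "none" is applied.
from collections import defaultdict


def normalize_name(name, persist_case="false", conversion="lower"):
    """Return the name as the connector would manage it in Snowflake."""
    if persist_case.strip().lower() == "true":
        return name  # conversion has no effect when case is persisted
    conversion = conversion.strip().lower()
    if conversion == "lower":
        return name.lower()
    if conversion == "upper":
        return name.upper()
    if conversion == "none":
        return name
    raise ValueError(f"unknown case conversion: {conversion!r}")


def normalize_for_type(config, ptype, name):
    """Apply the YAML-style keys for one principal type: USER, GROUP or ROLE."""
    prefix = f"CONNECTOR_SNOWFLAKE_{ptype}_NAME_"
    return normalize_name(name,
                          config.get(prefix + "PERSIST_CASE_SENSITIVITY", "false"),
                          config.get(prefix + "CASE_CONVERSION", "lower"))


def find_collisions(config, ptype, names):
    """Return normalized names that more than one distinct source name maps to;
    two portal identities folding onto one Snowflake principal share its grants."""
    buckets = defaultdict(set)
    for n in names:
        buckets[normalize_for_type(config, ptype, n)].add(n)
    return {k: sorted(v) for k, v in buckets.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample config, mirroring the YAML step on this page.
    cfg = {
        "CONNECTOR_SNOWFLAKE_USER_NAME_PERSIST_CASE_SENSITIVITY": "false",
        "CONNECTOR_SNOWFLAKE_USER_NAME_CASE_CONVERSION": "upper",
        "CONNECTOR_SNOWFLAKE_ROLE_NAME_PERSIST_CASE_SENSITIVITY": "true",
        "CONNECTOR_SNOWFLAKE_ROLE_NAME_CASE_CONVERSION": "none",
    }
    users = ["Alice.Smith", "alice.smith", "Bob"]  # constructed portal users
    print(normalize_for_type(cfg, "USER", "Alice.Smith"))  # ALICE.SMITH
    print(find_collisions(cfg, "USER", users))  # {'ALICE.SMITH': ['Alice.Smith', 'alice.smith']}
```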

Warning

  • Replace the example values with your actual values.
Self Managed (Portal Configuration)

  1. Navigate to Settings → Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Snowflake.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab and select the ADVANCED tab.

  4. To use the email ID as the login name when creating a new user in Snowflake, enable the following option:

    • Enable use of email as login for snowflake
  5. To allow PolicySync to automatically create local Snowflake users and corresponding user roles for each user created in the portal, enable the following options:

    • Create users in snowflake by policysync
    • Create user roles in snowflake by policysync
  6. To customize the role name prefix, provide values in the following fields (the values shown are examples):

    • Prefix of snowflake roles for portal users: priv_user_dev
    • Prefix of snowflake roles for portal groups: priv_group_dev
    • Prefix of snowflake roles for portal roles: priv_role_dev
  7. To retain the case of the principal names, enable the following options:

    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
  8. To use the case conversion, add the following properties under Add New Custom Properties section:

    Bash
    ranger.policysync.connector.0.user.name.case.conversion=upper
    ranger.policysync.connector.0.group.name.case.conversion=upper
    ranger.policysync.connector.0.role.name.case.conversion=none
    
  9. Click SAVE to apply the changes.

Self Managed (YAML Configuration)

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml
    
  3. To allow PolicySync to use the email address as the login name when creating a new user in Snowflake, set the following property:

    YAML
    CONNECTOR_SNOWFLAKE_USER_LOGIN_NAME_USE_EMAIL: "true"
    

  4. Set the following properties to allow PolicySync to create a Snowflake user and a corresponding user role for each user fetched from the portal:

    YAML
    CONNECTOR_SNOWFLAKE_CREATE_USER: "true"
    CONNECTOR_SNOWFLAKE_CREATE_USER_ROLE: "true"
    

  5. To customize the role name prefix, set the following properties:

    YAML
    CONNECTOR_SNOWFLAKE_USER_ROLE_PREFIX: "priv_user_dev"
    CONNECTOR_SNOWFLAKE_GROUP_ROLE_PREFIX: "priv_group_dev"
    CONNECTOR_SNOWFLAKE_ROLE_ROLE_PREFIX: "priv_role_dev"
    

  6. To retain the case of the principal names, set the following properties:

    YAML
    CONNECTOR_SNOWFLAKE_USER_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_SNOWFLAKE_GROUP_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_SNOWFLAKE_ROLE_NAME_PERSIST_CASE_SENSITIVITY: "true"
    

  7. To use the case conversion, set the following properties:

    YAML
    CONNECTOR_SNOWFLAKE_USER_NAME_CASE_CONVERSION: "upper"
    CONNECTOR_SNOWFLAKE_GROUP_NAME_CASE_CONVERSION: "upper"
    CONNECTOR_SNOWFLAKE_ROLE_NAME_CASE_CONVERSION: "none"
    

  8. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Run the post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In the PrivaceraCloud portal, navigate to Settings → Applications.

  2. On the Connected Applications screen, select Snowflake.

  3. Click on the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to the Access Management → ADVANCED tab.

  5. To use the email ID as the login name when creating a new user in Snowflake, enable the following option:

    • Enable use of email as login for snowflake
  6. To allow PolicySync to automatically create local Snowflake users and corresponding user roles for each user created in the portal, enable the following options:

    • Create users in snowflake by policysync
    • Create user roles in snowflake by policysync
  7. To customize the role name prefix, enter values in the following fields (the values shown are examples):

    • Prefix of snowflake roles for portal users: priv_user_dev
    • Prefix of snowflake roles for portal groups: priv_group_dev
    • Prefix of snowflake roles for portal roles: priv_role_dev
  8. To retain the case of the principal names, enable the following options:

    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
  9. To use the case conversion, add the following properties under Add New Custom Properties section:

    Bash
    ranger.policysync.connector.0.user.name.case.conversion=upper
    ranger.policysync.connector.0.group.name.case.conversion=upper
    ranger.policysync.connector.0.role.name.case.conversion=none
    
  10. Click SAVE to apply the changes.
