
Manage Access Audits

Privacera supports access audits for the Snowflake connector, allowing you to fetch and manage access audit logs from Snowflake. This feature is valuable for tracking user access and ensuring compliance with data governance policies.

Configure

  1. Navigate to Settings -> Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Snowflake.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under the BASIC tab, enable the following options to configure access audits:

    • Enable access audits: Enable to fetch access audits from the Snowflake connector.
    • Enable simple audits: Enables simple access audits queried on the database.
    • Enable advance audits: Enables advanced access audits queried on the database.
  5. Under the ADVANCED tab, configure the following options:

    • Enable column access exception: Enable to display an access denied exception when a user attempts to access specific columns in a table without the necessary permissions.
    • Database name where masking function for column access control will be created: Specify the database where the masking function used for column-level access control will be created. This field is required when Enable column access exception is enabled.
  6. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml
    
  3. Enable access audits by setting the following properties to true:

    YAML
    CONNECTOR_SNOWFLAKE_AUDIT_ENABLE: "true"
    CONNECTOR_SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE: "true"
    CONNECTOR_SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE: "true"
    

  4. Add or update the following property to enable column access exception:

    YAML
    CONNECTOR_SNOWFLAKE_ENABLE_COLUMN_ACCESS_EXCEPTION: "true"
    

  5. (Optional) Configure audit sync interval settings:

    The following properties are optional and control the frequency of audit data synchronization:

    • CONNECTOR_SNOWFLAKE_AUDIT_SYNC_INTERVAL: Specifies the interval (in seconds) between audit sync operations. Defaults to 14400 seconds (4 hours). The default 4-hour audit sync interval is suitable for production environments.

    • CONNECTOR_SNOWFLAKE_AUDIT_INITIAL_PULL_MINUTES: Specifies the initial time window (in minutes) for pulling historical audit data when the connector first starts. Defaults to 30 minutes.

    Production vs Testing

    The default 4-hour audit sync interval is recommended for production environments. During testing, validation, or troubleshooting, you may temporarily reduce the audit sync interval to receive access audit data faster.

    Example configuration for validation use cases (not recommended for production):

    YAML
    CONNECTOR_SNOWFLAKE_AUDIT_SYNC_INTERVAL: "60"      # 60 seconds = 1 minute
    CONNECTOR_SNOWFLAKE_AUDIT_INITIAL_PULL_MINUTES: "1"
    

  6. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
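
A pre-flight check for the properties set in steps 3 to 5, written as an added example (not Privacera's own tooling): it reports any of the three audit flags that is not "true" and a sync interval left below the 14400-second default. The function names and the sample file are constructed; point `audit_cfg_check` at your vars.connector.snowflake.yml before running the update in step 6.

```shell
#!/bin/sh
# Added example: lint the audit settings in a Snowflake connector vars file.
# Property names and the 14400-second default are the ones documented above;
# the function names and the sample file below are constructed.

# Print KEY's value from FILE, without quotes or trailing comment (last match wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*\$/\1/p" "$1" | tail -n 1
}

# Print one line per finding; the return status is the number of findings.
audit_cfg_check() {
    file=$1; findings=0
    for key in CONNECTOR_SNOWFLAKE_AUDIT_ENABLE \
               CONNECTOR_SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE \
               CONNECTOR_SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE; do
        if [ "$(cfg_get "$file" "$key")" != "true" ]; then
            echo "FINDING: $key is not \"true\""
            findings=$((findings + 1))
        fi
    done
    interval=$(cfg_get "$file" CONNECTOR_SNOWFLAKE_AUDIT_SYNC_INTERVAL)
    case $interval in
        '') ;;  # unset: the documented 14400-second default applies
        *[!0-9]*) echo "FINDING: sync interval '$interval' is not a number"
                  findings=$((findings + 1)) ;;
        *) if [ "$interval" -lt 14400 ]; then
               echo "FINDING: sync interval ${interval}s is below the 14400s production default"
               findings=$((findings + 1))
           fi ;;
    esac
    return "$findings"
}

# Constructed sample: one audit source off and the validation-only interval left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONNECTOR_SNOWFLAKE_AUDIT_ENABLE: "true"
CONNECTOR_SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE: "true"
CONNECTOR_SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE: "false"
CONNECTOR_SNOWFLAKE_AUDIT_SYNC_INTERVAL: "60"      # 60 seconds = 1 minute
EOF
audit_cfg_check "$sample" || echo "$? finding(s) in sample"
rm -f "$sample"
```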
    
  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Snowflake.

  3. Click on the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management.

  5. Under the BASIC tab, enable the following options to configure access audits:

    • Enable access audits: Enable to fetch access audits from the Snowflake connector.
    • Enable simple audits: Enables simple access audits queried on the database.
    • Enable advance audits: Enables advanced access audits queried on the database.
    • Database name where masking function for column access control will be created: Specify the database where the masking function used for column-level access control will be created. This field is required when Enable column access exception is enabled.
  6. Under the ADVANCED tab, configure the following options:

    • Enable column access exception: Enable to display an access denied exception when a user attempts to access specific columns in a table without the necessary permissions.
    • Audit sync interval (optional): Specifies the interval (in seconds) between audit sync operations. Defaults to 14400 seconds (4 hours).
    • Audit initial pull window (optional): Specifies the initial time window (in minutes) for pulling historical audit data when access audits are first enabled. Defaults to 30 minutes.

    • To configure custom audit sync values, scroll to the Custom Properties section and add the following entries:

      • In the Add New Custom Properties field, enter:
        Text Only
        ranger.policysync.connector.0.audit.interval.sec=60
        ranger.policysync.connector.0.audit.initial.pull.min=1
        

    Testing and Validation Usage

    The default audit sync interval is recommended for production environments. For testing, validation, or troubleshooting, the audit sync interval can be temporarily reduced to receive access audit data faster. Shorter intervals increase load on the Snowflake connector and should not be used in production.

  7. Click SAVE to apply the changes.