Manage Resources List

You can configure the Snowflake connector to manage access control policies for specific warehouses, databases, schemas, tables/views, streams, functions, procedures, sequences, file formats, pipes, external stages and internal stages. You can specify lists to include and exclude resources. The connector manages access control policies for resources in the include list and ignores resources in the exclude list. If a resource is in the exclude list, the connector does not manage it, even if it is also in the include list.

Use the following properties to specify comma-separated lists of the warehouses, databases, schemas, tables/views, and functions whose access control should be managed by PolicySync. To manage all resources, do not specify these properties. You can use the wildcard character (*) to match multiple warehouses, databases, schemas, tables or functions.

Example:

  • Warehouses: test_warehouse1,test_warehouse2,sales_*
  • Databases: test_database1,test_database2,sales_*
  • Schemas: test_database1.schema1,test_database2*.sales*
  • Tables/Views: test_database1.schema1.table1,test_database2*.sales*.view*
  • Functions: test_database1.schema1.function1,test_database2*.sales*.func*
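The include/exclude rules above, as an added example that is not Privacera's own code: it resolves whether a given resource would be managed and reports include entries that an exclude entry cancels. The function names and sample values are constructed, and it assumes `*` can match any run of characters, dots included.

```python
import re

def parse_list(value):
    """Split a comma-separated property value into trimmed, non-empty patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]

def pattern_matches(pattern, name):
    # Only '*' is a wildcard; '.' and everything else is literal.
    # Assumption: '*' may span any characters. Matching is case-sensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def decide(name, manage, ignore):
    """Return (managed, reason) for one fully qualified resource name."""
    for pat in ignore:                      # the ignore list always wins
        if pattern_matches(pat, name):
            return False, f"ignored by '{pat}'"
    if not manage:                          # property unset: manage everything
        return True, "manage list empty"
    for pat in manage:
        if pattern_matches(pat, name):
            return True, f"included by '{pat}'"
    return False, "not in manage list"

def shadowed_entries(manage, ignore):
    """Literal manage entries that an ignore pattern cancels out."""
    return [m for m in manage
            if "*" not in m and any(pattern_matches(i, m) for i in ignore)]

# Constructed sample values, modelled on the page's examples.
MANAGE_TABLES = parse_list("test_database1.schema1.table1,test_database2*.sales*.view*")
IGNORE_TABLES = parse_list("test_database2.sales.view_tmp*,test_database1.schema1.table1")

if __name__ == "__main__":
    for resource in ("test_database1.schema1.table1",
                     "test_database2_eu.sales_2024.view_orders",
                     "test_database2.sales.view_tmp1",
                     "TEST_DATABASE2.SALES.VIEW_ORDERS",
                     "test_database3.schema1.table1"):
        print(resource, decide(resource, MANAGE_TABLES, IGNORE_TABLES))
    print("shadowed:", shadowed_entries(MANAGE_TABLES, IGNORE_TABLES))
```

A non-empty result from `shadowed_entries` means a resource someone expected to be governed is silently left unmanaged, which is worth reviewing before the configuration is applied.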

Configuration

Warning

  • Values are case-sensitive.
  • Provide fully qualified names for schemas, tables/views, and functions. E.g. catalog1.schema1.*
  • Replace the example values with your actual resource names.
  1. Navigate to Settings -> Applications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Snowflake.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. In the BASIC tab, specify the following resources to include:

    • Warehouses to manage access control policies: test_warehouse1
    • Databases to manage access control policies: test_database1
    • Schemas to manage access control policies: test_database1.schema1
    • Tables to manage access control policies: test_database1.schema1.table1
  5. In the ADVANCED tab, specify the following resources to include:

    • Streams to manage access control policies: test_database1.schema1.stream1
    • Functions to manage access control policies: testdb1.schema1.function1
    • Procedures to manage access control policies: testdb1.schema1.procedure1
    • Sequences to manage access control policies: testdb1.schema1.sequence1
    • FileFormats to manage access control policies: testdb1.schema1.fileFormat1
    • Pipes to manage access control policies: testdb1.schema1.pipe1
    • ExternalStages to manage access control policies: testdb1.schema1.externalStage1
    • InternalStages to manage access control policies: testdb1.schema1.internalStage1
  6. For excluding resources, enter the following values in the ADVANCED tab:

    • Warehouses to ignore while setting access control policies: test_warehouse2
    • Databases to ignore while setting access control policies: test_database2
    • Schemas to ignore while setting access control policies: test_database2.schema2
    • Tables to ignore while setting access control policies: test_database2.schema2.table2
    • Streams to ignore while setting access control policies: test_database2.schema2.stream2
    • Functions to ignore while setting access control policies: test_database2.schema2.function2
    • Procedures to ignore while setting access control policies: test_database2.schema2.procedure2
    • Sequences to ignore while setting access control policies: test_database2.schema2.sequence2
    • FileFormats to ignore while setting access control policies: test_database2.schema2.fileFormat2
    • Pipes to ignore while setting access control policies: test_database2.schema2.pipe2
    • ExternalStages to ignore while setting access control policies: test_database2.schema2.externalStage2
    • InternalStages to ignore while setting access control policies: test_database2.schema2.internalStage2
  7. Click SAVE to apply the changes.

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml
    
  3. Set the following properties to enable the connector to manage the permissions for schemas, tables/views, and other resources in Snowflake:

    YAML
    CONNECTOR_SNOWFLAKE_MANAGE_WAREHOUSE_LIST: "test_warehouse1"
    CONNECTOR_SNOWFLAKE_MANAGE_DATABASE_LIST: "test_database1"
    CONNECTOR_SNOWFLAKE_MANAGE_SCHEMA_LIST: "test_database1.schema1"
    CONNECTOR_SNOWFLAKE_MANAGE_TABLE_LIST: "test_database1.schema1.table1"
    CONNECTOR_SNOWFLAKE_MANAGE_VIEW_LIST: "test_database1.schema1.view1"
    CONNECTOR_SNOWFLAKE_MANAGE_STREAM_LIST: "test_database1.schema1.stream1"
    CONNECTOR_SNOWFLAKE_MANAGE_FUNCTION_LIST: "testdb1.schema1.function1"
    CONNECTOR_SNOWFLAKE_MANAGE_PROCEDURE_LIST: "testdb1.schema1.procedure1"
    CONNECTOR_SNOWFLAKE_MANAGE_SEQUENCE_LIST: "testdb1.schema1.sequence1"
    CONNECTOR_SNOWFLAKE_MANAGE_FILE_FORMAT_LIST: "testdb1.schema1.fileFormat1"
    CONNECTOR_SNOWFLAKE_MANAGE_PIPE_LIST: "testdb1.schema1.pipe1"
    CONNECTOR_SNOWFLAKE_MANAGE_EXTERNAL_STAGE_LIST: "testdb1.schema1.externalStage1"
    CONNECTOR_SNOWFLAKE_MANAGE_INTERNAL_STAGE_LIST: "testdb1.schema1.internalStage1"
    

  4. For excluding resources, set the following properties:

    YAML
    CONNECTOR_SNOWFLAKE_IGNORE_WAREHOUSE_LIST: "test_warehouse2"
    CONNECTOR_SNOWFLAKE_IGNORE_DATABASE_LIST: "test_database2"
    CONNECTOR_SNOWFLAKE_IGNORE_SCHEMA_LIST: "test_database2.schema2"
    CONNECTOR_SNOWFLAKE_IGNORE_TABLE_LIST: "test_database2.schema2.table2"
    CONNECTOR_SNOWFLAKE_IGNORE_VIEW_LIST: "test_database2.schema2.view2"
    CONNECTOR_SNOWFLAKE_IGNORE_STREAM_LIST: "test_database2.schema2.stream2"
    CONNECTOR_SNOWFLAKE_IGNORE_FUNCTION_LIST: "test_database2.schema2.function2"
    CONNECTOR_SNOWFLAKE_IGNORE_PROCEDURE_LIST: "test_database2.schema2.procedure2"
    CONNECTOR_SNOWFLAKE_IGNORE_SEQUENCE_LIST: "test_database2.schema2.sequence2"
    CONNECTOR_SNOWFLAKE_IGNORE_FILE_FORMAT_LIST: "test_database2.schema2.fileFormat2"
    CONNECTOR_SNOWFLAKE_IGNORE_PIPE_LIST: "test_database2.schema2.pipe2"
    CONNECTOR_SNOWFLAKE_IGNORE_EXTERNAL_STAGE_LIST: "test_database2.schema2.externalStage2"
    CONNECTOR_SNOWFLAKE_IGNORE_INTERNAL_STAGE_LIST: "test_database2.schema2.internalStage2"
    

  5. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
  1. In PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Snowflake.

  3. Click on the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management.

  5. For including resources, enter the following values in the respective fields:

    • Warehouses to set access control policies: test_warehouse1
    • Databases to set access control policies: test_database1
    • Schemas to set access control policies: test_database1.schema1
    • Tables to set access control policies: test_database1.schema1.table1
    • Streams to set access control policies: test_database1.schema1.stream1
    • Functions to set access control policies: testdb1.schema1.function1
    • Procedures to set access control policies: testdb1.schema1.procedure1
    • Sequences to set access control policies: testdb1.schema1.sequence1
    • FileFormats to set access control policies: testdb1.schema1.fileFormat1
    • Pipes to set access control policies: testdb1.schema1.pipe1
    • ExternalStages to set access control policies: testdb1.schema1.externalStage1
    • InternalStages to set access control policies: testdb1.schema1.internalStage1
  6. For excluding resources, enter the following values in the respective fields:

    • Warehouses to ignore while setting access control policies: test_warehouse2
    • Databases to ignore while setting access control policies: test_database2
    • Schemas to ignore while setting access control policies: test_database2.schema2
    • Tables to ignore while setting access control policies: test_database2.schema2.table2
    • Streams to ignore while setting access control policies: test_database2.schema2.stream2
    • Functions to ignore while setting access control policies: test_database2.schema2.function2
    • Procedures to ignore while setting access control policies: test_database2.schema2.procedure2
    • Sequences to ignore while setting access control policies: test_database2.schema2.sequence2
    • FileFormats to ignore while setting access control policies: test_database2.schema2.fileFormat2
    • Pipes to ignore while setting access control policies: test_database2.schema2.pipe2
    • ExternalStages to ignore while setting access control policies: test_database2.schema2.externalStage2
    • InternalStages to ignore while setting access control policies: test_database2.schema2.internalStage2
  7. Click SAVE to apply the changes.
