Primary Role based Policy Enforcement¶

This configuration allows you to enable primary role based policy enforcement, which disables the unified policy enforcement behavior. This is useful for backward compatibility when you want to maintain the traditional single-role evaluation model.

Overview¶

By default, Snowflake Connector uses Unified Policy Enforcement, where policies are evaluated against all roles granted to a user regardless of which role they're currently using. This ensures that the most restrictive policy always applies.

Primary role based policy enforcement reverts to the traditional behavior where only the currently selected role is considered for policy evaluation.

Prerequisites¶

Configuration Steps¶

Step 1: Create Session Policy¶

Execute the following SQL commands in your Snowflake environment:

1
2
3

-- Create session policy to block secondary roles
CREATE SESSION POLICY PRIVACERA_DB.PUBLIC.BLOCK_SECONDARY_ROLES
ALLOWED_SECONDARY_ROLES=();

Step 2: Apply Session Policy to Account¶

1
2

-- Apply the session policy to the entire Snowflake account
ALTER ACCOUNT SET SESSION POLICY PRIVACERA_DB.PUBLIC.BLOCK_SECONDARY_ROLES;

Behavior Comparison¶

With Unified Policy Enforcement (Default)¶

1
2
3
4
5
6
7

User: john (roles: director, intern)
Policy Order:
  1. intern → SSN: null (most restrictive)
  2. director → SSN: redact4 (less restrictive)

Result regardless of selected role:
- SSN column is always nullified (most restrictive policy applies)

With Primary Role Policy Enforcement (This Configuration)¶

1
2
3
4
5
6

User: john (roles: director, intern)
Policy Order: (same as above)

Results based on selected role:
- Selects "director" role → SSN: redact4
- Selects "intern" role → SSN: null

Impact on Security¶

Related Documentation¶

• Unified Policy Enforcement
• Snowflake Session Policies Documentation

Comments