Skip to content

Configuring Purpose Based Access Control behaviour for Snowflake Connector

Overview

Purpose-Based Access Control (PBAC) enables data access decisions based on a user's selected purpose (intent) at query time. PBAC works alongside role-based access so that the same user can select different purposes (e.g., MARKETING, FRAUD) and access different sets of data for each purpose. Follow the below steps to configure purpose based access control behaviour of privacera policies.

Refer to Purpose Based Access Control user guide for more information on PBAC.

Prerequisites

Before configuring Purpose Based Access Control for Snowflake connector, ensure that:

  1. OMNI is configured for Snowflake Connector.
  2. PBAC is configured for existing users in Snowflake.

OMNI Configuration

To configure OMNI for Snowflake Connector refer to the OMNI configuration guide for detailed steps.

PBAC Configuration for Existing Users

In order to enforce PBAC, the default secondary roles for existing users need to be updated to empty. When Create User with Empty DSR is enabled, a new user is created on Snowflake with default secondary roles as empty. For existing users, you need to manually update the default secondary roles to empty. There are two ways to update the default secondary roles for existing users:

  1. Single User Update
  2. Bulk User Update

Single User Update

You can update the default secondary roles for a single user using the ALTER USER command. Use the following SQL command:

SQL
1
ALTER USER <user_name> SET DEFAULT_SECONDARY_ROLES = ();
Refer to Snowflake ALTER USER documentation for detailed instructions.

Bulk User Update

You can also perform bulk user update by updating the default secondary roles for users in a Snowflake account using a stored procedure. Refer to Snowflake default secondary roles all overview and additional explanations for detailed instructions.

Configuration Properties

Note

If Masking or Row filter policies that include policy conditions were created before enabling the PBAC properties, they will continue to operate in a non-PBAC mode. There are two ways to enforce PBAC behavior on these existing policies:

  1. Disable the policy and then re-enable it after the PBAC properties are configured. This reactivation ensures that the policy conditions are re-evaluated and enforced according to the PBAC rules.
  2. Perform these steps to Cleanup the Connector PVC. Configure the below properties and restart the connector so that the mask and row filter UDFs are recreated enforcing PBAC.
Feature Property Description Default Value Possible Values
Create User with Empty DSR Create a user on Snowflake with default secondary roles as empty. false true, false
Enable Role Based Masking Condition Enable role based masking condition to enforce PBAC when Policy conditions are included in the policy. false true, false
Enable Role Based Row Filter Condition Enable role based row filter condition to enforce PBAC when Policy conditions are included in the policy. false true, false
Strict Row Filter Role Matching Evaluation Enabled Enforces PBAC by evaluating row filter policies only against the roles explicitly defined in a policy item, ignoring any additional roles assigned to the user. false true, false
Use Policy Groups for Row Filter Evaluation Enforces PBAC by evaluating row filter policies only against the groups explicitly defined in a policy item, ignoring any additional groups assigned to the user. false true, false

Setup

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml

  3. Set the following property to true:

    YAML
    1
2
3
4
5
    CONNECTOR_SNOWFLAKE_CREATE_USER_WITH_EMPTY_DSR: "true"
CONNECTOR_SNOWFLAKE_ENABLE_ROLE_BASED_MASKING_CONDITION: "true"
CONNECTOR_SNOWFLAKE_ENABLE_ROLE_BASED_ROW_FILTER_CONDITION: "true"
CONNECTOR_SNOWFLAKE_STRICT_ROW_FILTER_ROLE_MATCHING_EVALUATION_ENABLED: "true"
CONNECTOR_SNOWFLAKE_USE_POLICY_GROUPS_FOR_ROW_FILTER_EVALUATION: "true"

  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install