Users, Groups, and Roles Management¶

Privacera's Snowflake connector includes an option to restrict which users, groups, and roles are managed in Snowflake. This is achieved by explicitly specifying which entities should be managed or ignored by the connector.

This section provides details on how to configure the connector to manage them.

Managing Users, Groups, and Roles¶

These properties determine whether users, groups, and roles fetched from Ranger should be managed in Snowflake. When enabled, Privacera can create, update, and delete these entities within Snowflake.

Manage Users, Groups, and Roles:
Specifies whether the Privacera Snowflake connector should manage users, groups, and roles in Snowflake.
- When enabled (true), the connector automatically manages the creation, update, and deletion of principals.
- It also grants and revokes privileges based on policies retrieved from Ranger.
- This setting is enabled by default to support automated access and identity management.
Filter Specific Users, Groups, and Roles:
Use these properties to selectively manage specific identities—users, groups, and roles—in Snowflake.
- Provide a comma-separated list of exact names or wildcard prefixes (e.g., group_prefix*, role_prefix*) to target specific principals.
- To manage all principals, leave the property empty or set it to *.
These filter properties only apply if general management is enabled:
- Self Managed (Portal Configuration) deployments:
  - Enable the following in Access Management → ADVANCED tab of the Snowflake application:
    - Manage users from portal
    - Manage groups from portal
    - Manage roles from portal
- Self Managed (YAML Configuration) deployments:
  - CONNECTOR_SNOWFLAKE_MANAGE_USERS
  - CONNECTOR_SNOWFLAKE_MANAGE_GROUPS
  - CONNECTOR_SNOWFLAKE_MANAGE_ROLES
- PrivaceraCloud deployments:
  - Enable the following in Access Management → ADVANCED tab of the Snowflake application:
    - Manage users from portal
    - Manage groups from portal
    - Manage roles from portal
Ignore Specific Identities:
- Use this property to exclude specific users, groups, or roles from being managed by the Privacera Snowflake connector.
- Ignored identities take precedence over any included or managed identities.
User Filtering Based on Groups or Roles:
- This option allows you to restrict which users are managed by the connector based on their group or role membership.
- Only users who belong to the configured groups or roles are considered for user management.
Do not enable both group-based and role-based user filters

Enabling both user filters at the same time can prevent Snowflake user provisioning from working correctly.

Possible issues include:
- Users are not created in Snowflake.
- User updates or synchronization changes are not applied correctly.
If you want to manage users based only on managed roles, disable the group-based filter and enable the role-based filter.

For example:
- Self Managed (Portal Configuration) and PrivaceraCloud:
  - Set access control policies only on the users from managed groups: Off (false)
  - Set access control policies only on the users/groups from managed roles: On (true)
- Self Managed (YAML Configuration) and Data Plane (vars.connector.snowflake.yml):
  YAML
  1 2
  CONNECTOR_SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP: "false" CONNECTOR_SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE: "true"
- Ranger PolicySync / connector custom properties (replace 0 with your connector index if it is not the first connector):
  Bash
  1 2
  ranger.policysync.connector.0.manage.user.filterby.group=false ranger.policysync.connector.0.manage.user.filterby.role=true

Self Managed (Portal Configuration)Self Managed (YAML Configuration) and Data PlanePrivaceraCloud

Navigate to Settings → Applications in the Self-Managed Portal.
From the list of Connected Applications, select Snowflake.
Click on the application name or the icon to edit. Then, go to the Access Management tab and select the ADVANCED tab.
Set the following properties:
- Manage users from portal
- Manage groups from portal
- Manage roles from portal
If you want to manage only specific users, groups, and roles, specify them in the corresponding properties below.
- Users to manage access control policies: user1, user2
- Groups to manage access control policies: group1, group2, group_prefix*
- Roles to manage access control policies: role1, role2, role_prefix*
To exclude specific users, groups, and roles from the Snowflake, set the following properties.
- Users to be ignored by access control policies: user_a, user_b
- Groups be ignored by access control policies: group_a, group_b, group_prefix*
- Roles be ignored by access control policies: role_a, role_b, role_prefix*
To further filter users based on the groups and roles they belong to, use the following properties:
- Set access control policies only on the users from managed groups: Enable if you want to manage only users who belongs to the groups defined in Groups to manage access control policies.
- Set access control policies only on the users/groups from managed roles: Enable if you want to manage only users who belongs to the roles defined in Roles to manage access control policies.
- Do not enable both options at the same time if you rely on Snowflake user creation. For more information, see the warning under User Filtering Based on Groups or Roles above.
If you need to restrict managed users by roles only, disable the group-based filter and enable the role-based filter.
Click SAVE to apply the changes.

SSH to the instance where Privacera Manager is installed.
Run the following command to open the .yml file to be edited.

If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
Bash
1
vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml

Set the following properties:

YAML
CONNECTOR_SNOWFLAKE_MANAGE_USERS: "true"
CONNECTOR_SNOWFLAKE_MANAGE_GROUPS: "true"
CONNECTOR_SNOWFLAKE_MANAGE_ROLES: "true"

If you want to manage only specific users, groups, and roles, specify them in the corresponding properties below.

YAML
CONNECTOR_SNOWFLAKE_MANAGE_USER_LIST: "user1, user2"
CONNECTOR_SNOWFLAKE_MANAGE_GROUP_LIST: "group1, group2, group_prefix*"
CONNECTOR_SNOWFLAKE_MANAGE_ROLE_LIST: "role1, role2, role_prefix*"

To exclude specific users, groups, and roles from the Snowflake, set the following properties.

YAML
CONNECTOR_SNOWFLAKE_IGNORE_USER_LIST: "user_a, user_b"
CONNECTOR_SNOWFLAKE_IGNORE_GROUP_LIST: "group_a, group_b, group_prefix*"
CONNECTOR_SNOWFLAKE_IGNORE_ROLE_LIST: "role_a, role_b, role_prefix*"

To further filter users based on the groups and roles they belong to, use the following properties:

YAML
# Enable to manage only users belonging to the specified groups in the managed groups list.
CONNECTOR_SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP: "false"

# Enable to manage only users belonging to the specified roles in the managed roles list.
CONNECTOR_SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE: "false"

If both properties are set to "true", Snowflake user creation may not work correctly.

If you want to restrict managed users by roles only, set:

CONNECTOR_SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP to "false"
CONNECTOR_SNOWFLAKE_MANAGE_USER_FILTERBY_ROLE to "true"

For more information, see the warning under User Filtering Based on Groups or Roles.

Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1 2
cd ~/privacera/privacera-manager ./pm_with_helm.sh upgrade
Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh post-install

In PrivaceraCloud portal, navigate to Settings -> Applications.
On the Connected Applications screen, select Snowflake.
Click on the icon or the Account Name to modify the settings.
On the Edit Application screen, go to Access Management -> ADVANCED tab.
Enable the following options:
- Manage users from portal
- Manage groups from portal
- Manage roles from portal
For including specific users, groups, and roles, enter the values in:
- Users to set access control policies: user1, user2
- Groups to set access control policies: group1, group2, group_prefix*
- Roles to set access control policies: role1, role2, role_prefix*
For excluding specific users, groups, and roles:
- Users to ignore while setting access control policies: user_a, user_b
- Groups to ignore while setting access control policies: group_a, group_b, group_prefix*
- Roles to ignore while setting access control policies: role_a, role_b, role_prefix*
Additional filtering options:
- Set access control policies only on the users from managed groups: Enable if you want to manage only users who belong to the groups defined in Groups to set access control policies.
- Set access control policies only on the users/groups from managed roles: Enable if you want to manage only users who belong to the roles defined in Roles to set access control policies.
- Do not enable both options at the same time if Snowflake user creation must succeed. For more information, see the warning under User Filtering Based on Groups or Roles above.
Click SAVE to apply the changes.

Name Replacement for Users, Groups, and Roles¶

Replace Name from Regex¶

This property allows you to find and replace specific characters in user, group, or role names using a regular expression (regex). If left blank, no replacement is performed.
Default value:
Text Only
1
[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]
This regex matches special characters such as spaces, punctuation, and symbols, ensuring that user, group, and role names comply with Snowflake naming conventions.

Self Managed (Portal Configuration)Self Managed (YAML Configuration) and Data PlanePrivaceraCloud

Navigate to Settings → Applications in the Self-Managed Portal.
From the list of Connected Applications, select Snowflake.
Click on the application name or the icon to edit. Then, go to the Access Management tab and select the ADVANCED tab.
Set the following properties:
- Regex to find special characters in user names: Enter a regex pattern to identify special characters in user names. These characters will be replaced based on the value specified in the String to replace with the special characters found in user names field.
- Regex to find special characters in group names: Enter a regex pattern to identify special characters in group names. These characters will be replaced based on the value specified in the String to replace with the special characters found in group names field.
- Regex to find special characters in role names: Enter a regex pattern to identify special characters in role names. These characters will be replaced based on the value specified in the String to replace with the special characters found in role names field.
Click SAVE to apply the changes.

SSH to the instance where Privacera Manager is installed.
Run the following command to open the .yml file to be edited.

If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
Bash
1
vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml

Set the following properties:

YAML
CONNECTOR_SNOWFLAKE_USER_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
CONNECTOR_SNOWFLAKE_GROUP_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"
CONNECTOR_SNOWFLAKE_ROLE_NAME_REPLACE_FROM_REGEX: "[~`$&+:;=?@#|'<>.\\s^*()_%\\[\\]!\\-\\/\\\\{}]"

Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1 2
cd ~/privacera/privacera-manager ./pm_with_helm.sh upgrade
Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh post-install

In PrivaceraCloud portal, navigate to Settings -> Applications.
On the Connected Applications screen, select Snowflake.
Click on the icon or the Account Name to modify the settings.
On the Edit Application screen, go to Access Management -> ADVANCED tab.
Enter the values in the following fields:
- Regex to find special characters in user names: Enter a regex pattern to identify special characters in user names. These characters will be replaced based on the value specified in the String to replace with the special characters found in user names field.
- Regex to find special characters in group names: Enter a regex pattern to identify special characters in group names. These characters will be replaced based on the value specified in the String to replace with the special characters found in group names field.
- Regex to find special characters in role names: Enter a regex pattern to identify special characters in role names. These characters will be replaced based on the value specified in the String to replace with the special characters found in role names field.
Click SAVE to apply the changes.

Replace to String¶

This property specifies the replacement characters for the regex matches. If left blank, no find and replace operation is performed. Default value is _.

Self Managed (Portal Configuration)Self Managed (YAML Configuration) and Data PlanePrivaceraCloud

Navigate to Settings → Applications in the Self-Managed Portal.
From the list of Connected Applications, select Snowflake.
Click on the application name or the icon to edit. Then, go to the Access Management tab and select the ADVANCED tab.
Set the following properties:
- String to replace with the special characters found in user names: String used to replace the characters found by the regex specified in Regex to find special characters in user names.
- String to replace with the special characters found in group names: String used to replace the characters found by the regex specified in Regex to find special characters in group names.
- String to replace with the special characters found in role names: String used to replace the characters found by the regex specified in Regex to find special characters in role names.
Click SAVE to apply the changes.

SSH to the instance where Privacera Manager is installed.
Run the following command to open the .yml file to be edited.

If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
Bash
1
vi ~/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml

Set the following properties:

YAML
CONNECTOR_SNOWFLAKE_USER_NAME_REPLACE_TO_STRING: "_"
CONNECTOR_SNOWFLAKE_GROUP_NAME_REPLACE_TO_STRING: "_"
CONNECTOR_SNOWFLAKE_ROLE_NAME_REPLACE_TO_STRING: "_"

Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1 2
cd ~/privacera/privacera-manager ./pm_with_helm.sh upgrade
Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh post-install

In PrivaceraCloud portal, navigate to Settings -> Applications.
On the Connected Applications screen, select Snowflake.
Click on the icon or the Account Name to modify the settings.
On the Edit Application screen, go to Access Management -> ADVANCED tab.
Enter the values in the following fields:
- String to replace with the special characters found in user names: String used to replace the characters found by the regex specified in Regex to find special characters in user names.
- String to replace with the special characters found in group names: String used to replace the characters found by the regex specified in Regex to find special characters in group names.
- String to replace with the special characters found in role names: String used to replace the characters found by the regex specified in Regex to find special characters in role names.
Click SAVE to apply the changes.

Prev topic: Advanced Configuration