
Purpose-Based Access Control (PBAC)

Purpose-Based Access Control (PBAC) enables data access decisions based on a user's selected purpose (intent) at query time. PBAC works alongside role-based access so that the same user can select different purposes (e.g., MARKETING, FRAUD) and access different sets of data for each purpose.

What is PBAC

  • Purpose: An intent selected by the user prior to running a SQL query or job using their identity. The user's current purpose determines which data is accessible.
  • Example:
    • A user with a data_engineer purpose may see all rows in a table.
    • The same user with a data_science or MARKETING purpose may only see rows for customers who have consented to analytics.
    • A FRAUD purpose might allow viewing all rows for fraud investigation.

Use Case Example: PBAC for a Data Product (Marketing Analyst vs. Fraud Investigator)

Note: This example demonstrates PBAC using data products. For more information about data products, see Data Products Overview.

Requirement

The marketing team should analyze only customer records where the customer has explicitly agreed to receive marketing updates. This ensures that campaign analysis, segmentation, and reporting are done only on consented data.

Fraud detection requires complete visibility to identify patterns, anomalies, and potential abuse across all transactions and customers. The fraud team must be able to query the full dataset to support investigations and regulatory obligations.

  • Roles: MARKETING_ANALYST, FRAUD_INVESTIGATOR
  • Data Product: Sales Data Product. For steps to create a data product, see Creating a Data Product.
    • Asset: sales_data table
  • Columns: customer_id, email, product_id, consent_for_marketing_updates, customer_region

Tag-Based Policy Configuration

YAML
Access Policy:
  Tags: SALES_DATA_PRODUCT_PDP
  Access: Select
  Role:
    - FRAUD_INVESTIGATOR
    - MARKETING_ANALYST

Row Filter Policy:
  Tags: SALES_DATA_PRODUCT_PDP
  Row Filter Expression: consent_for_marketing_updates = 'true'
  Role:
    - MARKETING_ANALYST

Outcome

As MARKETING_ANALYST

  • In the Snowflake UI, set the Current Role to MARKETING_ANALYST.
  • Execute the following query:

    SQL
    SELECT customer_id, email, product_id, consent_for_marketing_updates, customer_region FROM sales_data;
    

  • Expected: Only rows where consent_for_marketing_updates = 'true'.

As FRAUD_INVESTIGATOR

  • In the Snowflake UI, set the Current Role to FRAUD_INVESTIGATOR.
  • Execute the following query:

    SQL
    SELECT customer_id, email, product_id, consent_for_marketing_updates, customer_region FROM sales_data;
    

  • Expected: All rows (no row filter applied for this role).
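
The two outcomes above, modelled offline as an added example (not code from the product described on this page): Python's sqlite3 stands in for Snowflake, and the sample rows and helper names are constructed. It goes slightly beyond the page by including rows whose consent value is 'TRUE' or NULL, which the filter expression also hides from MARKETING_ANALYST, and a role that is not listed in the access policy.

```python
import sqlite3

# Model of the page's two tag-based policies (an assumption, not the real engine).
ACCESS_POLICY = {"FRAUD_INVESTIGATOR", "MARKETING_ANALYST"}  # Access: Select
ROW_FILTERS = {"MARKETING_ANALYST": "consent_for_marketing_updates = 'true'"}

# Constructed sample rows, including consent values the filter must not match.
ROWS = [
    (1, "a@example.com", "P1", "true", "EU"),
    (2, "b@example.com", "P2", "false", "US"),
    (3, "c@example.com", "P3", "TRUE", "EU"),   # different casing
    (4, "d@example.com", "P4", None, "APAC"),   # consent never recorded
]

def build_db():
    """Create an in-memory sales_data table with the page's columns."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sales_data (customer_id INTEGER, email TEXT, product_id TEXT,"
        " consent_for_marketing_updates TEXT, customer_region TEXT)"
    )
    db.executemany("INSERT INTO sales_data VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def visible_customer_ids(db, role):
    """Return the customer_ids a role sees once both policies are applied."""
    if role not in ACCESS_POLICY:
        raise PermissionError(f"{role} has no Select access")  # default deny
    # The filter text comes from the policy definition above, never from user input.
    where = ROW_FILTERS.get(role, "1 = 1")
    sql = f"SELECT customer_id FROM sales_data WHERE {where} ORDER BY customer_id"
    return [row[0] for row in db.execute(sql)]

def unconsented_visible(db, role):
    """Regression check: visible rows whose consent is anything other than 'true'."""
    unconsented = {
        row[0] for row in db.execute(
            "SELECT customer_id FROM sales_data"
            " WHERE consent_for_marketing_updates IS NOT 'true'"  # NULL-safe
        )
    }
    return sorted(set(visible_customer_ids(db, role)) & unconsented)

if __name__ == "__main__":
    db = build_db()
    for role in ("MARKETING_ANALYST", "FRAUD_INVESTIGATOR"):
        print(role, visible_customer_ids(db, role), unconsented_visible(db, role))
```

For MARKETING_ANALYST the regression check should always return an empty list; a non-empty result means the row filter is missing or attached to the wrong tag or role.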