Unified Policy Enforcement
This document provides guidelines for creating policies in the Snowflake policy repository to ensure proper unified policy enforcement. The key principle is that more restrictive policy items must be placed at the top of the policy.
Overview
Unified Policy Enforcement in the Snowflake Connector requires careful ordering of policy items within a policy. The policy evaluation engine processes policy items from top to bottom, and the first matching condition determines the access level or masking behavior; later items are not consulted once a match is found.
Critical Rule
More restrictive policy items must always be placed at the top of the policy. This ensures that stricter access controls take precedence over more permissive ones.
Policy Item Ordering Principles
1. Restrictiveness Hierarchy
Policy items should be ordered from most restrictive to least restrictive:
- Most Restrictive: DENY or NULL masking
- Moderately Restrictive: specific masking functions (e.g., redact, hash)
- Least Restrictive: ALLOW or no masking
Masking Policy Examples
✅ Correct Approach
YAML policy example (not included in this copy of the page)
Why this is correct: The intern role (more restrictive, with null masking) is placed before the director role (less restrictive, with redact4 masking).
❌ Wrong Approach
YAML policy example (not included in this copy of the page)
Why this is wrong: The director role is processed first, so a user who holds both the intern and director roles would get redact4 masking instead of the intended null masking.
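The following is an added example, not code from the Privacera or Snowflake Connector documentation, that makes the first-match evaluation model concrete and adds a small ordering check for the restrictiveness hierarchy above. The policy item structure, the role sets, the user's role membership and the rank table are assumptions made for this illustration; only the top-to-bottom, first-match semantics and the intern/director outcomes follow the page.

```python
"""First-match policy evaluation plus an ordering check.

Added illustration, not connector code. Policy items are modelled as
(roles, outcome) pairs; the evaluator walks them top to bottom and
returns the outcome of the first item that matches one of the user's
roles, exactly as the page describes.
"""
from dataclasses import dataclass

# Restrictiveness ranks taken from the page's hierarchy: lower number is
# more restrictive. Constructed mapping; "redact4" and "hash" stand in for
# the "specific masking function" tier.
RANK = {
    "DENY": 0,
    "null": 0,
    "redact4": 1,
    "redact": 1,
    "hash": 1,
    "ALLOW": 2,
    "none": 2,
}


@dataclass(frozen=True)
class PolicyItem:
    roles: frozenset  # roles this item applies to (assumed shape)
    masking: str      # access/masking outcome, a key of RANK


def evaluate(policy, user_roles):
    """Return the outcome of the first item whose roles intersect user_roles.

    Falls back to "none" (no masking) when no item matches.
    """
    user_roles = set(user_roles)
    for item in policy:
        if item.roles & user_roles:
            return item.masking
    return "none"


def ordering_violations(policy):
    """Report pairs (i, j) where item j is more restrictive than an earlier item i.

    An empty list means the policy is ordered by decreasing restrictiveness,
    which is the page's critical rule.
    """
    problems = []
    for i, earlier in enumerate(policy):
        for j in range(i + 1, len(policy)):
            if RANK[policy[j].masking] < RANK[earlier.masking]:
                problems.append((i, j))
    return problems


# Constructed policies mirroring the page's correct and wrong examples.
CORRECT = [
    PolicyItem(frozenset({"intern"}), "null"),
    PolicyItem(frozenset({"director"}), "redact4"),
]
WRONG = [
    PolicyItem(frozenset({"director"}), "redact4"),
    PolicyItem(frozenset({"intern"}), "null"),
]

if __name__ == "__main__":
    both = {"intern", "director"}
    print("correct order:", evaluate(CORRECT, both))       # null
    print("wrong order:  ", evaluate(WRONG, both))         # redact4
    print("violations in WRONG:", ordering_violations(WRONG))  # [(0, 1)]
```

Running `ordering_violations` over a policy before deploying it catches the inversion shown in the wrong approach: the pair `(0, 1)` says the null-masking item at position 1 sits below the less restrictive redact4 item at position 0.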
Best Practice
- Most restrictive policy items are at the top
- Policy items are ordered by decreasing restrictiveness