Prerequisites
Before integrating Snowflake with Privacera, ensure that you have the necessary Snowflake warehouse, database, users and roles required by PolicySync Connector. Below are the prerequisites for setting up the Snowflake connector with Privacera.
| Prerequisites | Detail |
|---|---|
| JDBC URL | Get the JDBC URL for the Snowflake cluster. |
| JDBC username and password | Create a Snowflake user with the privileges listed below that is used exclusively by the Privacera connector to manage access permissions. Key-pair (certificate) authentication can be used instead of a password. |
| Snowflake Role for Connector | Create a Snowflake role for the connector with the necessary privileges to manage access policies in Snowflake. |
| Snowflake warehouse | Create a Snowflake warehouse for the connector with the necessary privileges to manage access policies in Snowflake. |
| Database, schema and table names | Specify the database and schema names to be managed. Initially, enable access management for a test schema with tables. Once you have tested all use cases, you can manage all objects in your Snowflake database cluster. |
| Users and groups to manage | The Privacera users and groups whose permissions in Snowflake will be managed by the connector. |
| Ops Server setup (Self-Managed deployment only) | Set up the Ops Server for Privacera. This step is required only for Self-Managed (Portal Configuration) deployments. |
Recommendations to Create Snowflake Roles and Warehouses
To perform the steps below, log in to Snowflake as a user holding the ACCOUNTADMIN role.
Snowflake Role for Connector
The role created in this step will be used when configuring the Snowflake connector with Privacera. The suggested name for the role is PRIVACERA_POLICYSYNC_ROLE, but you can use a different name if preferred.
Since the Privacera connector manages access policies in Snowflake and can create roles in Snowflake, the role should have the necessary privileges to manage permissions for all tables and views in the database. Additionally, if Privacera is managing users and groups in Snowflake, the role should have the necessary privileges to create, update and delete users and roles in Snowflake.
| Privilege | Description |
|---|---|
| CREATE ROLE | Allows the role to create roles. This is optional if Privacera is not creating and managing roles. |
| CREATE USER | Allows the role to create users. Required only if Privacera creates and manages users in Snowflake (see below). |
| MANAGE GRANTS | Allows the role to grant or revoke privileges across all Snowflake objects without requiring ownership. |
| APPLY MASKING POLICY | Allows the role to create native masking policies. |
| APPLY ROW ACCESS POLICY | Allows the role to create native row filter policies. |
When CREATE ROLE and CREATE USER are required
Whether the CREATE ROLE and CREATE USER privileges are needed depends on how you manage users and roles:
Both CREATE ROLE and CREATE USER are required when:
- You manage users, groups, and roles via Privacera. Privacera then needs to create both users and roles in Snowflake to synchronize your access management policies.
Only CREATE ROLE is required when:
- You do not manage users in Privacera, but you do manage user-to-role or user-to-group membership. Snowflake supports only role-based grants, so when a user is created in Privacera and added to a role or group, Privacera does not grant permissions directly to the Snowflake user. Instead, the Snowflake connector creates a user-mapped role prefixed with priv_user_ and assigns privileges to that role.
- You use user-based policies in Privacera. Snowflake supports only role-based grants, so the Snowflake connector creates roles prefixed with priv_user_ in Snowflake, treats them as user roles, and grants the user-based policies on those roles.
- You use role-based ABAC (Attribute-Based Access Control) policies. Privacera converts role-based ABAC policies to user-based policies; since Snowflake supports only role-based grants, the Snowflake connector creates roles prefixed with priv_user_ to represent users and grants the converted user-based policies on those roles.
Here are the steps to create the role and grant the necessary privileges to it:
- Drop the role if it already exists.
- Create a new role.
- Grant the CREATE ROLE privilege, allowing the role to create, update and delete roles.
- Grant the CREATE USER privilege, allowing the role to create users on the account.
- Grant the MANAGE GRANTS privilege, allowing the role to manage grants on Snowflake resources.
  Why the MANAGE GRANTS privilege is required: MANAGE GRANTS allows a role to grant or revoke privileges across all Snowflake objects without requiring ownership. PRIVACERA_POLICYSYNC_ROLE needs it to grant and revoke permissions on behalf of the Snowflake connector, which is how PolicySync synchronizes privileges (for example SELECT and UPDATE) between Privacera and Snowflake roles. Example: when Privacera applies a SELECT policy on a Snowflake table, the connector executes a GRANT SELECT on that table to the target Snowflake role. Without MANAGE GRANTS, this operation would fail because the role is not the owner of the object.
- Grant the APPLY MASKING POLICY privilege, allowing the role to create native masking policies.
- Grant the APPLY ROW ACCESS POLICY privilege, allowing the role to create native row filter policies.
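The full SQL for the steps above, as an added example (it is not the original page's code block). It assumes the suggested role name PRIVACERA_POLICYSYNC_ROLE; the table MY_DB.SALES.ORDERS and the role ANALYST_ROLE in the final statement are hypothetical names used only to illustrate the MANAGE GRANTS case. Run it in a session holding ACCOUNTADMIN.

```sql
-- Run as a user holding ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- Steps 1 and 2: recreate the connector role from scratch.
DROP ROLE IF EXISTS PRIVACERA_POLICYSYNC_ROLE;
CREATE ROLE PRIVACERA_POLICYSYNC_ROLE
  COMMENT = 'Service role used only by the Privacera PolicySync connector';

-- Step 3: create, alter and drop roles (skip if Privacera does not manage roles).
GRANT CREATE ROLE ON ACCOUNT TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Step 4: create users (skip if Privacera does not manage users in Snowflake).
GRANT CREATE USER ON ACCOUNT TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Step 5: grant/revoke privileges on objects the role does not own.
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Steps 6 and 7: attach native masking and row access policies.
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE PRIVACERA_POLICYSYNC_ROLE;
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Check: each account-level privilege above should appear in the output.
SHOW GRANTS TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Illustration of the MANAGE GRANTS case: this is the kind of statement the
-- connector issues from its own session when a SELECT policy is applied.
-- MY_DB.SALES.ORDERS and ANALYST_ROLE are hypothetical; the connector role
-- owns neither, so without MANAGE GRANTS Snowflake rejects the statement
-- with an access control error.
GRANT SELECT ON TABLE MY_DB.SALES.ORDERS TO ROLE ANALYST_ROLE;
```

Note that CREATE USER plus MANAGE GRANTS lets this role grant any privilege to any principal, so the credential behind it is as sensitive as an account administrator's: keep it in a secrets manager, do not reuse it for anything else, and leave out the CREATE USER grant when Privacera is not managing users.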
Snowflake Warehouse
Privacera's connector requires a warehouse to manage access policies in Snowflake and retrieve audit logs. The warehouse can be of the smallest size, as the connector does not perform any heavy operations. If you already have an always-on warehouse, you can use that instead.
The recommended name for the warehouse is PRIVACERA_POLICYSYNC_WH, but you can use a different name if you prefer.
To set it up:
- Create a warehouse with the smallest size.
- Allow the Privacera role to use the warehouse (the USAGE privilege).
- Allow the Privacera role to change the state of the warehouse (the OPERATE privilege).
Permission to Read Access Audits from Snowflake
Privacera's connector requires access to the access audits in Snowflake to retrieve the audit logs. The access audits are stored in the SNOWFLAKE database, so grant the role the privileges needed to read that database.
Database for Privacera Security Functions
For dynamic masking and row-level filtering, Privacera requires a database in which to store its UDFs. The suggested name for the database is PRIVACERA_DB, but you can use a different name if you prefer.
To set it up:
- Create the database.
- Allow the Privacera service role PRIVACERA_POLICYSYNC_ROLE to use the database and its PUBLIC schema.
- Allow the Privacera service role PRIVACERA_POLICYSYNC_ROLE to create UDFs in that schema.
Database User for Privacera Connector
The Privacera connector requires a user to connect to Snowflake and manage access policies. The suggested name for the user is PRIVACERA_POLICYSYNC_USER, but you can use a different name if preferred.
To set it up:
- Create the database user.
- Grant the role PRIVACERA_POLICYSYNC_ROLE to the user.
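The SQL for the warehouse, audit access, UDF database and connector user sections above, as one added example rather than the page's original code. It assumes the suggested names (PRIVACERA_POLICYSYNC_ROLE, PRIVACERA_POLICYSYNC_WH, PRIVACERA_DB, PRIVACERA_POLICYSYNC_USER); the password and public-key values are placeholders to replace.

```sql
-- Run as a user holding ACCOUNTADMIN, after the connector role exists.
USE ROLE ACCOUNTADMIN;

-- Snowflake Warehouse: smallest size, auto-suspends so it costs nothing while
-- the connector is idle and resumes on the connector's next query.
CREATE WAREHOUSE IF NOT EXISTS PRIVACERA_POLICYSYNC_WH
  WITH WAREHOUSE_SIZE = 'XSMALL'
       AUTO_SUSPEND = 60
       AUTO_RESUME = TRUE
       INITIALLY_SUSPENDED = TRUE;
-- USAGE lets the role run queries on the warehouse; OPERATE lets it change
-- the warehouse state (suspend/resume).
GRANT USAGE   ON WAREHOUSE PRIVACERA_POLICYSYNC_WH TO ROLE PRIVACERA_POLICYSYNC_ROLE;
GRANT OPERATE ON WAREHOUSE PRIVACERA_POLICYSYNC_WH TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Permission to Read Access Audits: the SNOWFLAKE database is a shared
-- database (its ACCOUNT_USAGE schema holds query and access history), so
-- read access to it is granted with IMPORTED PRIVILEGES.
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Database for Privacera Security Functions: where the masking and
-- row-filter UDFs are created.
CREATE DATABASE IF NOT EXISTS PRIVACERA_DB;
GRANT USAGE ON DATABASE PRIVACERA_DB TO ROLE PRIVACERA_POLICYSYNC_ROLE;
GRANT USAGE ON SCHEMA PRIVACERA_DB.PUBLIC TO ROLE PRIVACERA_POLICYSYNC_ROLE;
GRANT CREATE FUNCTION ON SCHEMA PRIVACERA_DB.PUBLIC TO ROLE PRIVACERA_POLICYSYNC_ROLE;

-- Database User for Privacera Connector: a dedicated service account whose
-- default role and warehouse are the ones created above.
CREATE USER IF NOT EXISTS PRIVACERA_POLICYSYNC_USER
  PASSWORD = '<strong-generated-password>'   -- placeholder, replace
  DEFAULT_ROLE = PRIVACERA_POLICYSYNC_ROLE
  DEFAULT_WAREHOUSE = PRIVACERA_POLICYSYNC_WH
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT = 'Service account used only by the Privacera PolicySync connector';
-- Key-pair alternative to the password: register the RSA public key body
-- (base64, without the PEM header/footer lines). Placeholder value shown.
-- ALTER USER PRIVACERA_POLICYSYNC_USER SET RSA_PUBLIC_KEY = '<public-key-base64>';
GRANT ROLE PRIVACERA_POLICYSYNC_ROLE TO USER PRIVACERA_POLICYSYNC_USER;

-- Checks: the role should show the warehouse, SNOWFLAKE database and
-- PRIVACERA_DB grants; the user should show the role grant.
SHOW GRANTS TO ROLE PRIVACERA_POLICYSYNC_ROLE;
SHOW GRANTS TO USER PRIVACERA_POLICYSYNC_USER;
```

If the account uses network policies, attaching one to PRIVACERA_POLICYSYNC_USER (ALTER USER ... SET NETWORK_POLICY) so that it can only log in from the Privacera hosts is a cheap way to limit the blast radius of this privileged credential.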