
Privacera Documentation

Configure Snowflake resource policies

Snowflake supports access, masking, and row level filter policies.

  • Warehouse: Specify the warehouse name of Snowflake.

    When you select warehouse, the following warehouse permissions will be displayed in the Allow Conditions > Permissions section.

    • Operate

    • UseWarehouse

    • Monitor

    • Modify

  • Database: Specify the database name.

    When you select database, the following database permissions will be displayed in the Allow Conditions > Permissions section.

    • CreateSchema

    • UseDB

  • Schema: Specify the schema name.

    When you select schema along with database, the following schema permissions will be displayed in the Allow Conditions > Permissions section.

    • CreateTmpTable

    • CreateTable

    • UseSchema

    • CreateStream

    • CreateFunction

    • CreateProcedure

    • CreateSequence

    • CreatePipe

    • CreateFileFormat

    • CreateStage

    • CreateExternalTable

  • Table: Specify the table name.

    When you select table along with database and schema, the following table permissions will be displayed in the Allow Conditions > Permissions section.

    • Select

    • Insert

    • Update

    • Delete

    • Truncate

    • References

  • Stream: Specify the stream that you have created over standard tables.

    When you select stream along with database and schema, the following stream permission will be displayed in the Allow Conditions > Permissions section.

    • Select

  • Function: Specify the function.

    When you select function along with database and schema, the following function permission will be displayed in the Allow Conditions > Permissions section.

    • Usage

  • Procedure: Specify Snowflake stored procedure.

    When you select procedure along with database and schema, the following procedure permission will be displayed in the Allow Conditions > Permissions section.

    • Usage

  • File_Format: Specify the file format object used by SQL statements.

    When you select file_format along with database and schema, the following file_format permission will be displayed in the Allow Conditions > Permissions section.

    • Usage

  • Pipe: Specify pipe objects that are created and managed to load data using Snowpipe.

    When you select pipe along with database and schema, the following pipe permissions will be displayed in the Allow Conditions > Permissions section.

    • Operate

    • Monitor

  • External_stage: Specify external storage, which is the object storage of the cloud platform.

    When you select external_stage along with database and schema, the following external_stage permission will be displayed in the Allow Conditions > Permissions section.

    • Usage

  • Internal_stage: Specify internal storage, which is the database storage.

    When you select internal_stage along with database and schema, the following internal_stage permissions will be displayed in the Allow Conditions > Permissions section.

    • Read

    • Write

  • Sequence: Specify Snowflake sequence objects.

    When you select sequence along with database and schema, the following sequence permission will be displayed in the Allow Conditions > Permissions section.

    • Usage

  • Column: Specify the column name.

    When you select column along with database, schema and table, the following column permissions will be displayed in the Allow Conditions > Permissions section.

    • Select

    • Insert

    • Update

    • Delete

    • Truncate

    • References

  • Global: Specify the Snowflake account name. To find it, connect to your Snowflake environment and run this query: select current_account() as account

    When you select global, the following global permissions will be displayed in the Allow Conditions > Permissions section.

    • CreateWarehouse

    • CreateDatabase

  • Delegate Admin: Select the Delegate Admin checkbox to assign administrator rights to the roles, groups, or users specified in the policy. The administrator can edit or delete the policy, and can also create child policies based on the original policy.

Note

When you create a policy for a table with UPDATE and DELETE permissions granted to a user/group/role, you must choose the SELECT permission along with it.

Configure Snowflake masking policies

  • Database: Specify the database name.

  • Schema: Specify the schema name.

  • Table/View: Specify the table or view name.

  • Column: Specify the column name.

  • Masking Conditions:

    • Permissions: Tick the 'Select' permission. At present, only the 'Select' permission is available.

    • Select Masking Option: If a masking option is applied to a data type it does not support, the default masking value is applied instead. You can select only one masking option from the following list:

      • Default: This option masks the column with the default value specified by its data type's property.

        The following are the default data type property values:

        • SNOWFLAKE_MASKED_NUMBER_VALUE=0

        • SNOWFLAKE_MASKED_DOUBLE_VALUE=0

        • SNOWFLAKE_MASKED_TEXT_VALUE='{{MASKED}}'

      • Hash: Returns a hex-encoded string containing the N-bit SHA-2 digest of the value in the column, where N is the specified output digest size.

        Internal Function: SHA2({col})

        Supported Data Type: Text

        For more information see SHA2, SHA2_HEX.

      • Nullify: This option replaces the whole cell value with NULL.

        Supported Data Type: All Data Types

      • Unmasked (retain original value): This option is used when no masking is required.

        Supported Data Type: All Data Types

      • Regular expression:

        Internal Function: regexp_replace({col},'{value_or_expr}','{replace_value}')

        Supported Data Type: Text

        For more information see REGEXP_REPLACE.

      • Literal mask: This option replaces the entire cell value with the given character.

        Supported Data Type: Text

      • Partial mask: show last 4 - This option shows only the last four characters.

        Internal Function: regexp_replace({col},'(..)(.{4})(.)','***\2')

        Supported Data Type: Text

        For more information see REGEXP_REPLACE.

      • Partial mask: show first 4 - This option shows only the first four characters.

        Internal Function: regexp_replace({col},'.','*','5')

        Supported Data Type: Text

        For more information see REGEXP_REPLACE.

      • Protect:

        Supported Data Type: Text

        For more information see /protect with encryption scheme.

      • Unprotect:

        Supported Data Type: Text

        For more information see /unprotect without presentation scheme.

      • Custom: With this option you supply your own masked value or masking expression.
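An offline preview of the masking options listed above, as an added example that is not Privacera's or Snowflake's code: the `mask` and `default_mask` helpers and the option names are assumptions, and each branch reproduces the behaviour the page describes (show last 4 is emulated from the stated behaviour rather than from the listed regex) so a policy author can check the result on a sample value before applying the policy.

```python
import hashlib
import re
from typing import Any

# Default values for the Default option, as listed in the data type properties above.
MASKED_NUMBER_VALUE = 0           # SNOWFLAKE_MASKED_NUMBER_VALUE
MASKED_DOUBLE_VALUE = 0.0         # SNOWFLAKE_MASKED_DOUBLE_VALUE (page lists it as 0)
MASKED_TEXT_VALUE = "{{MASKED}}"  # SNOWFLAKE_MASKED_TEXT_VALUE
# Options the page lists with "Supported Data Type: Text".
TEXT_ONLY_OPTIONS = {"hash", "regex", "literal", "show_last_4", "show_first_4"}

def default_mask(value: Any) -> Any:
    """Default option: replace the value with the constant for its data type."""
    if isinstance(value, int) and not isinstance(value, bool):
        return MASKED_NUMBER_VALUE
    if isinstance(value, float):
        return MASKED_DOUBLE_VALUE
    return MASKED_TEXT_VALUE

def mask(value: Any, option: str, **params: str) -> Any:
    """Preview one masking option on a single cell value (hypothetical helper).
    A text-only option applied to a non-text value falls back to the default mask,
    which is what the page says happens for unsupported data types. Protect,
    Unprotect and Custom need Privacera's encryption service or a user-supplied
    expression and are not emulated."""
    if option == "unmasked":
        return value
    if option == "nullify":
        return None
    if option == "default":
        return default_mask(value)
    if option in TEXT_ONLY_OPTIONS and not isinstance(value, str):
        return default_mask(value)
    if option == "hash":
        # SHA2({col}): Snowflake's SHA2 defaults to a 256-bit digest, hex encoded.
        return hashlib.sha256(value.encode("utf-8")).hexdigest()
    if option == "regex":
        # regexp_replace({col}, '{value_or_expr}', '{replace_value}') on every match.
        return re.sub(params["pattern"], params["replacement"], value)
    if option == "literal":
        return params["char"]  # the whole cell becomes the given character
    if option == "show_last_4":
        # Behaviour the page describes: only the last four characters stay visible.
        return "*" * max(len(value) - 4, 0) + value[-4:]
    if option == "show_first_4":
        # regexp_replace({col}, '.', '*', 5): matching starts at position 5 (1-based),
        # so the first four characters are kept and every later one becomes '*'.
        return value[:4] + re.sub(".", "*", value[4:])
    raise ValueError(f"unknown masking option: {option}")
```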

Configure Snowflake row level filter policies

  • Database: Specify the database name.

  • Schema: Specify the schema name.

  • Table: Specify the table name.

  • Row Level Conditions:

    • Permissions: Click Add Permissions and tick 'Select'. At present, only the 'Select' permission is available.

    • Row Level Filter: Click Add Row Filter and enter a valid SQL predicate; it is applied to queries from the selected roles, groups, or users. Note: Row level filtering works by adding the predicate to the query, so if the resulting query is not valid, it will fail.