Following is a set of prerequisites and instructions to support SaaS Authorization Management for Snowflake:
Prerequisites
Default PlainID User Role
The user assigned to PlainID for connecting to Snowflake (referred to as the POP user) must have sufficient privileges to manage all Orchestration-related operations. We recommend creating a dedicated PLAINID role and assigning it as the default role for the POP user. This role will also act as the owner of all Snowflake policies created from PlainID when operating in Manage Mode.
Ensure that the PLAINID role is the default role for the User.
Required Privileges for LEARN Mode
To use LEARN mode, users must be granted the following privileges in Snowflake:
| Privilege | Purpose |
|---|---|
APPLY MASKING POLICY |
Grants the ability to view Masking Policies |
APPLY ROW ACCESS POLICY |
Grants the ability to view Row Access Policies |
| Integration | Grants visibility of the current IDP USAGE: When IDP is using SCIMOWNERSHIP: When IDP is using SAML2 or Oauth |
Database: USAGE |
Grants visibility of database objects like schemas or tags. * Required if granting the Schema: USAGE privilege |
Schema: USAGE |
Grants visibility of schema objects like tables or tags. * Required if granting the Table: SELECT privilege Privilege Options: - Option 1: Grant a privilege on individual schemas - Option 2: Grant privileges on all existing schemas in the database (recommended) Note: Usage can also be automated to grant privileges on every future schema created in the database. |
Function: USAGE |
Optional If you want to manage a Policy using UDF, the USAGE privileges must be granted for that specific function. |
EVOLVE SCHEMA |
Grants visibility for tables and columns within the schema, including future tables. The schema must contain at least one table or View. Note: In cases when a table or View is used with a select expression in the Policy, the SELECT table/View privilege must be granted for that specific table/View. Example: Table/View contains additional identity information. |
Warehouse: USAGE |
Grants access to a warehouse to run queries. |
Additional Required Privileges for MANAGE Mode
To use MANAGE mode, users must also be granted the following privileges in addition to LEARN mode privileges in Snowflake:
| Privilege | Purpose |
|---|---|
CREATE MASKING POLICY |
Grants the ability to create Masking Policies. Privilege Options: - Option 1: Grant privileges to create Masking Policies on individual schemas. - Option 2: Grant privileges to create Masking Policies on all existing schemas in the database (recommended). |
CREATE ROW ACCESS POLICY |
Grants the ability to create Row Access Policies. Privilege Options: - Option 1: Grant privileges to create Row Access Policies on individual schemas. - Option 2: Grant privileges to create Row Access Policies on all existing schemas in the database (recommended). |
Note: Ensure that you create a new Masking or Row Access Policy for at least one schema.
To manage Policies in Snowflake, a user must have the Policy ownership role.
To enable PlainID to manage existing, discovered policies, we recommend that existing Policy ownership roles are connected to the PlainID default Role, so that it inherits ownership. You also have the option to change the ownership of existing policies to the PlainID default role.
Creating a Snowflake Policy Orchestration Point
After setting up a user with all the required privileges for Snowflake, you can now create a Snowflake Policy Orchestration Point (POP).
Ensure that you have an Orchestration Workspace before continuing. You can learn how to create a Snowflake POP in Managing POPs and how to switch between modes in Orchestration Workspace.
Snowflake Connection Settings
Snowflake credentials are used to connect to Snowflake resources through a Policy Orchestration Point (POP).
To connect Snowflake with PlainID, enter the following Connection Fields:
| Connection Field | Description |
|---|---|
| Discover Views | If you wish to Discover Views, enable Discover Views to include Views along with Tables in the discovery process. (Default is false) |
| Authentication Method | Use Basic Authentication or Key Pair (recommended) for Snowflake integration. |
| Compute Warehouse | The name of the Snowflake warehouse used for policy evaluation. |
| Username | The Snowflake account username with access to the warehouse and associated objects. |
| Password | If using Basic Authentication: The password for the above Snowflake user. If using Key Pair: Refer to the Authentication Methods section for more information. |
| Port | The port used to connect to Snowflake (typically 443). |
| Server | The full Snowflake server address (e.g., xy12345.us-central-1.snowflakecomputing.com). |
You can test the connection to Snowflake directly from the PlainID Platform to ensure that the user has all the required privileges.
Authentication Methods
Using Key Pair Authentication
Key pair authentication is a method used to verify identity in a secure manner by using public-key cryptography. Refer to the Snowflake documentation on Using key-pair authentication for information.
If using key-pair authentication, the password field is swapped for a Private Key section with a button to Import Secret Key. Ensure that the key is uploaded before testing the connection.
Note: Passphrase is not supported.
PlainID currently supports Private Keys with the extensions .key, .pem, .txt, and .p8. Reach out to PlainID support if you require additional extensions.