Snowflake Setup
    • 24 Sep 2024

    The following prerequisites and instructions support SaaS Authorization Management for Snowflake.

    Prerequisites

    Default PlainID User Role

    The user assigned to PlainID for connecting to Snowflake (referred to as the POP user) must have sufficient privileges to manage all Orchestration-related operations. We recommend creating a dedicated PLAINID role and assigning it as the default role for the POP user. This role will also act as the owner of all Snowflake policies created from PlainID when operating in Manage Mode.

    PlainID Role

    Ensure that the PLAINID role is set as the default role for the POP user.

    Required Privileges for LEARN Mode

    To use LEARN mode, the POP user must be granted the following privileges in Snowflake:

    Privilege: APPLY MASKING POLICY
    Purpose:   Grants the ability to view Masking Policies.

    Privilege: APPLY ROW ACCESS POLICY
    Purpose:   Grants the ability to view Row Access Policies in certain accounts.

    Privilege: Integration: USAGE
    Purpose:   Grants visibility of the current IDP.

    Privilege: Database: USAGE
    Purpose:   Grants visibility of database objects like schemas or tags.
               Required if granting the Schema: USAGE privilege.

    Privilege: Schema: USAGE
    Purpose:   Grants visibility of schema objects like tables or tags.
               Required if granting the Table: SELECT privilege.
               Privilege Options:
               - Option 1: Grant the privilege on individual schemas
               - Option 2: Grant the privilege on all existing schemas in the database (recommended)
               Note: The grant can also be automated to cover every future schema created in the database.

    Privilege: Table: SELECT
    Purpose:   Grants visibility of table columns.
               Privilege Options:
               - Option 1: Grant the privilege on individual tables
               - Option 2: Grant the privilege on all existing tables in the database (recommended)
               Note: The grant can also be automated to cover every future table created in the database.

    Privilege: Warehouse: USAGE
    Purpose:   Grants access to a warehouse to run queries.
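    The following Snowflake SQL is an added example (not part of this article or of PlainID's own setup scripts) that creates the dedicated PLAINID role, makes it the POP user's default role, and grants every LEARN mode privilege listed above using Option 2 (all existing objects) plus the future-object grants the notes mention. The user name PLAINID_POP, the warehouse PLAINID_WH, the database SALES_DB, the integration name IDP_SAML_INTEGRATION and the password value are constructed placeholders; substitute your own.

```sql
-- Dedicated role for the PlainID POP user; it will own policies in MANAGE mode.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS PLAINID;

-- Service user for the POP. DEFAULT_ROLE must be PLAINID (see "PlainID Role").
-- PASSWORD value is a placeholder; set a real secret from your vault.
CREATE USER IF NOT EXISTS PLAINID_POP
  PASSWORD = 'REPLACE_WITH_SECRET'
  DEFAULT_ROLE = PLAINID
  DEFAULT_WAREHOUSE = PLAINID_WH
  MUST_CHANGE_PASSWORD = FALSE;
GRANT ROLE PLAINID TO USER PLAINID_POP;

-- Account-level privileges: view Masking and Row Access Policies.
USE ROLE ACCOUNTADMIN;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE PLAINID;
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE PLAINID;

-- Integration: USAGE gives visibility of the IDP (integration name is a placeholder).
GRANT USAGE ON INTEGRATION IDP_SAML_INTEGRATION TO ROLE PLAINID;

-- Warehouse: USAGE so the POP can run its discovery queries.
GRANT USAGE ON WAREHOUSE PLAINID_WH TO ROLE PLAINID;

-- Database: USAGE is a prerequisite for the schema grants below.
GRANT USAGE ON DATABASE SALES_DB TO ROLE PLAINID;

-- Schema: USAGE, Option 2 (all existing schemas) plus future schemas.
GRANT USAGE ON ALL SCHEMAS IN DATABASE SALES_DB TO ROLE PLAINID;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE SALES_DB TO ROLE PLAINID;

-- Table: SELECT, Option 2 (all existing tables) plus future tables.
GRANT SELECT ON ALL TABLES IN DATABASE SALES_DB TO ROLE PLAINID;
GRANT SELECT ON FUTURE TABLES IN DATABASE SALES_DB TO ROLE PLAINID;

-- Option 1 equivalents, if you prefer to scope the grant to single objects:
-- GRANT USAGE ON SCHEMA SALES_DB.CUSTOMERS TO ROLE PLAINID;
-- GRANT SELECT ON TABLE SALES_DB.CUSTOMERS.ACCOUNTS TO ROLE PLAINID;
```

    The FUTURE grants are what make the role keep up with new schemas and tables without a repeat of this script; without them a newly created table is invisible to the POP until someone grants it by hand. Keep the SELECT grant limited to the databases PlainID is meant to learn from rather than granting it account-wide.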

    Additional Required Privileges for MANAGE Mode

    To use MANAGE mode, the POP user must be granted the following privileges in Snowflake in addition to the LEARN mode privileges:

    Privilege: CREATE MASKING POLICY for each schema
    Purpose:   Grants the ability to create Masking Policies.
               Privilege Options:
               - Option 1: Grant the privilege to create Masking Policies on individual schemas.
               - Option 2: Grant the privilege to create Masking Policies on all existing schemas in the database (recommended).

    Privilege: CREATE ROW ACCESS POLICY for each schema
    Purpose:   Grants the ability to create Row Access Policies.
               Privilege Options:
               - Option 1: Grant the privilege to create Row Access Policies on individual schemas.
               - Option 2: Grant the privilege to create Row Access Policies on all existing schemas in the database (recommended).

    Note: Ensure that you create a new Masking or Row Access Policy for every new/future schema.

    Policy Ownership

    To manage a Policy in Snowflake, a user must hold the role that owns that Policy.
    To enable PlainID to manage existing, discovered policies, we recommend granting the existing Policy ownership roles to the PlainID default role, so that it inherits ownership through the role hierarchy. Alternatively, you can transfer ownership of the existing policies to the PlainID default role.
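    The following Snowflake SQL is an added example (not from this article or from PlainID) covering both the MANAGE mode privileges table and the Policy Ownership section above. It grants the CREATE MASKING POLICY and CREATE ROW ACCESS POLICY schema privileges using Option 2, and then shows the two ownership approaches: granting the current owner role to PLAINID so it inherits ownership, or transferring ownership of specific discovered policies. The database SALES_DB, the owner role DATA_GOV_ADMIN and the policy names MASK_EMAIL and REGION_FILTER are constructed placeholders.

```sql
-- Run as a role that can grant on SALES_DB (ACCOUNTADMIN or the database owner).
USE ROLE ACCOUNTADMIN;

-- MANAGE mode: CREATE MASKING POLICY, Option 2 (all existing schemas) plus future ones.
GRANT CREATE MASKING POLICY ON ALL SCHEMAS IN DATABASE SALES_DB TO ROLE PLAINID;
GRANT CREATE MASKING POLICY ON FUTURE SCHEMAS IN DATABASE SALES_DB TO ROLE PLAINID;

-- MANAGE mode: CREATE ROW ACCESS POLICY, Option 2 (all existing schemas) plus future ones.
GRANT CREATE ROW ACCESS POLICY ON ALL SCHEMAS IN DATABASE SALES_DB TO ROLE PLAINID;
GRANT CREATE ROW ACCESS POLICY ON FUTURE SCHEMAS IN DATABASE SALES_DB TO ROLE PLAINID;

-- Option 1 equivalent for a single schema:
-- GRANT CREATE MASKING POLICY ON SCHEMA SALES_DB.CUSTOMERS TO ROLE PLAINID;
-- GRANT CREATE ROW ACCESS POLICY ON SCHEMA SALES_DB.CUSTOMERS TO ROLE PLAINID;

-- Policy Ownership, approach 1 (recommended in the article): connect the existing
-- owner role to PLAINID. PLAINID then inherits everything DATA_GOV_ADMIN owns,
-- including the discovered policies, and existing owners keep working unchanged.
GRANT ROLE DATA_GOV_ADMIN TO ROLE PLAINID;

-- Policy Ownership, approach 2: transfer ownership of individual discovered
-- policies to PLAINID. COPY CURRENT GRANTS preserves grants already made on
-- the policy so that referencing tables and columns are not affected.
GRANT OWNERSHIP ON MASKING POLICY SALES_DB.CUSTOMERS.MASK_EMAIL
  TO ROLE PLAINID COPY CURRENT GRANTS;
GRANT OWNERSHIP ON ROW ACCESS POLICY SALES_DB.CUSTOMERS.REGION_FILTER
  TO ROLE PLAINID COPY CURRENT GRANTS;
```

    Approach 1 is the broader grant: PLAINID inherits every privilege of DATA_GOV_ADMIN, not only policy ownership, so check what else that role owns before connecting it. Approach 2 is narrower but has to be repeated for each policy PlainID should manage.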

    Creating a Snowflake Policy Orchestration Point

    After setting up a user with all the required privileges for Snowflake, you can now create a Snowflake Policy Orchestration Point (POP).

    Authentication Requirements

    Before creating a Policy Orchestration Point (POP), ensure you have the necessary credentials for Snowflake authentication. For password-based authentication, make sure the following fields are filled out correctly in the Snowflake connection settings:

    • Server
    • Port
    • Compute Warehouse
    • Username: The account must have the required permissions.
    • Role (optional unless privileges are granted through a role).

    Creating a Policy Orchestration Point (POP)

    Ensure that you have an Orchestration Workspace set up within the PlainID Platform before proceeding.

    Steps to create a POP:

    1. Open your Orchestration Workspace in the PlainID Platform.
    2. Click Add Policy Orchestration Point.
    3. Choose Snowflake from the available options.
    4. Under the General section:
      • Enter a unique Display Name for the POP.
      • Provide a Description. (Optional)
    5. In the Associated Workspaces section:
      • Use the dropdown menu to select the required Identity Workspace and Authorization Workspace to manage relevant objects discovered from the Snowflake tenant.
        • We recommend generating a designated Authorization Workspace to manage your Snowflake Policies.
    6. Enter the necessary Connection Settings to connect with Snowflake.
    7. Once all fields are completed, click Create in the bottom-left corner.

    Connection Testing

    You can test the connection to Snowflake directly from the PlainID Platform to ensure that the user has all the required privileges.
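    As a complement to the platform-side connection test, the following Snowflake SQL is an added example (not from this article or from PlainID) that an administrator can run in Snowflake to confirm the POP user's effective configuration before testing from PlainID: the default role, the grants held by PLAINID, and the future grants on the database. The names PLAINID_POP and SALES_DB are constructed placeholders.

```sql
-- 1. Confirm DEFAULT_ROLE and DEFAULT_WAREHOUSE on the POP user.
DESCRIBE USER PLAINID_POP;

-- 2. Confirm the role is actually granted to the user.
SHOW GRANTS TO USER PLAINID_POP;

-- 3. List every privilege held by PLAINID and filter to the ones this article requires.
SHOW GRANTS TO ROLE PLAINID;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" IN ('APPLY MASKING POLICY', 'APPLY ROW ACCESS POLICY',
                      'USAGE', 'SELECT',
                      'CREATE MASKING POLICY', 'CREATE ROW ACCESS POLICY')
ORDER BY "granted_on", "name";

-- 4. Confirm future grants exist so new schemas and tables stay visible.
SHOW FUTURE GRANTS IN DATABASE SALES_DB;

-- 5. Session check as the POP user itself: the role and warehouse should match
--    what is entered in the POP Connection Settings.
SELECT CURRENT_USER(), CURRENT_ROLE(), CURRENT_WAREHOUSE();
```

    If step 1 shows a different DEFAULT_ROLE, or step 3 lacks the APPLY privileges at the ACCOUNT level, the PlainID connection test will fail on discovery even though the credentials themselves are valid.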
