You are viewing documentation for Immuta version 2022.2.

Snowflake Data Sharing Overview

Audience: System Administrators, Governors, Data Owners, and Data Users

Content Summary: This page describes the process of using Snowflake Data Sharing with Immuta project workspaces.

Overview

Immuta is now compatible with Snowflake Secure Data Sharing. Using both Immuta and Snowflake, organizations can share the policy-protected data of their Snowflake database with other Snowflake accounts, with Immuta policies enforced in real time. This integration gives data consumers a live connection to the data and relieves data providers of the legal and technical burden of creating static data copies that leave their Snowflake environment.

Snowflake Data Shares with Project Workspaces

In this method, Immuta projects can be used to protect and share data with data consumers, even without those users being registered in Immuta.

Organizations can create an Immuta project and then adjust the project's equalized entitlements to represent the attributes and groups of the data consumer. This allows the project to function as a user, with the data being protected for a particular set of attributes and groups. Once the entitlements have been set, the project owner can enable a project workspace, which creates a Snowflake secure view of that policy-protected data that is ready to share with the data consumer. Because of the Immuta project, equalized entitlements, and workspace, the data is restricted to data consumers who possess the relevant attributes and groups.

For a tutorial on this workflow, see the Using Snowflake Data Sharing page.
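
As an added illustration of the sharing step described above (not taken from the Immuta documentation or tutorial), the following Snowflake SQL shows how a provider could share a workspace's secure view using standard Secure Data Sharing commands. All object and account names are placeholders chosen for this example, and it assumes the project workspace has already created the secure view.

```sql
-- Placeholder names (assumptions, not names Immuta generates):
--   WORKSPACE_DB.PROJECT_SCHEMA.PROTECTED_VIEW  the secure view created by the project workspace
--   CONSUMER_SHARE                              the share handed to the data consumer
--   consumer_account                            the data consumer's Snowflake account identifier

-- 1. Before sharing, confirm the workspace view is a secure view:
--    the is_secure column of the output should read true.
SHOW VIEWS LIKE 'PROTECTED_VIEW' IN SCHEMA WORKSPACE_DB.PROJECT_SCHEMA;

-- 2. Create the share and grant it only what the consumer needs to read the view.
--    A share carries read-only privileges, which matches the WRITE limitation
--    noted under Limitations.
CREATE SHARE CONSUMER_SHARE;
GRANT USAGE ON DATABASE WORKSPACE_DB TO SHARE CONSUMER_SHARE;
GRANT USAGE ON SCHEMA WORKSPACE_DB.PROJECT_SCHEMA TO SHARE CONSUMER_SHARE;
GRANT SELECT ON VIEW WORKSPACE_DB.PROJECT_SCHEMA.PROTECTED_VIEW TO SHARE CONSUMER_SHARE;

-- 3. Review the grants before exposing the share: only the database, schema,
--    and the one policy-protected view should be listed, never the source tables.
SHOW GRANTS TO SHARE CONSUMER_SHARE;

-- 4. Make the share visible to the data consumer's account.
ALTER SHARE CONSUMER_SHARE ADD ACCOUNTS = consumer_account;
```

Running the review in step 3 before step 4 keeps an over-broad grant from ever reaching the consumer account.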

Requirements

  • Any Snowflake integration
  • Immuta attribute-based access control (ABAC) data policies

Benefits

Using Immuta project workspaces with Snowflake Data Sharing allows the sharer to

  • Only need limited knowledge of the context or goals of the existing policies in place: Because the sharer is not editing or creating policies to share their data, they need only limited knowledge of how the policies work. Their main responsibility is making sure they properly represent the attributes of the data consumer.
  • Leave policies untouched.
  • Only share data that the sharer is allowed to see: Users who can create data shares shouldn’t necessarily be the same users who can make policy changes.
  • Let Immuta create the policy-enforced secure view, ready to share.

Limitations

  • Project workspaces are generally recommended to allow WRITE access; however, Snowflake's Data Sharing feature does not support WRITE access to shared data.
  • Actions of the data consumer after the data has been shared are not audited when using project workspaces.