
Snowflake Table Grants User Guide (Private Preview)

Audience: System Administrators, Data Owners, and Data Users

Content Summary: This page describes the Snowflake table grants feature.

Overview

Snowflake table grants is a private preview feature of the Immuta Snowflake integration. Snowflake table grants greatly simplifies the management of privileges in Snowflake when using Immuta. With Snowflake table grants enabled, Immuta will manage privileges on your Snowflake tables and views according to the subscription policies on the corresponding Immuta data sources.

Using the Snowflake table grants feature, a user subscribed to a data source in Immuta will be able to view and query the Snowflake table, and similarly, users not subscribed to a data source will be unable to view or query the Snowflake table.

In Snowflake, table privileges are granted to roles, not to users. Therefore, in order to manage table grants via fine-grained access controls that consider the individual attributes of a given user, the Snowflake table grants feature creates a new Snowflake role for each Immuta user.

Enable Snowflake Table Grants

Follow these instructions to enable the Snowflake table grants feature in Immuta.

  1. Expand the Advanced Settings section on the App Settings page and add the following YAML to the Advanced Configuration:

    featureFlags:
      snowflakeTableGrantsAvailable: true
  2. Click Save.

  3. After the page reloads, navigate to Preview Features. The Enable Native Snowflake Table Grants checkbox should be checked automatically; if it is not, check Enable Native Snowflake Table Grants and click Save. If you have existing configured Snowflake integrations, a small migration step (see Additional Snowflake Privileges Required for Snowflake Table Grants) is required before clicking Save:

    1. For any configured Snowflake integrations set up using the automatic setup, you will be prompted to enter connection information for a Snowflake user. Immuta will execute the migration to Snowflake table grants using a connection established with this Snowflake user. Note: The Snowflake user you provide here must have Snowflake privileges to run the privilege grants listed under Additional Snowflake Privileges Required for Snowflake Table Grants.
    2. For any configured Snowflake integrations set up using the manual setup, you will be shown a link to a migration script you must run in Snowflake and a link to a rollback script, for use in the event of a failed migration. Important: You must execute the migration script in Snowflake before clicking Save.

Additional Snowflake Privileges Required for Snowflake Table Grants

Enabling the Snowflake table grants feature grants the following privileges to the Immuta Snowflake role:

  • MANAGE GRANTS ON ACCOUNT, which allows the Immuta Snowflake role to grant and revoke SELECT privileges on Snowflake tables and views that have been added as data sources in Immuta.
  • CREATE ROLE ON ACCOUNT, which allows for the creation of a Snowflake role for each user in Immuta, enabling fine-grained, attribute-based access controls to determine which tables are available to which individuals.
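The following Snowflake SQL is an added illustration, not part of this guide or of Immuta's migration script. It shows what the two account-level privileges listed above look like when granted to the integration role and how an administrator can verify who holds them afterwards. IMMUTA_SYSTEM_ROLE is an assumed placeholder for the Immuta Snowflake role; substitute the role name from your integration.

```sql
-- Added example, not Immuta's own code. IMMUTA_SYSTEM_ROLE is a placeholder
-- for the role the Immuta Snowflake integration connects with.
USE ROLE ACCOUNTADMIN;

-- The two account-level privileges the table grants feature needs.
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE IMMUTA_SYSTEM_ROLE;
GRANT CREATE ROLE ON ACCOUNT TO ROLE IMMUTA_SYSTEM_ROLE;

-- Verify: expect rows with privilege MANAGE GRANTS and CREATE ROLE, granted_on = ACCOUNT.
SHOW GRANTS TO ROLE IMMUTA_SYSTEM_ROLE;

-- Verify who can assume the integration role; it should be the Immuta service user only,
-- since MANAGE GRANTS lets the holder grant or revoke privileges across the account.
SHOW GRANTS OF ROLE IMMUTA_SYSTEM_ROLE;

-- Detective check worth scheduling: every role that holds either account-level
-- privilege. Anything other than the integration role and admin roles is worth a look.
SHOW GRANTS ON ACCOUNT;
SELECT "grantee_name", "privilege", "granted_to"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" IN ('MANAGE GRANTS', 'CREATE ROLE');
```

The RESULT_SCAN query reads the output of the preceding SHOW statement, so the two must run back to back in the same session.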

Using Snowflake Table Grants

With the Snowflake table grants feature enabled, users will be granted access to each Snowflake table or view automatically when they are subscribed to the corresponding data source in Immuta. Snowflake table grants greatly simplifies the management of privileges in Snowflake when using Immuta.

Each Snowflake user with an Immuta account will be granted a role, which Immuta will manage. The naming convention for this role is IMMUTA_<username>. When connecting to Snowflake, in order to query from Snowflake tables that are managed by Immuta, you can either

  • Use the role that Immuta manages for your user, i.e. USE ROLE IMMUTA_<username>. Note: If you choose this option and rely on the Immuta-managed role as your only active primary role, you must ensure that USAGE on a Snowflake warehouse is granted to the Immuta-managed Snowflake role for each user.
  • USE SECONDARY ROLES ALL, which allows you to use the privileges from all roles that you have been granted, including IMMUTA_<username>, in addition to the current active primary role. You may also set a value for DEFAULT_SECONDARY_ROLES as an object property on a Snowflake user. To learn more about primary roles and secondary roles in Snowflake, see Snowflake documentation.
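The following Snowflake SQL is an added example, not code from this guide or from Immuta. It walks through the per-user role model described above from the Snowflake side with constructed names: user ALICE, an existing primary role ANALYST, warehouse COMPUTE_WH, and table ANALYTICS.PUBLIC.ORDERS. Immuta issues the role creation and SELECT grant/revoke statements itself; they appear here only to make the model concrete, and the exact statements Immuta runs are not documented on this page.

```sql
-- Added example, not Immuta's own code. All object names are constructed.

-- Administrator side (an admin role with the required privileges is assumed).
USE ROLE ACCOUNTADMIN;

-- What the feature does when ALICE is subscribed to the ORDERS data source:
-- a per-user role named IMMUTA_<username>, granted to the user, holding SELECT.
CREATE ROLE IF NOT EXISTS IMMUTA_ALICE;
GRANT ROLE IMMUTA_ALICE TO USER ALICE;
GRANT SELECT ON TABLE ANALYTICS.PUBLIC.ORDERS TO ROLE IMMUTA_ALICE;

-- What the feature does NOT do: a role used as the primary role needs a warehouse.
-- Required only if users will run USE ROLE IMMUTA_<username> (option one below).
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE IMMUTA_ALICE;

-- Optional: make option two the default so ALICE need not set secondary roles per session.
ALTER USER ALICE SET DEFAULT_SECONDARY_ROLES = ('ALL');

-- ALICE's session, option one: the Immuta-managed role as the primary role.
USE ROLE IMMUTA_ALICE;
USE WAREHOUSE COMPUTE_WH;
SELECT COUNT(*) FROM ANALYTICS.PUBLIC.ORDERS;

-- ALICE's session, option two: keep the usual primary role (which supplies the
-- warehouse) and add every granted role, including IMMUTA_ALICE, as secondary roles.
USE ROLE ANALYST;
USE SECONDARY ROLES ALL;
SELECT COUNT(*) FROM ANALYTICS.PUBLIC.ORDERS;

-- Checks: which roles are active in this session, and which roles hold SELECT on the table.
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();
SHOW GRANTS ON TABLE ANALYTICS.PUBLIC.ORDERS;

-- When ALICE is unsubscribed, Immuta revokes the grant; after this, both SELECTs above
-- fail with an authorization error instead of returning rows.
USE ROLE ACCOUNTADMIN;
REVOKE SELECT ON TABLE ANALYTICS.PUBLIC.ORDERS FROM ROLE IMMUTA_ALICE;
```

Option two is the lower-friction choice for users who already have a working primary role, because the warehouse and any non-Immuta privileges keep coming from that role and the Immuta-managed role only adds SELECT on subscribed tables. Option one isolates a session to exactly what Immuta has granted, which is useful when checking what a subscription actually exposes.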

Limitations

The Snowflake table grants feature currently has the following limitations:

  • The project workspaces feature is not supported when Snowflake table grants are enabled.
  • Performance. With Snowflake table grants enabled, handling of new or modified automatic subscription policies in Immuta, especially global policies, may require the execution of many SQL statements in Snowflake. The upper bound on the number of SQL statements is on the order of (number of users) x (number of data sources), and each of these statements takes a few hundred milliseconds to complete. As a result, at moderate scale, some policy changes may take hours, or even days, to fully propagate to Snowflake. Optimizations to reduce the number of queries required to manage privileges in Snowflake are currently in development and will be released as part of public preview. During private preview, before creating or modifying a subscription policy, consider how many users and data sources will be affected.

Known Issues

  • The table grants feature only works with one Snowflake integration in your Immuta. If you configure more than one Snowflake integration, table grants will only work for the integration you configured first. This will be fixed for public preview.
  • If an existing configured Snowflake integration is modified to enable impersonation, Immuta does not currently grant the Snowflake role used for impersonation privileges retroactively on all existing data sources in Snowflake.