Snowflake Table Grants User Guide (Public Preview)

Snowflake table grants is a public preview feature of the Immuta Snowflake integration. Snowflake table grants greatly simplifies the management of privileges in Snowflake when using Immuta. With Snowflake table grants enabled, Immuta will manage privileges on your Snowflake tables and views according to the subscription policies on the corresponding Immuta data sources.

Using the Snowflake table grants feature, a user subscribed to a data source in Immuta will be able to view and query the Snowflake table, and similarly, users not subscribed to a data source will be unable to view or query the Snowflake table.

In Snowflake, table privileges are granted to roles, not to users. Therefore, in order to manage table grants via fine-grained access controls that consider the individual attributes of a given user, the Snowflake table grants feature creates a new Snowflake role for each Immuta user.

Enable Snowflake Table Grants

Follow these instructions to enable the Snowflake table grants feature in Immuta.

  1. Click Advanced Settings in the left panel, and scroll to the Preview Features section.
  2. Check the Snowflake Table Grants checkbox.
  3. Opt to change the Role Prefix. Note that Snowflake table grants creates a new Snowflake role for each Immuta user. To ensure these Snowflake role names do not collide with existing Snowflake roles, each Snowflake role created for Snowflake table grants requires a common prefix. When using multiple Immuta accounts within a single Snowflake account, the Snowflake Table Grants role prefix should be unique for each Immuta account. The prefix cannot be modified, but the Snowflake table grants feature can be disabled and re-enabled. The prefix must adhere to Snowflake identifier requirements.

  4. From here you can either set up a new Snowflake integration by clicking Save and continuing with the configuration tutorial, or migrate your existing Snowflake integrations:

    1. For any configured Snowflake integrations set up using the automatic setup, you will be prompted to enter connection information for a Snowflake user. Immuta will execute the migration to Snowflake table grants using a connection established with this Snowflake user. Note: The Snowflake user you provide here must have the Snowflake privileges needed to run the privilege grants listed under Additional Snowflake Privileges Required for Snowflake Table Grants.
    2. For any configured Snowflake integrations set up using the manual setup, you will be shown a link to a migration script that you must run in Snowflake and a link to a rollback script, for use in the event of a failed migration. Important: You must execute the migration script in Snowflake before clicking Save.

Additional Snowflake Privileges Required for Snowflake Table Grants

Enabling the Snowflake table grants feature grants the following privileges to the Immuta Snowflake role:

  • MANAGE GRANTS ON ACCOUNT, which allows the Immuta Snowflake role to grant and revoke SELECT privileges on Snowflake tables and views that have been added as data sources in Immuta.
  • CREATE ROLE ON ACCOUNT, which allows for the creation of a Snowflake role for each user in Immuta, enabling fine-grained, attribute-based access controls to determine which tables are available to which individuals.

Using Snowflake Table Grants

With the Snowflake table grants feature enabled, users are granted access to each Snowflake table or view automatically when they are subscribed to the corresponding data source in Immuta, and that access is revoked when they are unsubscribed.

Each Snowflake user with an Immuta account will be granted a role, which Immuta will manage. The naming convention for this role is IMMUTA_<username>, where IMMUTA is the prefix that you specified when enabling the feature on the App Settings page. When connecting to Snowflake, in order to query from Snowflake tables that are managed by Immuta, you can either

  • Use the role that Immuta manages for your user (i.e., USE ROLE IMMUTA_<username>, where IMMUTA is the prefix you specified when enabling the feature on the App Settings page). Note: If you use the Immuta-managed role exclusively as your active primary role, you must ensure that USAGE on a Snowflake warehouse is granted to the Immuta-managed Snowflake role for each user; the SELECT grants Immuta manages do not by themselves let the role run a query on a warehouse.
  • USE SECONDARY ROLES ALL, which allows you to use the privileges from all roles that you have been granted, including IMMUTA_<username>, in addition to the current active primary role. You may also set a value for DEFAULT_SECONDARY_ROLES as an object property on a Snowflake user. To learn more about primary roles and secondary roles in Snowflake, see Snowflake documentation.
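The following is an added example, not Immuta's code, covering two points from above: the role prefix must be a valid Snowflake identifier (step 3 of Enable Snowflake Table Grants), and each IMMUTA_<username> role needs USAGE on a warehouse when it is used as the primary role. It assumes the unquoted-identifier rule shown in the comment and takes SHOW ROLES / SHOW GRANTS TO ROLE style rows as plain dicts; the sample rows are constructed.

```python
import re

# Assumption: Snowflake unquoted identifiers start with a letter or underscore,
# continue with letters, digits, underscores or "$", and are at most 255 chars.
# Immuta's own validation of the prefix may be stricter than this.
_UNQUOTED_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]{0,254}$")


def prefix_is_valid(prefix: str) -> bool:
    """True if the Table Grants role prefix is a valid unquoted Snowflake identifier."""
    return bool(_UNQUOTED_IDENT.match(prefix))


def managed_role_name(prefix: str, username: str) -> str:
    """Build the Immuta-managed role name, <PREFIX>_<username>, as described above."""
    return f"{prefix}_{username}"


def roles_missing_warehouse_usage(role_names, grants, prefix: str):
    """Return the Immuta-managed roles that have no USAGE grant on any warehouse.

    role_names: role names as listed by SHOW ROLES.
    grants: dicts shaped like SHOW GRANTS TO ROLE rows, using the columns
            privilege, granted_on, name and grantee_name.
    """
    managed = {r for r in role_names if r.startswith(prefix + "_")}
    with_usage = {
        g["grantee_name"] for g in grants
        if g["privilege"] == "USAGE" and g["granted_on"] == "WAREHOUSE"
    }
    return sorted(managed - with_usage)


# Constructed sample data, not output from a real Snowflake account.
SAMPLE_ROLES = ["SYSADMIN", "IMMUTA_alice", "IMMUTA_bob"]
SAMPLE_GRANTS = [
    {"privilege": "SELECT", "granted_on": "TABLE", "name": "SALES.PUBLIC.ORDERS",
     "grantee_name": "IMMUTA_alice"},
    {"privilege": "USAGE", "granted_on": "WAREHOUSE", "name": "ANALYTICS_WH",
     "grantee_name": "IMMUTA_alice"},
    {"privilege": "SELECT", "granted_on": "VIEW", "name": "SALES.PUBLIC.ORDERS_V",
     "grantee_name": "IMMUTA_bob"},
]

if __name__ == "__main__":
    # IMMUTA_bob can SELECT from the view but has no warehouse, so USE ROLE
    # IMMUTA_bob alone cannot run a query.
    print(roles_missing_warehouse_usage(SAMPLE_ROLES, SAMPLE_GRANTS, "IMMUTA"))
```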

Limitations

The Snowflake table grants feature currently has the following limitations:

  • The project workspaces feature is not supported when Snowflake table grants are enabled.

Known Issues

  • If an existing configured Snowflake integration is modified to enable impersonation, Immuta does not currently retroactively grant privileges to all data sources in Snowflake to the Snowflake role used for impersonation.

Migration

If you were using the Private Preview version of Table Grants, available before the 2022.3 release, you will need to migrate when you upgrade. You can do this migration pre-upgrade or post-upgrade.

Pre-Upgrade Migration Steps

  1. Navigate to the App Settings page.
  2. Click Advanced Settings in the left panel, and scroll to the Preview Features section.
  3. Uncheck the Snowflake Table Grants checkbox to disable the feature.
  4. Click Save and perform your Immuta version upgrade.
  5. Use the Enable Snowflake Table Grants tutorial to re-enable the feature.

Post-Upgrade Migration Steps

  1. Navigate to the App Settings page.
  2. Click Advanced Settings in the left panel, and scroll to the Preview Features section.
  3. Uncheck the Snowflake Table Grants checkbox to disable the feature.
  4. Click Save. Wait for about 1 minute per 1000 users. This gives time for Immuta to drop all the previously created user roles.
  5. Use the Enable Snowflake Table Grants tutorial to re-enable the feature.