Snowflake Table Grants

The Snowflake table grants feature simplifies the management of privileges in Snowflake when using Immuta. Instead of manually granting users access to tables registered in Immuta, you allow Immuta to manage privileges on your Snowflake tables and views according to subscription policies. Users subscribed to a data source in Immuta can then view and query the corresponding Snowflake table, while users who are not subscribed to the data source cannot view or query it.

Snowflake privileges

Enabling Snowflake table grants gives the following privileges to the Immuta Snowflake role:

  • MANAGE GRANTS ON ACCOUNT allows the Immuta Snowflake role to grant and revoke SELECT privileges on Snowflake tables and views that have been added as data sources in Immuta.
  • CREATE ROLE ON ACCOUNT allows for the creation of a Snowflake role for each user in Immuta, enabling fine-grained, attribute-based access controls to determine which tables are available to which individuals.
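The two account-level privileges above are broad, so an administrator will usually want to see exactly what they look like as grants and verify that no unintended role holds them. The following is an added example, not a snippet from the Immuta documentation or Immuta's own setup scripts; it assumes the Immuta Snowflake role is named IMMUTA_SYSTEM_ROLE (a placeholder) and that ACCOUNTADMIN is used to issue the grants.

```sql
-- Added example (not from the Immuta documentation): the account-level
-- privileges that enabling Snowflake table grants confers on the Immuta
-- Snowflake role, written out as GRANT statements, followed by checks
-- that they reside only on the roles you expect.
-- Assumptions (placeholders): Immuta role is IMMUTA_SYSTEM_ROLE; the
-- grants are issued from ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- Lets the Immuta role grant and revoke SELECT on tables and views that
-- are registered as Immuta data sources.
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE IMMUTA_SYSTEM_ROLE;

-- Lets the Immuta role create the per-user IMMUTA_<username> roles.
GRANT CREATE ROLE ON ACCOUNT TO ROLE IMMUTA_SYSTEM_ROLE;

-- Check 1: everything the Immuta role currently holds.
SHOW GRANTS TO ROLE IMMUTA_SYSTEM_ROLE;

-- Check 2: every role in the account that holds either privilege, so the
-- set can be reviewed against what is expected (ACCOUNTADMIN,
-- SECURITYADMIN and the Immuta role are typical; anything else deserves
-- a look). ACCOUNT_USAGE views lag live state by up to about two hours.
SELECT grantee_name, privilege, granted_on, created_on
FROM snowflake.account_usage.grants_to_roles
WHERE granted_on = 'ACCOUNT'
  AND privilege IN ('MANAGE GRANTS', 'CREATE ROLE')
  AND deleted_on IS NULL
ORDER BY privilege, grantee_name;
```

Run the second check periodically rather than once: MANAGE GRANTS lets its holder re-grant objects it does not own, so a new grantee appearing in that result set is worth treating as a change to review.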

Using Snowflake table grants

Since table privileges are granted to roles and not to users in Snowflake, Immuta's Snowflake table grants feature creates a new Snowflake role for each Immuta user. This design allows Immuta to manage table grants through fine-grained access controls that consider the individual attributes of users.

Each Snowflake user with an Immuta account will be granted a role that Immuta manages. The naming convention for this role is IMMUTA_<username>, where IMMUTA is the prefix you specified when enabling the feature on the Immuta app settings page.

Users will be granted access to each Snowflake table or view automatically when they are subscribed to the corresponding data source in Immuta.

You have two options to query Snowflake tables that are managed by Immuta:

  • Use the role that Immuta manages for your user (i.e., USE ROLE IMMUTA_<username>, where IMMUTA is the prefix you specified when enabling the feature on the Immuta app settings page). If you use this Immuta-managed role exclusively as your active primary role, you must ensure that USAGE on a Snowflake warehouse is granted to the Immuta-managed Snowflake role for each user.
  • USE SECONDARY ROLES ALL, which allows you to use the privileges from all roles that you have been granted, including IMMUTA_<username>, in addition to the current active primary role. You may also set a value for DEFAULT_SECONDARY_ROLES as an object property on a Snowflake user. To learn more about primary roles and secondary roles in Snowflake, see the Snowflake documentation.
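Both options above, with the grants each depends on and the checks that show which roles are actually active, as an added example that is not part of the Immuta documentation. All names are placeholders: user ALICE, Immuta-managed role IMMUTA_ALICE (prefix IMMUTA), the user's ordinary role ANALYST, warehouse ANALYTICS_WH, and table SALES.PUBLIC.ORDERS, which ALICE is assumed to be subscribed to in Immuta.

```sql
-- Added example (not from the Immuta documentation): querying
-- Immuta-managed tables either with the per-user role as the primary
-- role or via secondary roles.
-- Assumptions (placeholders): user ALICE, per-user role IMMUTA_ALICE,
-- ordinary role ANALYST, warehouse ANALYTICS_WH, table SALES.PUBLIC.ORDERS.

-- Option 1: use the Immuta-managed role as the primary role.
-- Immuta grants SELECT on subscribed tables to IMMUTA_ALICE, but running
-- a query also needs USAGE on a warehouse, and Immuta does not grant that.
-- An administrator grants it once per per-user role:
USE ROLE ACCOUNTADMIN;
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE IMMUTA_ALICE;

-- As ALICE:
USE ROLE IMMUTA_ALICE;
USE WAREHOUSE ANALYTICS_WH;
SELECT COUNT(*) FROM SALES.PUBLIC.ORDERS;

-- Option 2: keep the usual primary role and add the privileges of every
-- granted role, including IMMUTA_ALICE, as secondary roles for the session.
USE ROLE ANALYST;
USE WAREHOUSE ANALYTICS_WH;
USE SECONDARY ROLES ALL;
SELECT COUNT(*) FROM SALES.PUBLIC.ORDERS;

-- Optionally make secondary roles the default for every new session:
USE ROLE ACCOUNTADMIN;
ALTER USER ALICE SET DEFAULT_SECONDARY_ROLES = ('ALL');

-- Checks.
-- Which primary and secondary roles are active in this session:
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();

-- What Immuta has granted to the per-user role. Expect SELECT on tables
-- and views of subscribed data sources only; a grant on anything else
-- was not placed by Immuta's subscription policies.
SHOW GRANTS TO ROLE IMMUTA_ALICE;

-- Who holds the per-user role. Expect exactly one user; two users
-- sharing it is the username-collision case described under Limitations.
SHOW GRANTS OF ROLE IMMUTA_ALICE;
```

The last check is the one to keep in a scheduled review: because access flows through IMMUTA_<username>, the set of grantees of each per-user role is the simplest place to confirm that one Immuta user maps to one Snowflake user.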

Limitations

  • Project workspaces are not supported when Snowflake table grants is enabled.
  • If an Immuta instance is connected to an external IAM and that external IAM has a username identical to another username in Immuta's built-in IAM, those users will have the same Snowflake role, leading both to see the same data.