Immuta is compatible with Snowflake Secure Data Sharing. Using both Immuta and Snowflake, organizations can share the policy-protected data of their Snowflake database with other Snowflake accounts with Immuta policies enforced in real time. This integration gives data consumers a live connection to the data and relieves data providers of the legal and technical burden of creating static data copies that leave their Snowflake environment.
There are two options to use Snowflake Data Sharing with Immuta:
Snowflake Data Shares with Immuta Users (Public Preview): This option utilizes Snowflake table grants and requires the data viewer to be registered as an Immuta user.
Snowflake Data Shares with Non-Immuta Users: This option utilizes Snowflake project workspaces to share policy-protected data without data viewers being registered as Immuta users.
This method allows data providers to share policy-enforced data with data consumers registered in Immuta.
The data consumer will register in Immuta as a user with the appropriate Immuta attributes and groups. Once that user has subscribed to the data source, they will be able to see the policy-protected data of a Snowflake data share.
For a tutorial on this workflow, see the Using Snowflake Data Sharing page.
Snowflake Enterprise Edition or higher
Immuta's table grants feature
Using Immuta users with Snowflake Data Sharing allows the sharer to
Only need limited knowledge of the context or goals of the existing policies in place: Because the sharer is not editing or creating policies to share their data, they only need a limited knowledge of how the policies work. Their main responsibility is making sure they properly represent the attributes of the data consumer.
Leave policies untouched.
In this method, Immuta projects can be used to protect and share data with data consumers, even without those users being registered in Immuta.
Using Immuta projects, organizations can create projects and then adjust the equalized entitlements of the project to represent attributes and groups of the data consumer. This allows the project to function as a user, with the data being protected for a particular set of attributes and groups. Once the entitlements have been set, the project owner can enable a project workspace that will create a Snowflake secure view of that policy-protected data that is ready to share with the data consumer. Because of the Immuta project, equalized entitlements, and workspace, the data is restricted to data consumers who possess the relevant attributes and groups.
For a tutorial on this workflow, see the Using Snowflake Data Sharing page.
Any Snowflake integration
Immuta attribute based access control (ABAC) data policies
Using Immuta project workspaces with Snowflake Data Sharing allows the sharer to
Only need limited knowledge of the context or goals of the existing policies in place: Because the sharer is not editing or creating policies to share their data, they only need a limited knowledge of how the policies work. Their main responsibility is making sure they properly represent the attributes of the data consumer.
Leave policies untouched.
Only share data that the sharer is allowed to see: Users who can create data shares shouldn’t necessarily be the same users who can make policy changes.
Let Immuta create the policy-enforced secure view, ready to share.
Project workspaces are generally recommended to allow WRITE access; however, Snowflake's Data Sharing feature does not support WRITE access to shared data.
Actions of the data consumer after the data has been shared are not audited when using project workspaces.