Snowflake Low Row Access Policy Mode

The Snowflake low row access policy mode improves query performance in Immuta's Snowflake integration by decreasing the number of Snowflake row access policies Immuta creates and by using table grants to manage user access.

Immuta manages access to Snowflake tables by administering Snowflake row access policies and column masking policies on those tables, allowing users to query them directly in Snowflake while policies are enforced.

Without Snowflake low row access policy mode enabled, row access policies are created and administered by Immuta in the following scenarios:

Table grants are disabled and a subscription policy that does not automatically subscribe everyone to the data source is applied. Immuta administers Snowflake row access policies to filter out all the rows to restrict access to the entire table when the user doesn't have privileges to query it. However, if table grants are disabled and a subscription policy is applied that grants everyone access to the data source automatically, Immuta does not create a row access policy in Snowflake. See the subscription policies page for details about these policy types.
is applied to a data source. A row access policy filters out all the rows of the table if users aren't acting under the purpose specified in the policy when they query the table.
is applied to a data source. A row access policy filters out rows querying users don't have access to.
User impersonation is enabled. A row access policy is created for every Snowflake table registered in Immuta.

Deprecation notice

Support for using the Snowflake integration with low row access policy mode disabled has been deprecated. You must enable this feature and table grants for your integration to continue working in future releases. See the for EOL dates.

Reducing row access policies

Snowflake low row access policy mode is enabled by default to reduce the number of row access policies Immuta creates and improve query performance. Snowflake low row access policy mode requires

table grants to be enabled.
user impersonation to be disabled. User impersonation diminishes the performance of interactive queries because of the number of row access policies Immuta creates when it's enabled.

Requirements

Project-scoped purpose exceptions for Snowflake with low row access policy mode enabled

Public preview: This feature is available to select accounts. Reach out to your Immuta representative to enable this feature.

Project-scoped purpose exceptions for Snowflake integrations allow you to apply purpose-based policies to Snowflake data sources in a project. As a result, users can only access that data when they are working within that specific project.

Limitations and considerations

Project workspaces are not compatible with this feature.
Impersonation is not supported when the Snowflake low row access policy mode is enabled.
When a project member acts under a project's purposes, any matching purpose exceptions on tables will be honored, even if those tables exist outside the project. Project managers cannot assume approving a purpose means that the purposes of that project are limited to the tables in the project. Enable the project-scoped purpose exceptions feature to remove this limitation.
Project owners cannot limit masked joins to a single project. Turning masked joins on in a single project in Immuta enables masked joins across all of a subscriber's data sources, regardless of which projects the data sources belong to.

PreviousSnowflake Lineage Tag Propagation NextSnowflake Table Grants

Last updated 8 months ago

Was this helpful?

Reducing row access policies

Snowflake low row access policy mode is enabled by default to reduce the number of row access policies Immuta creates and improve query performance. Snowflake low row access policy mode requires

table grants to be enabled.

user impersonation to be disabled. User impersonation diminishes the performance of interactive queries because of the number of row access policies Immuta creates when it's enabled.

Project-scoped purpose exceptions for Snowflake with low row access policy mode enabled

Public preview: This feature is available to select accounts. Reach out to your Immuta representative to enable this feature.

Limitations and considerations

Project workspaces are not compatible with this feature.

Impersonation is not supported when the Snowflake low row access policy mode is enabled.

When a project member acts under a project's purposes, any matching purpose exceptions on tables will be honored, even if those tables exist outside the project. Project managers cannot assume approving a purpose means that the purposes of that project are limited to the tables in the project. Enable the project-scoped purpose exceptions feature to remove this limitation.

Project owners cannot limit masked joins to a single project. Turning masked joins on in a single project in Immuta enables masked joins across all of a subscriber's data sources, regardless of which projects the data sources belong to.