Using Snowflake Data Sharing with Immuta
Audience: System Administrators, Governors, and Data Owners
Content Summary: This page describes the workflow of using Snowflake Data Sharing with Immuta project workspaces, how to use Snowflake Data Sharing with Immuta table grants, and how to migrate your current project workspace to secure views.
Workflow with Project Workspaces
As you follow this tutorial, these callouts will have examples centered around the same use case and will further explain the steps necessary to meet the following compliance requirement:
Compliance Requirement: Users can only see data from their country.
1 - Create Immuta Policies
Use Case: Create Policies
The Immuta user will create a global data policy that restricts the rows users can see based on their
attributes, which identify their country. In the example below, users with the attribute
would only see rows that have
JP as a value in the
CREDIT POINT OF SALE column.
Using an attribute based access control (ABAC) model, build Immuta data policies using Immuta attributes and groups to fit your organization's compliance requirements.
2 - Create an Immuta Project
Use Case: Create Project
The Immuta user will create a project for the data share. In the example below, the user creates a Japan Data Share project that will only be shared with data consumers in Japan.
3 - Prepare the Project to Share
Because data consumers have the attribute "Country.JP", this will be the equalized entitlement added to the project. The Immuta user editing the equalized entitlement must also have the attribute "Country.JP" to ensure they have access to the data they will share.
A user with the same attributes or groups as the data consumer must edit the equalized entitlements to represent the appropriate attributes and groups of the data consumer.
4 - Create the Snowflake Data Share
Create the Snowflake Data Share pointing to the project workspace using the schema and role in the Native Snowflake Access section of the project information. Repeat this step for each data source you want to share.
The commands run in Snowflake should look similar to this:
CREATE SHARE "WORKSPACE_SCHEMA"; GRANT USAGE ON DATABASE "WORKSPACE_DATABASE" TO SHARE "WORKSPACE_SCHEMA"; GRANT REFERENCE_USAGE ON DATABASE "WORKSPACE_DATABASE" TO SHARE "WORKSPACE_SCHEMA"; GRANT USAGE ON SCHEMA "WORKSPACE_DATABASE"."WORKSPACE_SCHEMA" TO SHARE "WORKSPACE_SCHEMA"; GRANT SELECT ON VIEW "WORKSPACE_DATABASE"."WORKSPACE_SCHEMA"."DATA_SOURCE" TO SHARE "WORKSPACE_SCHEMA";
Workflow with Immuta's Table Grants Feature Enabled (Public Preview)
1 - Create Immuta Policies to Protect the Data
Build Immuta data policies to fit your organization's compliance requirements.
2 - Register the Snowflake Data Consumer with Immuta
To register the Snowflake data consumer in Immuta,
- Create a new Immuta user.
- Update the Immuta user's Snowflake username
to match the account ID for the data consumer. This value is the output on the data consumer side when
SELECT CURRENT_ACCOUNT()is run in Snowflake.
- Give the Immuta user the appropriate attributes and groups for your organization's policies.
- Subscribe the Immuta user to the data sources.
3 - Create the Snowflake Data Share
Create a Snowflake Data Share of the Snowflake table that has been registered in Immuta.
Migrate Current Project Workspaces to Secure Views
If you had project workspaces that were created before Immuta 2022.1.0, you need to perform this migration.
- Navigate to the Policies tab of you project.
- Toggle the switch to disable the workspace, and choose from the purge options.
- Refresh the page.
- Toggle the switch the enable the workspace, and fill out the modal.