Snowflake Project Workspaces Pre-Configuration Details
Audience: Project members
Content Summary: This page outlines prerequisites and provides an overview of the integration process for Snowflake project workspaces.
- Snowflake integration configured with workspaces enabled.
- Snowflake tables are registered in Immuta.
- External IDs have been connected with an IAM or manually mapped in for Snowflake.
- Data sources registered by Excepted Roles: Snowflake workspaces generate static views with the credentials used to register the table as an Immuta data source. Those tables must be registered in Immuta by an Excepted Role so that policies applied to the backing tables are not applied to the project workspace views.
Project Workspace Workflow
An Immuta User with the
CREATE_PROJECTpermission creates a new project with Snowflake data sources.
The Immuta Project Owner enables Project Equalization which balances every Project Members’ access to the data to be the same.
The Immuta Project Owner creates a Snowflake Project Workspace which automatically generates a subfolder in the root path specified by the Application Admin and remote database associated with the project.
Project members can access data sources within the project and use WRITE to create derived tables. To ensure equalization, users will only see data sources within their project as long as they are working in the Snowflake Context.
The CREATE_DATA_SOURCE_IN_PROJECT permission is given to specific users so they can expose their derived tables in the Immuta project; the derived tables will inherit the policies, and then the data can be shared outside the project.
If a project member leaves a project or a project is deleted, that Snowflake Context will be removed from the user's Snowflake account.
Root Directory Details
Immuta only supports a single root location, so all projects will write to a subdirectory under this single root location.
If an administrator changes the default directory, the Immuta user must have full access to that directory. Once any workspace is created, this directory can no longer be modified.