Immuta WRITE policy feature in Snowflake - private preview
This feature is in private preview as of this document (DEC 2024).
For SaaS customers, please submit a request to enable this feature.
The writePolicies feature impacts subscription policies, both local and global. Below is the Immuta Subscription Policy Builder with WRITE enabled.
Enabling WRITE exposes separate access permissions for WRITE and READ subscription policies:
The WRITE permission grants the following in Snowflake:
Documentation details here.
The WRITE policy does not add row-access objects to the tables. Instead, the WRITE policy creates a prefix_POLICY_xxxx role in Snowflake and then grants that role to the prefix_USER_username role. The Immuta-Snowflake mapped users are subsequently granted their respective prefix_USER_username role. For example:
1. A user user9@email.com is subscribed to a datasource in Immuta through a subscription policy.
2. A BCIMM_USER_user9@email.com role is created with the prefix BCIMM, and it is granted to the user9@email.com Snowflake user.
3. A SQL statement such as SHOW GRANTS TO ROLE "BCIMM_USER_user9@email.com"; will show the Immuta prefix_POLICY_xxxx roles granted to this user role.
To identify more details of an Immuta prefix_POLICY_xxxx role, a SHOW GRANTS SQL statement on that role will reveal the grants it holds in addition to SELECT, such as DELETE, INSERT, TRUNCATE, and UPDATE. For example:
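As an added example (not from the Immuta documentation), the following Snowflake query walks the same chain the text describes, user to prefix_USER_username role to prefix_POLICY_xxxx roles to table privileges, and reports only the write privileges a mapped user ends up with. It assumes the BCIMM prefix and user9@email.com from the example above, and that the session role can read the SNOWFLAKE.ACCOUNT_USAGE views.

```sql
-- Added audit example, not Immuta's own code.
-- Assumptions: role prefix BCIMM and user user9@email.com (constructed, per the
-- example above); the session role can read SNOWFLAKE.ACCOUNT_USAGE views;
-- ACCOUNT_USAGE latency (up to a couple of hours) is acceptable for an audit.
SET immuta_prefix = 'BCIMM';
SET target_user   = 'user9@email.com';

WITH user_roles AS (
  -- Step 1: the prefix_USER_username role(s) granted directly to the user.
  SELECT role AS user_role
  FROM snowflake.account_usage.grants_to_users
  WHERE granted_to = 'USER'
    AND grantee_name = $target_user
    AND deleted_on IS NULL
    AND STARTSWITH(role, $immuta_prefix || '_USER_')
),
policy_roles AS (
  -- Step 2: the prefix_POLICY_xxxx roles granted to that user role
  -- (role-to-role grants appear as USAGE on a ROLE object).
  SELECT r.name AS policy_role, u.user_role
  FROM snowflake.account_usage.grants_to_roles r
  JOIN user_roles u ON r.grantee_name = u.user_role
  WHERE r.granted_on = 'ROLE'
    AND r.privilege = 'USAGE'
    AND r.deleted_on IS NULL
    AND STARTSWITH(r.name, $immuta_prefix || '_POLICY_')
),
write_grants AS (
  -- Step 3: table-level privileges held by those policy roles, keeping only
  -- the write privileges a WRITE policy can confer beyond SELECT.
  SELECT p.user_role, p.policy_role,
         g.table_catalog, g.table_schema, g.name AS table_name, g.privilege
  FROM snowflake.account_usage.grants_to_roles g
  JOIN policy_roles p ON g.grantee_name = p.policy_role
  WHERE g.granted_on IN ('TABLE', 'VIEW')
    AND g.deleted_on IS NULL
    AND g.privilege IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE')
)
-- One row per table the user can modify, with the policy role that grants it.
SELECT user_role, policy_role, table_catalog, table_schema, table_name,
       LISTAGG(privilege, ',') WITHIN GROUP (ORDER BY privilege) AS write_privileges
FROM write_grants
GROUP BY user_role, policy_role, table_catalog, table_schema, table_name
ORDER BY table_catalog, table_schema, table_name;
```

Any table listed here that the user should only be able to read indicates a WRITE subscription policy that is broader than intended; SHOW GRANTS TO ROLE on the reported policy_role confirms the live grant without the ACCOUNT_USAGE delay.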