Review details of TableGrants and LowRAP in Snowflake
Last updated
Documentation details for the TableGrant feature.
Information about the Immuta-Snowflake TableGrants and LowRAP (row access policy) features.
Role Prefix: The default prefix value is IMMUTA and can be found in Section 4 of AppSettings. The user roles and policy roles created from TableGrants and LowRAP follow the naming conventions prefix_USER_<immuta-username> and prefix_POLICY_<string>.
User Role Creation:
For each Immuta account username subscribed to data sources, SQL statements are sent to Snowflake to create new Snowflake roles if they do not already exist. These roles are named from the Immuta account username and the prefix value (prefix_USER_<immuta-username>).
Policy Role Creation:
With TableGrants and LowRAP, policy roles with the naming convention prefix_POLICY_<string> are created for subscription policies. A policy role is associated with Immuta global subscription policies but does not have a one-to-one mapping to them. The mapping depends on Immuta's policy logic, which optimizes the process to determine which global subscription policies correspond to which POLICY role in Snowflake.
User Role Privileges:
Privileges such as USAGE on databases, USAGE on schemas, and SELECT on tables/views are first granted to the prefix_POLICY_<string> role. This policy role is then granted to the prefix_USER_<immuta-username> role, which is subsequently granted to the Snowflake user.
Role Hierarchy:
Policy roles (prefix_POLICY_<string>) are granted to user roles (prefix_USER_<immuta-username>), which are then granted to the Snowflake user associated with the Immuta username.
In Snowflake, run SHOW ROLES filtered by the prefix to pull all the USER and POLICY roles. Examples:
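The following Snowflake SQL is an added illustration of the hierarchy described above, not Immuta's own generated statements or an example from the original page. The prefix IMMUTA, the policy role IMMUTA_POLICY_a1b2c3, the Immuta username alice, the Snowflake user ALICE and the object SALES.PUBLIC.ORDERS are all constructed placeholders; the SHOW/RESULT_SCAN queries at the end are what an administrator can run to confirm that grants only reach users through the USER-role layer.

```sql
-- Constructed placeholder names (not from the page): prefix IMMUTA, policy role
-- IMMUTA_POLICY_a1b2c3, Immuta username alice, Snowflake user ALICE and the
-- object SALES.PUBLIC.ORDERS. Unquoted identifiers are upper-cased by Snowflake;
-- quote the role name if the Immuta username is mixed-case.

-- 1. Roles are created only if they do not already exist.
CREATE ROLE IF NOT EXISTS IMMUTA_POLICY_a1b2c3;
CREATE ROLE IF NOT EXISTS IMMUTA_USER_alice;

-- 2. Object privileges land on the POLICY role, never on the USER role or user.
GRANT USAGE  ON DATABASE SALES               TO ROLE IMMUTA_POLICY_a1b2c3;
GRANT USAGE  ON SCHEMA   SALES.PUBLIC        TO ROLE IMMUTA_POLICY_a1b2c3;
GRANT SELECT ON TABLE    SALES.PUBLIC.ORDERS TO ROLE IMMUTA_POLICY_a1b2c3;

-- 3. Hierarchy: POLICY role -> USER role -> Snowflake user.
GRANT ROLE IMMUTA_POLICY_a1b2c3 TO ROLE IMMUTA_USER_alice;
GRANT ROLE IMMUTA_USER_alice    TO USER ALICE;

-- 4. Verification queries for an administrator.
-- All Immuta-managed roles, selected by prefix.
SHOW ROLES LIKE 'IMMUTA_%';

-- What the POLICY role can touch: expect only the USAGE/SELECT grants above.
SHOW GRANTS TO ROLE IMMUTA_POLICY_a1b2c3;

-- Who holds the POLICY role. In the intended hierarchy every grantee is a
-- ROLE (a USER role); a row with granted_to = 'USER' is a direct grant that
-- bypasses the USER-role layer and should be investigated.
SHOW GRANTS OF ROLE IMMUTA_POLICY_a1b2c3;
SELECT "grantee_name", "granted_to"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_to" <> 'ROLE';

-- The chain seen from the user side: the only Immuta-managed role granted
-- directly to the user should be its own IMMUTA_USER_ role.
SHOW GRANTS TO USER ALICE;
```

Immuta issues the CREATE and GRANT statements itself; they are shown here only so the SHOW output can be read against the expected chain.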