Review Immuta policy objects created natively in Snowflake
The SQL code block below reviews all policy objects created within the Immuta database. First, identify the Immuta SYSTEM role and grant it to the Snowflake user account that will explore the Immuta policy objects. By default, the naming convention for the SYSTEM role is <Immuta_db_name>_SYSTEM. Next, navigate to the Immuta database and policy schema in Snowflake, and then run show row access policies or show masking policies.
use role accountadmin;
grant role <IMMUTA_DB>_SYSTEM to <your user>;
use role <IMMUTA_DB>_SYSTEM;
use database <IMMUTA_DB>;
use schema <IMMUTA_DB>."IMMUTA_POLICIES";
show row access policies;
describe row access policy <IMMUTA_DB>."IMMUTA_POLICIES"."RLS_xx_xxxxxxxxxxxxxx";
-- RLS is row level security; the _xx_ that follows is the Immuta data source ID.
show masking policies;
describe masking policy <IMMUTA_DB>."IMMUTA_POLICIES"."xx_CREDIT_CARD_NUMBER_xxxxxxxxxxxxxx";
-- The leading 'xx' is the Immuta data source ID, followed by the column name and then a hash string.

Find policy objects that have been attached (ADD or SET) to tables or views. The code block below makes use of the Snowflake policy_references() table function.
use role accountadmin;
use database <data_database>;
use schema <data_database>.<schema name>;
SELECT * FROM TABLE(information_schema.policy_references(ref_entity_name => '"<data_database>"."<schema name>"."<table name>"', ref_entity_domain => 'TABLE'));

Find out where the policy objects have been attached (ADD or SET).
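The policy_references() call above answers the question for one table at a time. As an added example that is not part of the Immuta documentation, the queries below take the same question account-wide through the SNOWFLAKE.ACCOUNT_USAGE views, and also list Immuta policies that are attached to nothing. They assume a role that can read SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database) and use the same <IMMUTA_DB> placeholder as above.

```sql
-- Added example (not from the Immuta docs). Inventory every Immuta-created
-- policy and where it is attached, account-wide, via the Account Usage views.
-- Assumptions: the current role can read SNOWFLAKE.ACCOUNT_USAGE, and
-- <IMMUTA_DB> is the name of your Immuta database (placeholder, as above).
use role accountadmin;

-- 1. Every row access and masking policy Immuta created, with its attachment points.
select
    r.policy_kind,            -- ROW_ACCESS_POLICY or MASKING_POLICY
    r.policy_name,
    r.ref_database_name,
    r.ref_schema_name,
    r.ref_entity_name,
    r.ref_entity_domain,      -- TABLE or VIEW
    r.ref_column_name,        -- masked column; null for row access policies
    r.policy_status           -- ACTIVE, or an error status if the reference no longer resolves
from snowflake.account_usage.policy_references r
where r.policy_db = '<IMMUTA_DB>'
  and r.policy_schema = 'IMMUTA_POLICIES'
order by r.ref_database_name, r.ref_schema_name, r.ref_entity_name, r.policy_name;

-- 2. Policies that exist in the Immuta policy schema but are attached to nothing.
--    Review these before any manual clean-up of Immuta objects.
with immuta_policies as (
    select 'MASKING_POLICY' as policy_kind, policy_name
    from snowflake.account_usage.masking_policies
    where policy_catalog = '<IMMUTA_DB>'
      and policy_schema = 'IMMUTA_POLICIES'
      and deleted is null
    union all
    select 'ROW_ACCESS_POLICY', policy_name
    from snowflake.account_usage.row_access_policies
    where policy_catalog = '<IMMUTA_DB>'
      and policy_schema = 'IMMUTA_POLICIES'
      and deleted is null
)
select p.policy_kind, p.policy_name
from immuta_policies p
left join snowflake.account_usage.policy_references r
       on r.policy_db     = '<IMMUTA_DB>'
      and r.policy_schema = 'IMMUTA_POLICIES'
      and r.policy_name   = p.policy_name
      and r.policy_kind   = p.policy_kind
where r.policy_name is null
order by p.policy_kind, p.policy_name;
```

The Account Usage views are not real-time, so a policy attached or dropped in the last few hours may not appear yet; use the per-table policy_references() query above when you need the live state of a specific table.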