Snowflae Datashare examples with Immuta

Common use-cases for Snowflake datashare:

• Snowflake cross-region collaboration between different Snowflake accounts.

• Data monetization - data are shared with external partners for monetization purpose while ensuring compliance and security

• Vendor-customer collaboration - where vendor, customer, and partner can collaborate on shared datasets for mutual benefits

Snowflake data in a datashare protected through Immuta integration and fine-grained access control

The process involves the following:

• Associate an Immuta user to the consumer-account ID by updating the Immuta-Snowflake username in reference to match the data consumer-account ID

• Assign appropriate attributes and groups to this Immuta user for organization policies.

• Subscribe this Immuta user with the reference of the consumer-account ID to the relevant data sources on the producer-account through Immuta subscription policies.

• Share outbound datashare object with Immuta policy-protect table(s) to consumer-account; be sure to GRANT REFERENCE_USAGE on the Immuta database to the datashare object.

Example 1 : Snowflake datashare with Immuta users

• same region and same cloud provider

• datashare object will be received by either the consumer-account or a reader-account

• user@consumer-account will have the same acess level as Immuta does not know these users; they are different from users@producer-account

Example 2: Create views of datashare and have Immuta apply control on views

• same region and same cloud provider - if not, data needs to be replicated to same region and same cloud provider

• atashare object will be received by either the consumer-account or a reader-account

• control can be on consumer-account or on producer-account.

• users@consumer-account will have the same access level to datashare-database but views created from tables in the datashare-database can have fine-grained access control policy objects via Immuta integration

• users@consumer-account are different from users@producer-account, however, with integration to both consumer and producer accounts, the Immuta users in reference to Snowflake users can apply to both consumer and producer accounts. If users coming from the same IdProvider to both Snowflake accounts and Immuta, then these users can access to whichever data they are authorized through Immuta policies.

Example 3: Policy applied on both produce and consumer accounts through views.

• Same region and same cloud provider, if not, then data needs to be replicated to the same region and same cloud provider first

• Datashare object will be received by either the consumer-account or the reader-account.

• users@consumer-account are different from users@producer-account