Snowflake Minimum Permissions needed to run Immuta SQL script for the integration
If you are setting up the Immuta-Snowflake integration manually or through Enhanced Onboarding, you will need a Snowflake user and role with sufficient privileges to execute every statement in the Immuta bootstrap SQL script. This script creates the framework that the rest of the integration setup depends on. The framework includes the following elements (which may vary depending on features and Immuta versions):
- An Immuta database that houses all integration objects in Snowflake
- A dedicated Immuta user (e.g., db_SYSTEM_ACCOUNT) and role (e.g., db_SYSTEM) that Immuta uses to manage the integration going forward
- The IMMUTA_SYSTEM schema inside the Immuta database, containing tables such as ALLOW_LIST (excepted users/roles), PROFILES (Snowflake usernames mapped to Immuta usernames), VERSION, etc. (depending on versions and features)
- The IMMUTA_POLICIES schema, which houses all Snowflake policy objects (both row access and column masking policies)
- The IMMUTA_PROCEDURES and IMMUTA_FUNCTIONS schemas, which house the stored procedures and functions required to manage the integration
The user executing this script needs a role that holds the following account-level privileges:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT
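The following pre-flight check is an added example, not part of the Immuta bootstrap script or Immuta's own documentation. It assumes the role you intend to execute the script with is named BOOTSTRAP_ADMIN (a hypothetical name; substitute your own) and reports, for each of the four privileges above, whether the role holds it directly and, where the script requires it, WITH GRANT OPTION.

```sql
-- Added pre-flight check (not part of the Immuta bootstrap script).
-- BOOTSTRAP_ADMIN is a hypothetical role name; replace it with the role you
-- will actually use to run the script.
SHOW GRANTS TO ROLE BOOTSTRAP_ADMIN;

-- Compare the account-level grants from the SHOW output above against the
-- four privileges the script needs, flagging any that are missing or that
-- lack WITH GRANT OPTION where the script requires it.
WITH required (privilege, needs_grant_option) AS (
  SELECT * FROM VALUES
    ('CREATE DATABASE', TRUE),
    ('CREATE ROLE',     TRUE),
    ('CREATE USER',     TRUE),
    ('MANAGE GRANTS',   FALSE)
),
held AS (
  SELECT "privilege"             AS privilege,
         "grant_option" = 'true' AS has_grant_option
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "granted_on" = 'ACCOUNT'
)
SELECT r.privilege,
       r.needs_grant_option,
       h.privilege IS NOT NULL             AS held,
       COALESCE(h.has_grant_option, FALSE) AS held_with_grant_option,
       CASE
         WHEN h.privilege IS NULL                               THEN 'MISSING'
         WHEN r.needs_grant_option AND NOT h.has_grant_option   THEN 'MISSING GRANT OPTION'
         ELSE 'OK'
       END AS status
FROM required r
LEFT JOIN held h ON h.privilege = r.privilege
ORDER BY r.privilege;
```

Run the two statements back to back in the same session so that LAST_QUERY_ID() refers to the SHOW GRANTS. SHOW GRANTS TO ROLE lists only privileges granted directly to that role, not privileges it inherits from roles granted to it, so point the check at the role whose grants you actually rely on. Keep in mind that MANAGE GRANTS lets its holder grant or revoke privileges on any object in the account as if it owned that object, so the role used for the bootstrap should be reserved for that purpose rather than left on an everyday user.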
Below are most of the SQL statements from the bootstrap script, grouped by the Snowflake role that executes each group:
SYSADMIN
CREATE DATABASE "BCIMMUTA_DB";
CREATE SCHEMA IF NOT EXISTS "BCIMMUTA_DB".immuta_procedures;
CREATE SCHEMA IF NOT EXISTS "BCIMMUTA_DB".immuta_functions;
USERADMIN (impersonation-role SQL may also appear here, depending on version and features)
CREATE ROLE IF NOT EXISTS "BCIMMUTA_DB_SYSTEM";
-- The password literal below is whatever value this copy of the script was generated with; set your own secret here and do not reuse the value shown on this page.
CREATE USER IF NOT EXISTS "BCIMMUTA_DB_SYSTEM_ACCOUNT" default_role="BCIMMUTA_DB_SYSTEM" login_name="BCIMMUTA_DB_SYSTEM_ACCOUNT" default_namespace="BCIMMUTA_DB" password="OZaLBGWrH0dMF6DR+gXOLlE3LOKfKNdAuVjGsgRAokA=" type=LEGACY_SERVICE;
GRANT ROLE "BCIMMUTA_DB_SYSTEM" TO USER "BCIMMUTA_DB_SYSTEM_ACCOUNT";
ALTER USER "BCIMMUTA_DB_SYSTEM_ACCOUNT" SET default_role="BCIMMUTA_DB_SYSTEM";
ALTER USER "BCIMMUTA_DB_SYSTEM_ACCOUNT" SET default_namespace="BCIMMUTA_DB";
SECURITYADMIN
GRANT ALL PRIVILEGES ON DATABASE "BCIMMUTA_DB" TO ROLE "BCIMMUTA_DB_SYSTEM" WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON ALL SCHEMAS IN DATABASE "BCIMMUTA_DB" TO ROLE "BCIMMUTA_DB_SYSTEM" WITH GRANT OPTION;
GRANT USAGE ON FUTURE PROCEDURES IN SCHEMA "BCIMMUTA_DB".immuta_procedures TO ROLE "BCIMMUTA_DB_SYSTEM" WITH GRANT OPTION;
GRANT USAGE ON WAREHOUSE "DEMO_WH" TO ROLE "BCIMMUTA_DB_SYSTEM";
SECURITYADMIN (this statement is for the native query audit feature)
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE "BCIMMUTA_DB_SYSTEM";
ACCOUNTADMIN (create and manage Snowflake row and column policy objects)
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE "BCIMMUTA_DB_SYSTEM";
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE "BCIMMUTA_DB_SYSTEM";
ACCOUNTADMIN (Snowflake tag ingestion, depending on versions and features)
GRANT APPLY TAG ON ACCOUNT TO ROLE "BCIMMUTA_DB_SYSTEM";
SYSADMIN
CREATE SCHEMA IF NOT EXISTS "BCIMMUTA_DB".immuta_policies;
SECURITYADMIN
GRANT OWNERSHIP ON SCHEMA "BCIMMUTA_DB".immuta_policies TO ROLE "BCIMMUTA_DB_SYSTEM" COPY CURRENT GRANTS;
SYSADMIN
-- CREATE OR REPLACE PROCEDURE statements that support project workspace features (omitted here)
SECURITYADMIN
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE "BCIMMUTA_DB_SYSTEM";
GRANT CREATE ROLE ON ACCOUNT TO ROLE "BCIMMUTA_DB_SYSTEM";
GRANT OWNERSHIP ON SCHEMA "BCIMMUTA_DB".immuta_procedures TO ROLE "BCIMMUTA_DB_SYSTEM" COPY CURRENT GRANTS;
GRANT OWNERSHIP ON SCHEMA "BCIMMUTA_DB".immuta_functions TO ROLE "BCIMMUTA_DB_SYSTEM" COPY CURRENT GRANTS;
GRANT OWNERSHIP ON SCHEMA "BCIMMUTA_DB".public TO ROLE "BCIMMUTA_DB_SYSTEM" COPY CURRENT GRANTS;
GRANT ROLE "BC_DSIA_SUSER" TO USER "BCIMMUTA_DB_SYSTEM_ACCOUNT";
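As an added example (not part of the bootstrap script), the following statements verify the state the script leaves behind, using the object names from the script above: that only the dedicated service user holds BCIMMUTA_DB_SYSTEM, which account-level privileges the role now carries, and that the service user's defaults match what the script set. Because the script grants MANAGE GRANTS and CREATE ROLE ON ACCOUNT to BCIMMUTA_DB_SYSTEM, any additional holder of that role gets the same reach, which is why the first query looks for grantees other than the service user.

```sql
-- Added post-bootstrap verification (not part of the Immuta bootstrap script).
-- Object names are the ones used in the script above.

-- 1. Who holds the Immuta system role? The only expected grantee is the
--    dedicated service user; any row returned here is an unexpected holder.
SHOW GRANTS OF ROLE "BCIMMUTA_DB_SYSTEM";
SELECT "granted_to", "grantee_name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE NOT ("granted_to" = 'USER' AND "grantee_name" = 'BCIMMUTA_DB_SYSTEM_ACCOUNT');

-- 2. Which account-level privileges did the role end up with? Compare the
--    result against the GRANT ... ON ACCOUNT statements in the script
--    (APPLY MASKING POLICY, APPLY ROW ACCESS POLICY, APPLY TAG, MANAGE GRANTS,
--    CREATE ROLE); anything beyond those warrants a closer look.
SHOW GRANTS TO ROLE "BCIMMUTA_DB_SYSTEM";
SELECT "privilege", "grant_option", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'ACCOUNT'
ORDER BY "privilege";

-- 3. Confirm the service user's login name, defaults, type and enabled state
--    match what the CREATE USER / ALTER USER statements set.
DESCRIBE USER "BCIMMUTA_DB_SYSTEM_ACCOUNT";
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('LOGIN_NAME', 'DEFAULT_ROLE', 'DEFAULT_NAMESPACE', 'TYPE', 'DISABLED');
```

Each SELECT must immediately follow its SHOW or DESCRIBE in the same session, since RESULT_SCAN(LAST_QUERY_ID()) reads the output of the previous statement. Running these checks with a role such as SECURITYADMIN, which can see grants account-wide, avoids an empty result caused by the executing role lacking visibility rather than by the grant being absent.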