1 of 4

How-to Guides

Register a Snowflake Host

This feature is being gradually rolled out to customers and may not be available to your account yet.

Requirements:

Immuta permission CREATE_DATA_SOURCE
USAGE Snowflake privilege on the schema and database to register data sources
REFERENCES Snowflake privilege on all tables
No Snowflake integrations configured in Immuta. If your Snowflake integration is already configured on the app settings page, register your data sources using the legacy method.

To register a Snowflake host with all its schemas and data sources, follow the instructions below.

Click Data and select the Infrastructure tab in the navigation menu.
Click the + Add Host button.
Select the Snowflake data platform tile.
Enter the host connection information:
- Host: The URL of your Snowflake account.
- Port: Your Snowflake port.
- Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.
- Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.
- Role: The default Snowflake role for the Immuta system account user.
- Connection Key: A unique name for your host. This connection key will be used to create data source names for this host.
Click Next.
Select an authentication method from the dropdown menu. This authentication information will be included in the script populated later on the page.
1. Username and password: Choose one of the following options.
  1. Select Immuta Generated to have Immuta populate the system account name and password.
  2. Select User Provided to enter your own name and password for the Immuta system account.
2. Snowflake External OAuth:
  1. Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).
  2. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).
  3. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.
  4. Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as x5t or is called kid (key identifier).
  5. Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.
3. Key Pair Authentication:
  1. Complete the Username field. This username will be used to connect to the remote database and retrieve records for this data source.
  2. If using a private key, enter the Private Key Password.
  3. Click Select a File, and upload a Snowflake key pair file.
The Role is prepopulated from the entry on the previous page.
Copy the provided script and run it in Snowflake with the following Snowflake permissions:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
- APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
- APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
Click Test Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.

Register a Databricks Unity Catalog Host

This feature is being gradually rolled out to customers and may not be available to your account yet.

Requirement

No Databricks Unity Catalog integrations can already be configured in Immuta. If your Databricks Unity Catalog integration is already configured on the app settings page, register your data sources using the legacy method.

Permissions

Several different accounts are used to set up and maintain the Databricks Unity Catalog integration. The permissions required for each are outlined below.

Immuta account (required): This user configures the integration and registers the host. This user needs the following permission:
- CREATE_DATA_SOURCE Immuta permission
Databricks service principal (required): This service principal is used continuously by Immuta to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks. This service principal needs the following Databricks privileges:
- OWNER permission on the Immuta catalog you configure.
- OWNER privilege on one of the securables below so that Immuta can administer Unity Catalog row-level and column-level security controls.
  - on catalogs with schemas and tables registered as Immuta data sources. This permission could also be applied by granting OWNER on a catalog to a Databricks group that includes the Immuta service principal to allow for multiple owners.
  - on schemas with tables registered as Immuta data sources.
  - on all tables registered as Immuta data sources - if the OWNER permission cannot be applied at the catalog- or schema-level. In this case, each table registered as an Immuta data source must individually have the OWNER permission granted to the Immuta service principal.
- USE CATALOG and USE SCHEMA on parent catalogs and schemas of tables registered as Immuta data sources so that the Immuta service principal can SELECT and MODIFY securables within the parent catalog and schema.
- SELECT and MODIFY on all tables registered as Immuta data sources so that the Immuta service principal can grant and revoke access to tables and apply Unity Catalog row- and column-level security controls.
Databricks account (required): This user account can manually configure the integration in Databricks to create the Immuta-managed catalog. To do so, this account requires the following Databricks privileges:
- CREATE CATALOG on the Unity Catalog metastore
- ACCOUNT ADMIN on the Unity Catalog metastore for native query audit (optional)

Register a host

Click Data and select the Infrastructure tab in the navigation menu.
Click the + Add Host button.
Select the Databricks data platform tile.
Enter the host connection information:
- Host: The hostname of your Databricks workspace.
- Port: Your Databricks port.
- HTTP Path: The HTTP path of your Databricks cluster or SQL warehouse.
- Immuta Catalog: The name of the catalog Immuta will create to store internal entitlements and other user data specific to Immuta. This catalog will only be readable for the Immuta service principal and should not be granted to other users. The catalog name may only contain letters, numbers, and underscores and cannot start with a number.
- Connection Key: A unique name for your host. This connection key will be used to create data source names for this host.
Click Next.
Select Access Token authentication method from the dropdown menu.
Enter the Access Token in the Immuta System Account Credentials section. This is the access token for the Immuta service principal. This service principal must have the metastore privileges listed in the requirements section at the top of this page for the metastore associated with the Databricks workspace. If this token is configured to expire, update this field regularly for the integration to continue to function. This authentication information will be included in the script populated later on the page.
Copy the provided script and run it in Databricks as a user with the CREATE CATALOG privilege on the Unity Catalog metastore.
Click Validate Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.

Manually Crawl a Host or Object

This feature is being gradually rolled out to customers and may not be available to your account yet.

Requirement: Immuta permission CREATE_DATA_SOURCE

Prerequisite: Host registered using the enhanced onboarding and data registration workflow for Snowflake or Databricks Unity Catalog

Crawl a host

Click Data and select the Infrastructure tab in the navigation menu.
Select the host.
Click the user action menu and select Re-crawl Host.

Crawl a database

Click Data and select the Infrastructure tab in the navigation menu.
Select the host.
Click the menu icon in the Action column for the database you want to crawl and select Re-crawl Database.

Crawl a schema

Click Data and select the Infrastructure tab in the navigation menu.
Select the host.
Select the database in the data objects table.
Click the menu icon in the Action column for the schema you want to crawl and select Re-crawl Schema.

Crawl a table

Click Data and select the Infrastructure tab in the navigation menu.
Select the host.
Select the database and then the schema in the data objects table.
Click the menu icon in the Action column for the table you want to crawl and select Re-crawl Table.

Register a Snowflake Host

This feature is being gradually rolled out to customers and may not be available to your account yet.

Requirements:

Immuta permission CREATE_DATA_SOURCE
USAGE Snowflake privilege on the schema and database to register data sources
REFERENCES Snowflake privilege on all tables
No Snowflake integrations configured in Immuta. If your Snowflake integration is already configured on the app settings page, register your data sources using the legacy method.

To register a Snowflake host with all its schemas and data sources, follow the instructions below.

Click Data and select the Infrastructure tab in the navigation menu.
Click the + Add Host button.
Select the Snowflake data platform tile.
Enter the host connection information:
- Host: The URL of your Snowflake account.
- Port: Your Snowflake port.
- Warehouse: The warehouse the Immuta system account user will use to run queries and perform Snowflake operations.
- Immuta Database: The new, empty database for Immuta to manage. This is where system views, user entitlements, row access policies, column-level policies, procedures, and functions managed by Immuta will be created and stored.
- Role: The default Snowflake role for the Immuta system account user.
- Connection Key: A unique name for your host. This connection key will be used to create data source names for this host.
Click Next.
Select an authentication method from the dropdown menu. This authentication information will be included in the script populated later on the page.
1. Username and password: Choose one of the following options.
  1. Select Immuta Generated to have Immuta populate the system account name and password.
  2. Select User Provided to enter your own name and password for the Immuta system account.
2. Snowflake External OAuth:
  1. Fill out the Token Endpoint, which is where the generated token is sent. It is also known as aud (audience) and iss (issuer).
  2. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).
  3. Opt to fill out the Resource field with a URI of the resource where the requested token will be used.
  4. Enter the x509 Certificate Thumbprint. This identifies the corresponding key to the token and is often abbreviated as x5t or is called kid (key identifier).
  5. Upload the PEM Certificate, which is the client certificate that is used to sign the authorization request.
3. Key Pair Authentication:
  1. Complete the Username field. This username will be used to connect to the remote database and retrieve records for this data source.
  2. If using a private key, enter the Private Key Password.
  3. Click Select a File, and upload a Snowflake key pair file.
The Role is prepopulated from the entry on the previous page.
Copy the provided script and run it in Snowflake with the following Snowflake permissions:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION
- CREATE ROLE ON ACCOUNT WITH GRANT OPTION
- CREATE USER ON ACCOUNT WITH GRANT OPTION
- MANAGE GRANTS ON ACCOUNT WITH GRANT OPTION
- APPLY MASKING POLICY ON ACCOUNT WITH GRANT OPTION
- APPLY ROW ACCESS POLICY ON ACCOUNT WITH GRANT OPTION
Click Test Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.

Register a Databricks Unity Catalog Host

This feature is being gradually rolled out to customers and may not be available to your account yet.

Requirement

Permissions

Several different accounts are used to set up and maintain the Databricks Unity Catalog integration. The permissions required for each are outlined below.

Immuta account (required): This user configures the integration and registers the host. This user needs the following permission:
- CREATE_DATA_SOURCE Immuta permission
Databricks service principal (required): This service principal is used continuously by Immuta to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks. This service principal needs the following Databricks privileges:
- OWNER permission on the Immuta catalog you configure.
- OWNER privilege on one of the securables below so that Immuta can administer Unity Catalog row-level and column-level security controls.
  - on catalogs with schemas and tables registered as Immuta data sources. This permission could also be applied by granting OWNER on a catalog to a Databricks group that includes the Immuta service principal to allow for multiple owners.
  - on schemas with tables registered as Immuta data sources.
  - on all tables registered as Immuta data sources - if the OWNER permission cannot be applied at the catalog- or schema-level. In this case, each table registered as an Immuta data source must individually have the OWNER permission granted to the Immuta service principal.
- USE CATALOG and USE SCHEMA on parent catalogs and schemas of tables registered as Immuta data sources so that the Immuta service principal can SELECT and MODIFY securables within the parent catalog and schema.
- SELECT and MODIFY on all tables registered as Immuta data sources so that the Immuta service principal can grant and revoke access to tables and apply Unity Catalog row- and column-level security controls.
Databricks account (required): This user account can manually configure the integration in Databricks to create the Immuta-managed catalog. To do so, this account requires the following Databricks privileges:
- CREATE CATALOG on the Unity Catalog metastore
- ACCOUNT ADMIN on the Unity Catalog metastore for native query audit (optional)

Register a host

Click Data and select the Infrastructure tab in the navigation menu.
Click the + Add Host button.
Select the Databricks data platform tile.
Enter the host connection information:
- Host: The hostname of your Databricks workspace.
- Port: Your Databricks port.
- HTTP Path: The HTTP path of your Databricks cluster or SQL warehouse.
- Immuta Catalog: The name of the catalog Immuta will create to store internal entitlements and other user data specific to Immuta. This catalog will only be readable for the Immuta service principal and should not be granted to other users. The catalog name may only contain letters, numbers, and underscores and cannot start with a number.
- Connection Key: A unique name for your host. This connection key will be used to create data source names for this host.
Click Next.
Select Access Token authentication method from the dropdown menu.
Enter the Access Token in the Immuta System Account Credentials section. This is the access token for the Immuta service principal. This service principal must have the metastore privileges listed in the requirements section at the top of this page for the metastore associated with the Databricks workspace. If this token is configured to expire, update this field regularly for the integration to continue to function. This authentication information will be included in the script populated later on the page.
Copy the provided script and run it in Databricks as a user with the CREATE CATALOG privilege on the Unity Catalog metastore.
Click Validate Connection.
If the connection is successful, click Next. If there are any errors, check the connection details and credentials to ensure they are correct and try again.
Ensure all the details are correct in the summary and click Complete Setup.