Snowflake Table Grants User Guide (Public Preview)
Snowflake table grants is a public preview feature of the Immuta Snowflake integration. Snowflake table grants greatly simplifies the management of privileges in Snowflake when using Immuta. With Snowflake table grants enabled, Immuta will manage privileges on your Snowflake tables and views according to the subscription policies on the corresponding Immuta data sources.
Using the Snowflake table grants feature, a user subscribed to a data source in Immuta will be able to view and query the Snowflake table, and similarly, users not subscribed to a data source will be unable to view or query the Snowflake table.
In Snowflake, table privileges are granted to roles, not to users. Therefore, in order to manage table grants via fine-grained access controls that consider the individual attributes of a given user, the Snowflake table grants feature creates a new Snowflake role for each Immuta user.
Enable Snowflake Table Grants
Follow these instructions to enable the Snowflake table grants feature in Immuta.
- Navigate to the App Settings page, click Advanced Settings in the left panel, and scroll to the Preview Features section.
- Check the Snowflake Table Grants checkbox.
- Opt to change the Role Prefix. Snowflake table grants creates a new Snowflake role for each Immuta user, and every one of these roles carries a common prefix so that the generated role names do not collide with existing Snowflake roles. When using multiple Immuta accounts within a single Snowflake account, the Snowflake Table Grants role prefix should be unique for each Immuta account. The prefix cannot be modified once the feature is enabled; to change it, disable and re-enable the feature. The prefix must adhere to Snowflake identifier requirements and be fewer than 50 characters.
- From here you can either set up a new Snowflake integration by clicking Save and continuing with the configuration tutorial, or migrate the Snowflake integrations you have already configured:
  - For any configured Snowflake integrations set up using the automatic setup, you will be prompted to enter connection information for a Snowflake user. Immuta will execute the migration to Snowflake table grants using a connection established with this Snowflake user. Note: The Snowflake user you provide here must have the Snowflake privileges required to run the privilege grants listed under Additional Snowflake Privileges Required for Snowflake Table Grants.
  - For any configured Snowflake integrations set up using the manual setup, you will be shown a link to a migration script you must run in Snowflake and a link to a rollback script, for use in the event of a failed migration. Important: You must execute the migration script in Snowflake before clicking Save.
Additional Snowflake Privileges Required for Snowflake Table Grants
Enabling the Snowflake table grants feature grants the following privileges to the Immuta Snowflake role:
- MANAGE GRANTS ON ACCOUNT, which allows the Immuta Snowflake role to grant and revoke SELECT privileges on Snowflake tables and views that have been added as data sources in Immuta.
- CREATE ROLE ON ACCOUNT, which allows for the creation of a Snowflake role for each user in Immuta, enabling fine-grained, attribute-based access controls to determine which tables are available to which individuals.
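The following SQL is added here as an illustration of the two privileges above and how to confirm they are in place; it is not Immuta's own setup or migration script. The integration role name IMMUTA_ROLE and the use of ACCOUNTADMIN to issue the grants are assumptions; substitute the role your Immuta integration actually uses.

```sql
-- Added example, not Immuta's script. Assumes the Immuta integration role is
-- named IMMUTA_ROLE and that ACCOUNTADMIN (or another role holding MANAGE
-- GRANTS) runs these statements.
USE ROLE ACCOUNTADMIN;

-- Lets the Immuta role GRANT and REVOKE SELECT on data-source tables and views.
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE IMMUTA_ROLE;

-- Lets the Immuta role create one <PREFIX>_USER_<username> role per Immuta user.
GRANT CREATE ROLE ON ACCOUNT TO ROLE IMMUTA_ROLE;

-- Verify: both account-level privileges should appear in the output.
SHOW GRANTS TO ROLE IMMUTA_ROLE;

-- Narrow the SHOW output to the two privileges of interest. SHOW result
-- columns are lowercase and must be double-quoted when read via RESULT_SCAN.
SELECT "privilege", "granted_on", "grantee_name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" = 'ACCOUNT'
   AND "privilege" IN ('MANAGE GRANTS', 'CREATE ROLE');
```

MANAGE GRANTS ON ACCOUNT is account-wide: a role holding it can grant or revoke privileges on any object in the account, not only on tables registered as Immuta data sources. Treat the Immuta Snowflake role and the credentials that authenticate to it as highly privileged, and restrict which users and roles are allowed to assume it.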
Table Grants Role
Since table privileges are granted to roles and not to users in Snowflake, Immuta's Snowflake table grants feature creates a new Snowflake role for each Immuta user. This design allows Immuta to manage table grants through fine-grained access controls that consider the individual attributes of users.
Each Snowflake user with an Immuta account will be granted a role that Immuta manages. The naming convention for this role is <IMMUTA>_USER_<username>, where <IMMUTA> is the prefix you specified when enabling the feature on the Immuta app settings page and <username> is the user's Immuta username.
Querying Snowflake Tables Managed by Immuta
Users are granted access to each Snowflake table or view automatically when they are subscribed to the corresponding data source in Immuta.
Users have two options for querying Snowflake tables that are managed by Immuta:
- Use the role that Immuta creates and manages (for example, USE ROLE IMMUTA_USER_<username>; see the section above for details about the role and its naming convention). If this role is used as the current active primary role to query tables, USAGE on a Snowflake warehouse must be granted to the Immuta-managed Snowflake role for each user.
- Use USE SECONDARY ROLES ALL, which allows users to use the privileges from all roles that they have been granted, including IMMUTA_USER_<username>, in addition to the current active primary role. DEFAULT_SECONDARY_ROLES can also be set as an object property on the Snowflake user so that secondary roles are active in every new session. To learn more about primary roles and secondary roles in Snowflake, see the Snowflake documentation.
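The session below is an added example, not taken from Immuta's documentation or code, that walks through both query options and the role naming convention from the previous section for a hypothetical Immuta user alice with the role prefix IMMUTA. The warehouse COMPUTE_WH, the primary role ANALYST, the data source table ANALYTICS.PUBLIC.ORDERS and the exact case of the generated role name are all assumptions. The statements in the first comment block reproduce, for illustration only, the kind of role and SELECT grant Immuta issues automatically on subscription; you do not run them by hand.

```sql
-- Added example. Assumed names: prefix IMMUTA, Immuta user alice (Snowflake
-- user ALICE), warehouse COMPUTE_WH, primary role ANALYST, data source
-- ANALYTICS.PUBLIC.ORDERS. Immuta manages the IMMUTA_USER_ALICE role and its
-- SELECT grants; they appear here only so the privilege model is visible
-- end to end.

-- What Immuta does on subscription (illustrative; not run by hand):
--   CREATE ROLE IMMUTA_USER_ALICE;
--   GRANT ROLE IMMUTA_USER_ALICE TO USER ALICE;
--   GRANT SELECT ON TABLE ANALYTICS.PUBLIC.ORDERS TO ROLE IMMUTA_USER_ALICE;

-- Administrator, one-time. Needed only for option 1: a session whose primary
-- role is IMMUTA_USER_ALICE must itself be allowed to use a warehouse.
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE IMMUTA_USER_ALICE;

-- Option 1: make the Immuta-managed role the session's primary role.
USE ROLE IMMUTA_USER_ALICE;
USE WAREHOUSE COMPUTE_WH;
SELECT COUNT(*) FROM ANALYTICS.PUBLIC.ORDERS;

-- Option 2: keep the usual primary role (which already has warehouse USAGE)
-- and activate every granted role as a secondary role, so the SELECT held by
-- IMMUTA_USER_ALICE applies on top of ANALYST's privileges.
USE ROLE ANALYST;
USE SECONDARY ROLES ALL;
SELECT COUNT(*) FROM ANALYTICS.PUBLIC.ORDERS;

-- Make option 2 the default for every new session of this user.
ALTER USER ALICE SET DEFAULT_SECONDARY_ROLES = ('ALL');

-- Checks: which roles are active, and what the managed role can actually read.
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();
SHOW GRANTS TO ROLE IMMUTA_USER_ALICE;        -- expect SELECT on subscribed data sources only
SHOW GRANTS ON TABLE ANALYTICS.PUBLIC.ORDERS; -- expect one IMMUTA_USER_* role per subscriber
```

The last two SHOW statements are the check worth running after enabling the feature or after a subscription policy changes: a managed role should carry nothing beyond SELECT on the data sources that user is subscribed to, and a data-source table should list only the managed roles of its current subscribers. Any other grant on those objects was made outside Immuta and will not be revoked when the user is unsubscribed.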
Limitations
- Project workspaces are not supported when Snowflake table grants is enabled.
- If an Immuta instance is connected to an external IAM and that external IAM has a username identical to a username in Immuta's built-in IAM, both users map to the same <IMMUTA>_USER_<username> Snowflake role, so each of them can see the data the other is subscribed to. Make sure usernames are unique across all IAMs connected to Immuta before enabling the feature.
Migration
If you were using the Private Preview version of Table Grants, available before the 2022.3 release, you will need to migrate when you upgrade. You can do this migration pre-upgrade or post-upgrade.
Pre-Upgrade Migration Steps
- Navigate to the App Settings page.
- Click Advanced Settings in the left panel, and scroll to the Preview Features section.
- Uncheck the Snowflake Table Grants checkbox to disable the feature.
- Click Save and perform your Immuta version upgrade.
- Use the Enable Snowflake Table Grants tutorial to re-enable the feature.
Post-Upgrade Migration Steps
- Navigate to the App Settings page.
- Click Advanced Settings in the left panel, and scroll to the Preview Features section.
- Uncheck the Snowflake Table Grants checkbox to disable the feature.
- Click Save. Wait for about 1 minute per 1000 users. This gives time for Immuta to drop all the previously created user roles.
- Use the Enable Snowflake Table Grants tutorial to re-enable the feature.