Skip to content

You are viewing documentation for Immuta version 2022.5.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

Using Snowflake Data Sharing with Immuta

Immuta is compatible with Snowflake Secure Data Sharing. Using both Immuta and Snowflake, organizations can share the policy-protected data of their Snowflake database with other Snowflake accounts with Immuta policies enforced in real time. See below for instructions on using Snowflake Data Sharing with Immuta Users using Immuta's table grants feature and Snowflake Data Sharing with non-Immuta users using Immuta's project workspaces.

Workflow with Immuta Users (Public Preview)

Prerequisites:

1 - Create Immuta Policies to Protect the Data

Required Permission:

  • Immuta: GOVERNANCE

Build Immuta data policies to fit your organization's compliance requirements.

2 - Register the Snowflake Data Consumer with Immuta

Required Permission:

  • Immuta: USER_ADMIN

To register the Snowflake data consumer in Immuta,

  1. Create a new Immuta user.
  2. Update the Immuta user's Snowflake username to match the account ID for the data consumer. This value is the output on the data consumer side when SELECT CURRENT_ACCOUNT() is run in Snowflake.
  3. Give the Immuta user the appropriate attributes and groups for your organization's policies.
  4. Subscribe the Immuta user to the data sources.

3 - Create the Snowflake Data Share

Required Permission:

  • Snowflake: ACCOUNTADMIN

To share the policy-protected data source,

  1. Create a Snowflake Data Share of the Snowflake table that has been registered in Immuta.

  2. Grant reference usage on the Immuta database to the share you created:

    GRANT REFERENCE_USAGE ON DATABASE "<Immuta database of the provider account>" TO SHARE "<DATA_SHARE>";
    Replace the content in angle brackets above with the name of your Immuta database and Snowflake data share.

Workflow with Non-Immuta Users

Prerequisites:

Use Case

As you follow this tutorial, these callouts will have examples centered around the same use case and will further explain the steps necessary to meet the following compliance requirement:

Compliance Requirement: Users can only see data from their country.

1 - Create Immuta Policies

Use Case: Create Policies

The Immuta user will create a global data policy that restricts the rows users can see based on their attributes, which identify their country. In the example below, users with the attribute Country.JP would only see rows that have JP as a value in the CREDIT POINT OF SALE column.

Use Case: Global Policy

Required Permission:

  • Immuta: GOVERNANCE

Using an attribute based access control (ABAC) model, build Immuta data policies using Immuta attributes and groups to fit your organization's compliance requirements.

2 - Create an Immuta Project

Use Case: Create Project

The Immuta user will create a project for the data share. In the example below, the user creates a Japan Data Share project that will only be shared with data consumers in Japan.

Use Case: Project

Required Permission:

  • Immuta: CREATE_PROJECT

Create an Immuta project with the data sources that you will be sharing, a Snowflake workspace, and project equalization enabled.

3 - Prepare the Project to Share

Use Case

Because data consumers have the attribute "Country.JP", this will be the equalized entitlement added to the project. The Immuta user editing the equalized entitlement must also have the attribute "Country.JP" to ensure they have access to the data they will share.

Use Case: Entitlements

Required Permission:

  • Immuta: CREATE_PROJECT or PROJECT_MANAGEMENT

A user with the same attributes or groups as the data consumer must edit the equalized entitlements to represent the appropriate attributes and groups of the data consumer.

4 - Create the Snowflake Data Share

Required Permission:

  • Snowflake: ACCOUNTADMIN

Create the Snowflake Data Share pointing to the project workspace using the schema and role in the Native Snowflake Access section of the project information. Repeat this step for each data source you want to share.

Workspace Connection Information

The commands run in Snowflake should look similar to this:

CREATE SHARE "WORKSPACE_SCHEMA";
GRANT USAGE ON DATABASE "WORKSPACE_DATABASE" TO SHARE "WORKSPACE_SCHEMA";
GRANT REFERENCE_USAGE ON DATABASE "WORKSPACE_DATABASE" TO SHARE "WORKSPACE_SCHEMA";
GRANT USAGE ON SCHEMA "WORKSPACE_DATABASE"."WORKSPACE_SCHEMA" TO SHARE "WORKSPACE_SCHEMA";
GRANT SELECT ON VIEW "WORKSPACE_DATABASE"."WORKSPACE_SCHEMA"."DATA_SOURCE" TO SHARE "WORKSPACE_SCHEMA";