
Access Management Policy

Access Management policies control privileges for data objects in Snowflake, allowing you to manage access without relying on data engineers or submitting tickets. With these policies, non-technical users can define which Snowflake roles have access to specific data objects.

Privileges

Specific privileges are included depending on the schema object and level of access you are granting. Refer to the following table for details:

| Object Type | Grant Level | Privileges Included |
|---|---|---|
| Database | Read | USAGE; USAGE ON ALL SCHEMAS; SELECT ON ALL TABLES; SELECT ON ALL VIEWS; USAGE ON FUTURE SCHEMAS; SELECT ON FUTURE TABLES; SELECT ON FUTURE VIEWS |
| Database | Write | USAGE; USAGE ON ALL SCHEMAS; INSERT ON ALL TABLES; TRUNCATE ON ALL TABLES; UPDATE ON ALL TABLES; INSERT ON ALL VIEWS; TRUNCATE ON ALL VIEWS; UPDATE ON ALL VIEWS; FUTURE ON ALL SCHEMAS; FUTURE ON ALL TABLES; FUTURE ON ALL VIEWS |
| Database | Read/Write | All privileges in Read and Write |
| Schema | Read | USAGE; SELECT ON ALL TABLES; SELECT ON ALL VIEWS; FUTURE ON ALL TABLES; FUTURE ON ALL VIEWS; USAGE on parent database |
| Schema | Write | USAGE; INSERT ON ALL TABLES; TRUNCATE ON ALL TABLES; UPDATE ON ALL TABLES; INSERT ON ALL VIEWS; TRUNCATE ON ALL VIEWS; UPDATE ON ALL VIEWS; FUTURE ON ALL TABLES; FUTURE ON ALL VIEWS; USAGE on parent database |
| Schema | Read/Write | All privileges in Read and Write |
| Table | Read | SELECT; USAGE on parent schema; USAGE on parent database |
| Table | Write | INSERT; TRUNCATE; UPDATE; USAGE on parent schema; USAGE on parent database |
| Table | Read/Write | All privileges in Read and Write |
| View | Read | SELECT; USAGE on parent schema; USAGE on parent database |
| View | Write | INSERT; TRUNCATE; UPDATE; USAGE on parent schema; USAGE on parent database |
| View | Read/Write | All privileges in Read and Write |

To create an access management policy:

  1. Ensure the Snowflake account that contains the schema objects to which you are applying policy has been connected in ALTR. Learn more.

  2. Select Policy in the Navigation menu.

  3. Click Create Policy.

  4. Locate the Access Management Policy card and click Create Policy.

  5. Locate the Snowflake card and click Create Policy.

    Note

    Access management policy is currently only supported for Snowflake data sources.

  6. Enter a user-friendly Policy Name to identify the policy.

  7. Select a Data Source that the policy affects.

    Note

    Only data sources connected in ALTR display in the dropdown. If your data source does not display in the dropdown, ensure it has been connected to ALTR. Learn more.

  8. Click Next.

  9. Click + Rule Statement to add a rule statement that defines access to data objects either by object name or by tag.

  10. Select either object name or tag to determine how access is controlled by database objects.

    1. object name—controls access by the object name and location

    2. tag—controls access by the tag assigned to the object

  11. Create the policy rule statement by selecting the following options:

    1. role that the policy affects, which is an ALTR user group. Learn more in User Group Management.

    2. read, write or read/write to determine the level of access of the schema object that the users with the selected role can access. Specific privileges are included depending on the schema object and level of access you are granting. Learn more.

    3. object type: database, schema, table or view to determine what kind of object the roles have access to.

  12. Define the object or the tag, depending on the type of rule statement.

  13. Click Next.

  14. Set a schedule in your local time to automatically check for new data objects that match the rules and update the policy to include them. If you do not want to automatically check for new objects, select none. You can also manually refresh the policy at any time. Learn more.

  15. Click Save.

Note

Depending on the number of objects in the database or the size of the Snowflake warehouse, it may take some time for ALTR to create your policy.

Refresh a policy to check for new data objects and update the policy as needed.

There are two ways to refresh a policy:

  • on a schedule—automatically checks for new data objects at an interval you set for the policy

  • manually—checks for new data objects only when the Refresh button is clicked

To refresh a policy:

  1. Select Policy in the Navigation menu.

  2. Click the access management policy you wish to refresh.

  3. Click Edit Policy.

  4. Set a schedule under Policy Refresh to schedule the refresh or click Refresh to manually refresh now.

    Note

    If you manually refresh the policy, your scheduled refresh still runs at its next interval.

  5. Click Save.

Depending on the number of objects in the database or the size of the Snowflake warehouse, it may take some time for the refresh to complete.

See what access was granted by a policy.

This report helps you:

  • Verify that the policy is granting the intended access

  • Identify new databases or objects added during the latest refresh

  • Confirm that the policy is up to date

  • Share details with users about what the policy allows

The latest report, either from the schedule or a manual refresh, is available.

To view the latest report:

  1. Select Policy in the Navigation menu.

  2. Locate the policy and click Edit Policy.

  3. Click Download Latest Report; a CSV file is generated and downloaded.

If two policies have different levels of access, ALL the access from the union of the policies is granted.

Tip

You create one policy that gives the Analyst role read access to the sales_data schema. Later, another policy grants the same role write access to that schema. As a result, the Analyst role is granted read and write access to the sales_data schema.

Edit an access management policy to:

  • revoke or grant additional access control

  • update the policy schedule or manually refresh the policy to update immediately

    Note

    Setting a schedule using the API gives you more flexibility than the user interface: with the API, you can run the refresh on specific days of the week at specific times. If a custom schedule is set via the API, it can only be updated via the API.

To edit a policy:

  1. Select Policy in the Navigation menu.

  2. Click Edit Policy.

  3. Update the policy as needed.

  4. Click Save.

Delete an access management policy to remove access to the specified schema objects. ALTR revokes the granted access from roles in Snowflake.

If two policies grant the same access to the same roles, deleting one of them doesn’t remove access because the remaining policy still grants it.

Note

If new objects received access through a FUTURE privilege after the policy was created, ALTR may not revoke that access when the policy is deleted.

To delete an access management policy:

  1. Select Policy in the Navigation menu.

  2. Click the access management policy you wish to delete.

  3. Click Edit Policy.

  4. Click Delete Policy; a modal displays.

  5. Click Delete Policy to confirm.
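
Because access that arrived through FUTURE privileges may survive a policy deletion, it is worth confirming in Snowflake what the role still holds afterwards. The following Snowflake SQL is an added example, not ALTR's own code; SALES_DB is an assumed placeholder database name, and ANALYST and SALES_DATA follow the Analyst/sales_data example on this page.

```sql
-- Added example: audit what a role still holds after an access management
-- policy has been deleted. SALES_DB is a placeholder; ANALYST and SALES_DATA
-- mirror the Analyst / sales_data example used on this page.

-- 1. Object-level grants the role holds right now.
SHOW GRANTS TO ROLE ANALYST;

-- 2. Future grants that would keep giving the role access to objects
--    created later, listed by role and by container.
SHOW FUTURE GRANTS TO ROLE ANALYST;
SHOW FUTURE GRANTS IN SCHEMA SALES_DB.SALES_DATA;
SHOW FUTURE GRANTS IN DATABASE SALES_DB;

-- 3. Active grants on tables and views inside the schema, newest first.
--    Grants created after the policy was set up are the ones that most
--    likely came from a FUTURE privilege.
--    Note: ACCOUNT_USAGE views lag behind real time, so very recent
--    changes may not appear yet.
SELECT privilege,
       granted_on,
       name,
       created_on
FROM   SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE  grantee_name  = 'ANALYST'
  AND  table_catalog = 'SALES_DB'
  AND  table_schema  = 'SALES_DATA'
  AND  deleted_on IS NULL
ORDER  BY created_on DESC;

-- 4. If leftover read access is found and no remaining policy is meant to
--    grant it, remove both the future grant and the grants already
--    materialized on existing objects.
REVOKE SELECT ON FUTURE TABLES IN SCHEMA SALES_DB.SALES_DATA FROM ROLE ANALYST;
REVOKE SELECT ON FUTURE VIEWS  IN SCHEMA SALES_DB.SALES_DATA FROM ROLE ANALYST;
REVOKE SELECT ON ALL TABLES    IN SCHEMA SALES_DB.SALES_DATA FROM ROLE ANALYST;
REVOKE SELECT ON ALL VIEWS     IN SCHEMA SALES_DB.SALES_DATA FROM ROLE ANALYST;
```

Run step 4 only after confirming that no other policy still grants the same access, since policies are additive and a remaining policy is expected to keep its grants in place.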