Access Management Policy
Access Management policies control privileges for data objects in Snowflake, allowing you to manage access without relying on data engineers or submitting tickets. With these policies, non-technical users can define which Snowflake roles have access to specific data objects.
Privileges
Specific privileges are included depending on the schema object and level of access you are granting. Refer to the following table for details:
Object Type | Grant Level | Privileges Included |
---|---|---|
Database | Read | |
Database | Write | |
Database | Read/Write | All privileges in Read and Write |
Schema | Read | |
Schema | Write | |
Schema | Read/Write | All privileges in Read and Write |
Table | Read | |
Table | Write | INSERT, TRUNCATE, UPDATE, USAGE on parent schema, USAGE on parent database |
Table | Read/Write | All privileges in Read and Write |
View | Read | |
View | Write | |
View | Read/Write | All privileges in Read and Write |
To create an access management policy:
Ensure the Snowflake account that contains the schema objects to which you are applying the policy has been connected in ALTR.
Select Policy in the Navigation menu.
Click Create Policy.
Locate the Access Management Policy card and click Create Policy.
Locate the Snowflake card and click Create Policy.
Note
Access management policy is currently only supported for Snowflake data sources.
Enter a user-friendly Policy Name to identify the policy.
Select a Data Source that the policy affects.
Only data sources connected in ALTR display in the dropdown. If your data source does not display in the dropdown, ensure it has been connected to ALTR.
Click Next.
Click + Rule Statement to add a rule statement that defines access to data objects either by object name or by tag.
Select either object name or tag to determine how access to database objects is controlled.
object name—controls access by the object name and location
tag—controls access by the tag assigned to the object
Create the policy rule statement by selecting the following options:
Role that the policy affects, which is an ALTR user group.
Read, write or read/write to determine the level of access that users with the selected role have to the schema object. Specific privileges are included depending on the schema object and level of access you are granting.
Object type: database, schema, table or view to determine what kind of object the roles have access to.
Define the object or the tag, depending on the type of rule statement.
Click Next.
Set a schedule in your local time to automatically check for new data objects that match the rules and update the policy to include them. If you do not want to automatically check for new objects, select none. You can also manually refresh the policy at any time.
Click Save.
Note
Depending on the number of objects in the database or the size of the Snowflake warehouse, it may take some time for ALTR to create your policy.
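Once a policy has been created, the grants a role actually holds can be compared with the Table / Write row of the privileges table. The following is an added example, not ALTR's or Snowflake's own code: the function names are hypothetical, the rows mimic the `privilege`, `granted_on`, `name` and `grantee_name` columns of Snowflake's `SHOW GRANTS TO ROLE` output, and all sample values are constructed. It assumes unquoted identifiers and a role that is meant to hold only the Write level on the table.

```python
# Added example: audit a role's grants against the Table / Write row above.
# Assumes unquoted identifiers (no dots or mixed case inside a name).

TABLE_WRITE = {"INSERT", "TRUNCATE", "UPDATE"}  # from the privileges table


def expected_table_write(table_fqn):
    """Return the (privilege, granted_on, name) triples for Table / Write."""
    table = table_fqn.upper()
    database, schema, _name = table.split(".")
    expected = {(p, "TABLE", table) for p in TABLE_WRITE}
    expected.add(("USAGE", "SCHEMA", f"{database}.{schema}"))
    expected.add(("USAGE", "DATABASE", database))
    return expected


def audit_table_write(rows, role, table_fqn):
    """Compare a role's grants with the Table / Write privilege set.

    Returns (missing, excess): expected grants the role lacks, and other
    privileges the role holds on the same table.
    """
    table = table_fqn.upper()
    held = {
        (r["privilege"].upper(), r["granted_on"].upper(), r["name"].upper())
        for r in rows
        if r["grantee_name"].upper() == role.upper()
    }
    expected = expected_table_write(table)
    missing = sorted(expected - held)
    excess = sorted(g for g in held - expected
                    if g[1] == "TABLE" and g[2] == table)
    return missing, excess


# Constructed sample: ANALYST lacks USAGE on the schema and holds DELETE.
_COLS = ("privilege", "granted_on", "name", "grantee_name")
SAMPLE_ROWS = [dict(zip(_COLS, r)) for r in [
    ("INSERT", "TABLE", "SALES_DB.PUBLIC.ORDERS", "ANALYST"),
    ("TRUNCATE", "TABLE", "SALES_DB.PUBLIC.ORDERS", "ANALYST"),
    ("UPDATE", "TABLE", "SALES_DB.PUBLIC.ORDERS", "ANALYST"),
    ("DELETE", "TABLE", "SALES_DB.PUBLIC.ORDERS", "ANALYST"),
    ("USAGE", "DATABASE", "SALES_DB", "ANALYST"),
    ("USAGE", "SCHEMA", "SALES_DB.PUBLIC", "OTHER_ROLE"),
]]

if __name__ == "__main__":
    print(audit_table_write(SAMPLE_ROWS, "ANALYST", "SALES_DB.PUBLIC.ORDERS"))
```

A non-empty `excess` list points to privileges on the table that came from somewhere other than a Write-level rule, such as another policy or a manual grant.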