Access Management Policy
Access Management policies control privileges for data objects in Snowflake, allowing you to manage access without relying on data engineers or submitting tickets. With these policies, non-technical users can define which Snowflake roles have access to specific data objects.
Privileges
Specific privileges are included depending on the schema object and level of access you are granting. Refer to the following table for details:
Object Type | Grant Level | Privileges Included |
---|---|---|
Database | Read | |
Database | Write | |
Database | Read/Write | All privileges in Read and Write |
Schema | Read | |
Schema | Write | |
Schema | Read/Write | All privileges in Read and Write |
Table | Read | |
Table | Write | INSERT, TRUNCATE, UPDATE, USAGE on parent schema, USAGE on parent database |
Table | Read/Write | All privileges in Read and Write |
View | Read | |
View | Write | |
View | Read/Write | All privileges in Read and Write |
To create an access management policy:

1. Ensure the Snowflake account that contains the schema objects to which you are applying the policy has been connected in ALTR.
2. Select Policy in the Navigation menu.
3. Click Create Policy.
4. Locate the Access Management Policy card and click Create Policy.
5. Locate the Snowflake card and click Create Policy.

   Note
   Access management policy is currently only supported for Snowflake data sources.

6. Enter a user-friendly Policy Name to identify the policy.
7. Select a Data Source that the policy affects.

   Note
   Only data sources connected in ALTR display in the dropdown. If your data source does not display in the dropdown, ensure it has been connected to ALTR.

8. Click Next.
9. Click + Rule Statement to add a rule statement that defines access to data objects either by object name or by tag.
10. Select either object name or tag to determine how access to database objects is controlled:
    - object name: controls access by the object name and location
    - tag: controls access by the tag assigned to the object
11. Create the policy rule statement by selecting the following options:
    - role that the policy affects, which is an ALTR user group.
    - read, write or read/write: the level of access that users with the selected role have to the schema object. The specific privileges included depend on the object type and the level of access you are granting (see the Privileges table above).
    - object type: database, schema, table or view, to determine what kind of object the roles have access to.
12. Define the object or the tag, depending on the type of rule statement.
13. Click Next.
14. Set a schedule in your local time to automatically check for new data objects that match the rules and update the policy to include them. If you do not want to automatically check for new objects, select none. You can also manually refresh the policy at any time.
15. Click Save.

Note
Depending on the number of objects in the database or the size of the Snowflake warehouse, it may take some time for ALTR to create your policy.
Refresh a policy to check for new data objects and update the policy as needed. There are two ways to refresh a policy:

- on a schedule: automatically checks for new data objects at an interval you set for the policy
- manually: checks for new data objects only when the Refresh button is clicked

To refresh a policy:

1. Select Policy in the Navigation menu.
2. Click the access management policy you wish to refresh.
3. Click Edit Policy.
4. Set a schedule under Policy Refresh to schedule the refresh, or click Refresh to refresh manually now.

   Note
   If you manually refresh the policy, your scheduled refresh still runs at its next interval.

5. Click Save.

Depending on the number of objects in the database or the size of the Snowflake warehouse, it may take some time for the refresh to complete.
See what access was granted by a policy. This report helps you:

- Verify that the policy is granting the intended access
- Identify new databases or objects added during the latest refresh
- Confirm that the policy is up to date
- Share details with users about what the policy allows

The latest report, from either the scheduled or a manual refresh, is available.

To view the latest report:

1. Select Policy in the Navigation menu.
2. Locate the policy and click Edit Policy.
3. Click Download Latest Report; a CSV file is generated and downloaded.
If two policies grant different levels of access, ALL the access from the union of the policies is granted.

Tip
You create one policy that gives the Analyst role read access to the sales_data schema. Later, another policy grants the same role write access to that schema. As a result, the Analyst role is granted read and write access to the sales_data schema.
Edit an access management policy to:

- revoke or grant additional access control
- update the policy schedule, or manually refresh the policy to update it immediately

Note
Setting a schedule through the API allows more flexibility than the user interface: you can run the refresh on specific days of the week at specific times. If a custom schedule is set via the API, it can only be updated via the API.

To edit a policy:

1. Select Policy in the Navigation menu.
2. Click Edit Policy.
3. Update the policy as needed.
4. Click Save.
Delete an access management policy to remove access to the specified schema objects. ALTR revokes the granted access from roles in Snowflake.

If two policies grant the same access to the same roles, deleting one of them does not remove access because the remaining policy still grants it.

Note
If new objects have been granted through the FUTURE privilege after a policy was created, ALTR may not revoke that access.

To delete an access management policy:

1. Select Policy in the Navigation menu.
2. Click the access management policy you wish to delete.
3. Click Edit Policy.
4. Click Delete Policy; a modal displays.
5. Click Delete Policy to confirm.
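The following Python model, added here as an illustration and not ALTR's or Snowflake's own code, ties together the behaviours described on this page: the Snowflake privileges that a Table-level grant expands to (per the Privileges table), the union that results when two policies grant different levels to the same role (the sales_data tip), what a refresh picks up, and why deleting one policy revokes only what no remaining policy still grants and only on objects the policy knew about at its last refresh (the FUTURE-privilege note). The Table/Write privilege set comes from the page; the Table/Read set (SELECT), the role, database, schema and table names, and the catalog contents are all constructed assumptions for the example.

```python
"""Added illustration of the policy semantics described on this page: the
privileges a Table-level grant expands to, the union of two policies on the
same role, what a refresh picks up, and what deleting a policy can revoke.
This is not ALTR's or Snowflake's implementation."""
from dataclasses import dataclass

# Privileges implied by (object type, grant level). The Table/Write row is
# the one the page spells out; the Table/Read row is an ASSUMPTION (SELECT is
# Snowflake's standard read privilege) so the example can run end to end.
PRIVILEGES = {
    ("table", "read"): frozenset({"SELECT"}),                         # assumption
    ("table", "write"): frozenset({"INSERT", "TRUNCATE", "UPDATE"}),  # from the page
}
PRIVILEGES[("table", "read/write")] = PRIVILEGES[("table", "read")] | PRIVILEGES[("table", "write")]


@dataclass(frozen=True)
class Policy:
    name: str
    role: str                          # Snowflake role (ALTR user group)
    level: str                         # "read", "write" or "read/write"
    schema: str                        # rule statement by object name: "DB.SCHEMA"
    tables: frozenset = frozenset()    # tables matched at the last refresh


def refresh(policy, catalog):
    """Re-resolve the rule against the current catalog (tables as 'DB.SCHEMA.TABLE'),
    so objects created after the policy was made are picked up."""
    matched = frozenset(t for t in catalog if t.rsplit(".", 1)[0] == policy.schema)
    return Policy(policy.name, policy.role, policy.level, policy.schema, matched)


def grants_for(policy):
    """(role, privilege, object) tuples the policy grants: table privileges per the
    Privileges table plus USAGE on the parent schema and parent database."""
    database = policy.schema.split(".")[0]
    grants = {(policy.role, "USAGE", database), (policy.role, "USAGE", policy.schema)}
    for table in policy.tables:
        for priv in PRIVILEGES[("table", policy.level)]:
            grants.add((policy.role, priv, table))
    return grants


def effective_grants(policies):
    """Union semantics: everything granted by any policy is in effect."""
    out = set()
    for p in policies:
        out |= grants_for(p)
    return out


def revocations_on_delete(policies, deleted_name):
    """Grants to revoke when one policy is deleted: only those no remaining policy
    still grants, and only on objects in the deleted policy's snapshot."""
    deleted = [p for p in policies if p.name == deleted_name]
    remaining = [p for p in policies if p.name != deleted_name]
    return effective_grants(deleted) - effective_grants(remaining)


def to_sql(grant, revoke=False):
    """Render a grant tuple as the Snowflake statement it corresponds to."""
    role, priv, obj = grant
    kind = {0: "DATABASE", 1: "SCHEMA", 2: "TABLE"}[obj.count(".")]
    verb, prep = ("REVOKE", "FROM") if revoke else ("GRANT", "TO")
    return f"{verb} {priv} ON {kind} {obj} {prep} ROLE {role};"


# Constructed sample catalog (not from the page): SALES_DATA gains a table later.
CATALOG_AT_CREATION = ["SALES.SALES_DATA.ORDERS", "SALES.SALES_DATA.CUSTOMERS", "SALES.FINANCE.LEDGER"]
CATALOG_LATER = CATALOG_AT_CREATION + ["SALES.SALES_DATA.RETURNS"]


def demo():
    """Walk through the page's scenarios; returns the pieces a test can check."""
    read_pol = refresh(Policy("sales-read", "ANALYST", "read", "SALES.SALES_DATA"), CATALOG_AT_CREATION)
    write_pol = refresh(Policy("sales-write", "ANALYST", "write", "SALES.SALES_DATA"), CATALOG_AT_CREATION)
    combined = effective_grants([read_pol, write_pol])                      # union: read AND write
    revoked = revocations_on_delete([read_pol, write_pol], "sales-write")   # SELECT and USAGE survive
    # RETURNS was created after both policies; until a refresh it is in neither
    # snapshot, so a delete computed from the stale snapshot leaves it untouched.
    refreshed_write = refresh(write_pol, CATALOG_LATER)
    return combined, revoked, refreshed_write.tables


if __name__ == "__main__":
    combined, revoked, later = demo()
    for g in sorted(combined):
        print(to_sql(g))
    print("-- on deleting sales-write:")
    for g in sorted(revoked):
        print(to_sql(g, revoke=True))
```

Running the script prints the GRANT statements the two policies amount to, followed by the REVOKE statements that deleting the write policy should produce; note that no REVOKE touches SELECT or USAGE (the read policy still grants them) and none touches the RETURNS table created after the policies were made. The same check can be done against a live account with SHOW GRANTS TO ROLE after a refresh, compared with the policy's downloaded report.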