
ALTR Data Protection Dashboard

The ALTR Data Protection Dashboard is a Snowflake Native App that integrates ALTR’s advanced data protection capabilities. It provisions the required functions, stored procedures and tables to enable a comprehensive Data Protection Metrics Dashboard within your Snowflake Native App.

This dashboard helps visualize and analyze key metrics in real time, such as the presence of tags without associated policies, security control implementation, and monitoring effectiveness. By identifying data that is tagged but lacks appropriate policy enforcement, the app helps monitor compliance, identify gaps in risk posture and assess the enforcement status of your data protection policies.

Architecture

The app utilizes Snowflake's native features and integrates directly with ALTR's data protection framework. Upon setup, it collects metadata from your Snowflake environment and your ALTR organization by calling Unified Policy API endpoints from user-defined functions and stored procedures. This data is processed and stored in application-managed tables to create a dynamic Data Protection Metrics Dashboard, which can then provide visuals in the Snowflake Native App.

Prerequisites

Users must have basic familiarity with SQL and Snowflake Native Apps.

To operate the native application, grant the following Snowflake privileges to the role running the Native App. They support specific features such as external access integration, network rule configuration, secret management and usage of Snowflake-provided views such as SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES.

CREATE DATABASE allows the application to create new databases within the Snowflake account. The application creates a database to store objects such as Network Rules and Secrets when setting up External Access Integrations. Granting CREATE DATABASE ensures it can manage and isolate these resources securely.

Grant Recommendation:

GRANT CREATE DATABASE ON ACCOUNT TO <role>;

Note

Replace <role> with the name of the Snowflake role used to run the native app.

CREATE INTEGRATION enables the creation of External Access Integrations. The application uses an External Access Integration to securely call ALTR’s API. Granting CREATE INTEGRATION allows the app to define these integrations as part of its setup and communication with ALTR.

GRANT CREATE INTEGRATION ON ACCOUNT TO <role>;

Note

Replace <role> with the name of the Snowflake role used to run the native app.

Import privileges on the SNOWFLAKE database allow access to system-level metadata and views within the SNOWFLAKE database, particularly the ACCOUNT_USAGE schema. The application queries the TAG_REFERENCES view to identify tagged objects that do not yet have policies applied. This helps enforce governance by highlighting policy gaps.
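To cross-check the dashboard's "unprotected columns" metric from the Snowflake side, the following query lists tagged columns with no masking policy attached. It is an added example, not ALTR's own query, and it assumes that "protected" means a Snowflake masking policy is attached directly to the column.

```sql
-- Added example (not part of the ALTR app). Run with a role that has
-- imported privileges on the SNOWFLAKE database.
-- Assumption: a column counts as protected when a masking policy is
-- attached directly to it; policies attached to a tag are not considered.
WITH tagged_columns AS (
    SELECT tag_database, tag_schema, tag_name, tag_value,
           object_database, object_schema, object_name, column_name
    FROM snowflake.account_usage.tag_references
    WHERE domain = 'COLUMN'
      AND object_deleted IS NULL            -- ignore dropped objects
),
masked_columns AS (
    SELECT DISTINCT ref_database_name, ref_schema_name,
                    ref_entity_name, ref_column_name
    FROM snowflake.account_usage.policy_references
    WHERE policy_kind = 'MASKING_POLICY'
      AND ref_column_name IS NOT NULL
)
SELECT t.tag_name,
       t.tag_value,
       t.object_database,
       t.object_schema,
       t.object_name,
       t.column_name
FROM tagged_columns t
LEFT JOIN masked_columns m
       ON  m.ref_database_name = t.object_database
       AND m.ref_schema_name   = t.object_schema
       AND m.ref_entity_name   = t.object_name
       AND m.ref_column_name   = t.column_name
WHERE m.ref_column_name IS NULL             -- tagged, but no masking policy
ORDER BY t.tag_name, t.tag_value,
         t.object_database, t.object_schema, t.object_name;
```

ACCOUNT_USAGE views are populated with latency and TAG_REFERENCES records only direct tag assignments, so recently applied or inherited tags can be missing from the result.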

1. Grant Import Privileges on Snowflake Database

To grant the Analytics Model the required privileges:

  1. Install the ALTR Analytics Model from Snowflake Marketplace.

  2. Open the app and click Settings.

  3. Click the Privileges tab to view access required for the analytics model.

  4. Click Review; a modal displays asking you to grant import privileges on the Snowflake database.

  5. Turn on the Granted switch.

  6. Click Update Privileges to apply the required access.

  7. Refresh the page and make sure you see the word “Granted” in green to indicate that the privileges were updated.

2. Create External Access Integration for ALTR

Create an external access integration with ALTR by connecting your ALTR account to the Analytics Model. You need your ALTR API key and API secret.

To create the external access integration for ALTR:

  1. In the app's Settings, click the Connections tab.

  2. In the Connections section, click Review; a Connect to Key management external access integration modal displays.

  3. Click Next to create the network rule.

  4. Enter your ALTR credentials:

    1. Username: Your ALTR API key

    2. Password: Your ALTR API secret

  5. Click Connect.

  6. Refresh the page and make sure you see the word “Connected” in green to indicate that the privileges were updated.

  7. Click Launch app.

3. Configure Data Protection Metrics

Configure the data protection metrics by generating all the necessary database objects required to create the charts.

To configure the data protection metrics:

  1. Navigate to the Configuration tab.

  2. (Optional) Enable Use Tag Value if you are using tag values to mask your data. Toggle it based on your masking strategy.

  3. Enter the Database Name where the ALTR tags are stored.

  4. Click Generate Required Objects to create the necessary database objects.

4. Generate Charts

To generate the Data Protection Metrics Dashboard:

  1. Click the Charts tab.

  2. Click Generate Charts. The dashboard displays charts with the following metrics:

    1. Unprotected columns by Tag Name / Tag Value

    2. Protected columns by Tag Name / Tag Value

Note

Use the Refresh button if any policies have been updated in ALTR.

APPOWNER

Description: Full access to all application functionality

Recommended Grant: To roles that need to invoke procedures, create functions, manage data and handle external key management

Note

Application roles are scoped to the application database and must be granted to Snowflake account roles to enable functionality.

Functions

| Function Name | Description |
| --- | --- |
| ALTR_POLICY() | Returns policy details from ALTR |
| ALTR_RULE() | Returns alert applied on rule from ALTR |
| ALTR_TOKENIZE() | Lists columns configured as tokenized in ALTR |

Stored Procedures

| Procedure Name | Description |
| --- | --- |
| ALTR_TAG_INFO_SP | Calls ALTR_POLICY() and ALTR_RULE() to generate relevant tables |
| ALTR_TOKENIZE_SP | Invokes ALTR_TOKENIZE() and creates tables with the details of the columns that are tokenized |
| ALTR_SF_METADATA_SP | Pulls Snowflake metadata to create necessary tables |
| DPMD_DB_OBJ | Creates user-defined functions and executes all stored procedures |

Tables

| Table Name | Description |
| --- | --- |
| ALTR_RAW_POLICY_JSON_INFO | Contains the policy JSON data |
| ALTR_RAW_RULE | Contains JSON data of rules applied on the policy |
| ALTR_TAG_POLICY_INFO | Contains records of policy names and their corresponding IDs |
| ALTR_TAG_RULE_INFO | Contains records representing specific tag rules used in the system, typically for data protection metrics |
| ALTR_ALERT_INFO | Contains alerts applied to each rule |
| ALTR_TAG_INFO | Contains tag name and tag value on which policies are applied |
| TOKENIZE | Contains JSON objects representing columns configured as tokenized |
| ALTR_TOKENIZE_INFO | Contains columns that are configured as tokenized in ALTR org |
| SNOW_DB_INFO | Contains database, schema, table and column details where Snowflake object tags are applied |
| SNOW_TAG_INFO | Contains records of Snowflake object tags and their mapping to ALTR tags used in policy |

If you require assistance or run into issues, contact ALTR Support with the subject line "Analytics Support."