Getting Started with ALTR and Snowflake

This guide helps new users onboard to the ALTR platform using Snowflake Partner Connect. It walks users through creating a free ALTR account, connecting it to a Snowflake database, and creating their first data access policy. To learn more about how ALTR connects to Snowflake, see our Integration Documentation.

This documentation contains external screenshots of and links to Snowflake's interface and documentation. These may have changed since this page was published.

Note

In order to connect to ALTR, you must have

  • Enterprise or higher level of Snowflake

  • ACCOUNTADMIN role, which is needed to sign up for Snowflake Partner Connect and to grant access to ALTR. ALTR is not required to run as this role.

Warning

ALTR must be able to communicate with Snowflake over the internet in order to apply and enforce data security policies. If your Snowflake account restricts IP traffic using network policies, you must create new network rules allowing ALTR's IP addresses before connecting an ALTR account. ALTR's IP addresses are:

  • 44.203.133.160/28 

  • 3.145.219.176/28 

  • 35.89.45.128/28 
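
One way to allow these ranges, shown as an added example rather than ALTR's own script. The schema `SECURITY_DB.NETWORK_RULES`, the rule name `ALTR_INGRESS` and the policy name `CORP_NETWORK_POLICY` are hypothetical; substitute the network policy your account already enforces.

```sql
-- Added example: allow ALTR's published ranges through an existing network policy.
-- SECURITY_DB.NETWORK_RULES, ALTR_INGRESS and CORP_NETWORK_POLICY are hypothetical names.
USE ROLE ACCOUNTADMIN;

-- Network rules are schema-level objects, so they need a database and schema.
CREATE NETWORK RULE IF NOT EXISTS SECURITY_DB.NETWORK_RULES.ALTR_INGRESS
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('44.203.133.160/28', '3.145.219.176/28', '35.89.45.128/28')
  COMMENT = 'ALTR service traffic (ranges from ALTR onboarding documentation)';

-- Append the rule to the policy; ADD leaves the rules already on the policy in place.
ALTER NETWORK POLICY CORP_NETWORK_POLICY
  ADD ALLOWED_NETWORK_RULE_LIST = ('SECURITY_DB.NETWORK_RULES.ALTR_INGRESS');

-- Confirm the three CIDR blocks on the rule and that the policy now references it.
DESCRIBE NETWORK RULE SECURITY_DB.NETWORK_RULES.ALTR_INGRESS;
DESCRIBE NETWORK POLICY CORP_NETWORK_POLICY;
```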

ALTR participates in Snowflake Partner Connect (SPC), making it easy to get started with Snowflake partners. Snowflake ACCOUNTADMIN users can easily create and connect an ALTR account using Snowflake's Partner Connect UI.

Accessing Partner Connect from the Snowsight UI:
  1. Log into Snowsight as an account that has access to the ACCOUNTADMIN role.

  2. Change your role to ACCOUNTADMIN.

  3. Expand the Admin menu in the left navigation.

  4. Select ALTR from the list of partners, under the "Security and Governance" section.

Accessing Partner Connect from the Classic Console:
  1. Log into Snowflake's legacy UI with an account that has access to the ACCOUNTADMIN role.

  2. Change your role to ACCOUNTADMIN.

  3. Select "Partner Connect" at the top right of the UI.

  4. Select ALTR from the list of partners.

When you sign up for ALTR through Snowflake Partner Connect, Snowflake will auto-generate a Snowflake User, Role, and Warehouse for ALTR. See our Service User documentation for more information on how ALTR leverages these objects.

After clicking Connect, ALTR will send you an email to create your ALTR account, set your ALTR password, and start onboarding. Your ALTR username will default to your email address and your Two-Factor Authentication method will default to email.

The first step of ALTR onboarding has users confirm their ALTR Organization and Snowflake information. On this page, you can set your organization name in ALTR. This can be anything descriptive of your ALTR tenant, such as "ACME Corporation".

ALTR connects to Snowflake using a Snowflake Service User and Role. You need to assign this role the necessary privileges for ALTR to connect to Snowflake and create and enforce data access governance policies.

ALTR's SPC Onboarding offers two routes to configure the Service Role: an "express" route, where you grant ALTR ACCOUNTADMIN and it automatically grants privileges to its service role, and a "manual" route, where you execute a Stored Procedure in Snowflake that automatically grants each required privilege to ALTR's service role.

Express Configuration

In Express Configuration, you grant ALTR’s service user the ACCOUNTADMIN role. ALTR uses this role to grant all of the necessary privileges to PC_ALTR_ROLE. Once onboarding is complete (after successfully connecting a database), you can safely revoke the ACCOUNTADMIN role.
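
The revocation step and a check that it took effect, as an added example that is not ALTR's own script. It assumes the Partner Connect service user is named `PC_ALTR_USER` (this page names only `PC_ALTR_ROLE`), so confirm the user name with the first statement before running the rest.

```sql
-- Added example: remove ACCOUNTADMIN from the ALTR service user after onboarding.
-- Assumption: the service user is PC_ALTR_USER; the SHOW USERS output confirms the real name.
USE ROLE ACCOUNTADMIN;
SHOW USERS LIKE 'PC_ALTR%';

REVOKE ROLE ACCOUNTADMIN FROM USER PC_ALTR_USER;

-- Check 1: the user no longer holds ACCOUNTADMIN directly. Expect zero rows.
SHOW GRANTS TO USER PC_ALTR_USER;
SELECT "role", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "role" = 'ACCOUNTADMIN';

-- Check 2: the service role does not inherit another role that carries admin rights.
-- Rows returned here are roles granted to PC_ALTR_ROLE; review each one.
SHOW GRANTS TO ROLE PC_ALTR_ROLE;
SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'ROLE';

-- Check 3: list every privilege the service role holds, for comparison with the
-- privileges listed in ALTR's Snowflake Service User documentation.
SHOW GRANTS TO ROLE PC_ALTR_ROLE;
SELECT "granted_on", "privilege", COUNT(*) AS grants
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
GROUP BY "granted_on", "privilege"
ORDER BY "granted_on", "privilege";
```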

Manual Configuration

In Manual Configuration, you manually execute the grants to PC_ALTR_ROLE that are required for ALTR to create and enforce governance policies across all of your databases in Snowflake. ALTR provides a Stored Procedure that automates these grants. For a list of these privileges and what ALTR uses them for, see the Snowflake Service User documentation.

Note

If you prefer to limit ALTR’s access to particular databases or have questions about particular privileges, then reach out to support@altr.com. We are happy to help!

After you successfully configure service user privileges, you can start connecting Snowflake databases to ALTR. To connect a database, select it from the dropdown and click the Connect Database button. Connecting a database may take several minutes or longer, depending on how many schema objects are present within the database. ALTR will send you an email once the process is complete. To learn more about how ALTR connects to Snowflake databases, see our Integration documentation.

To connect a column:

  1. Click Data Configuration > Data Management in the Navigation menu.

  2. Click the Columns tab.

  3. Click the Connect Column button.

  4. Select the Data Source the column resides in from the data source dropdown.

  5. Select the Schema and Table or View the column resides in from the relevant dropdowns.

  6. Select the column from the relevant dropdown.

  7. (Optional) Select the Tokenized check box to use ALTR policy to detokenize sensitive data. Ensure all values for this column are tokenized. Refer to Tokenization Access Policies for more information.

  8. Assign a name to the column (cosmetic).

  9. Click the Connect Column button.

Column Access Policies are managed on the Column Access tab in the Locks page.

To create a column access policy:

  1. Click Data Policy > Locks > Column Access in the Navigation menu.

  2. Click the Add New button.

  3. Enter a (cosmetic) Lock Name.

  4. Select an Application. This list box displays all driver applications configured in ALTR.

  5. Select the ALTR User Groups (typically role) that the policy affects.

    Note

    If a User Group is not included in a policy, they receive NULL values when querying data protected by ALTR.

  6. Click the Tag or the Column toggle to define the User Group's level of access.

  7. If creating a Tag policy, indicate how the masking policy is applied. There are two options:

    • Tag Name and Value—applies the masking policy to the tag name-value pair, enabling you to set different policies on different tag values

    • Tag Name only—applies the masking policy to only the tag name; access is the same for all values associated with the tag

    The default option is Tag Name and Value. Refer to the examples for use cases on each option.

  8. Select the Masking Policy. Whenever a user in the User Group queries this data, the results are masked using this strategy.

    Note

    If a user group is assigned multiple masking strategies to a single column or tag between different locks, ALTR enforces whichever strategy is most permissive. Refer to Column Access Policy for more information.

  9. Click the +Add Another link to add all columns or tags for this policy.

  10. Click the Add Lock button.

Once a column access policy is created, it is immediately in effect. All queries against the columns or tags protected by the policy will control data access using the rules you specified.

Tag Usage Examples

The following are use cases for each option when defining locks directly on tags:

Tag Name and Value

Use this option when you want to set up specific, complex or granular policies. Let's say you have two different kinds of sensitive employee data: SSNs and phone numbers. By using a single tag with different values for SSN and phone number, you can set a policy around SSNs where the first 5 digits are masked (###-##-1234) and only HR has access. You can then set a different policy on phone numbers that applies no mask and grants access to anyone in the company.

Tag Name only

Use this option to control policy at the tag level without specifying each value. This option is good for simple, broad, high-level policies on a tag. For example, set a policy to mask all salary data and grant access to only the CFO. In this example, salary data is the tag and the columns (i.e., values) themselves are irrelevant because they will all be masked the same.

Once Column Access Policies are defined, you're up and running! Feel free to explore querying the affected columns in Snowflake with various roles. Now that you’re onboarded to ALTR, check out our other features such as Data Usage Analytics, Data Classification, and the Query Log. If you’d like to access any of our Enterprise level governance and security tools, reach out to ALTR Support.
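
A way to check a new lock from Snowflake, as an added example rather than ALTR-provided code. It uses the SSN policy from the Tag Name and Value example above; the table `HR_DB.PUBLIC.EMPLOYEES`, the column `SSN` and the roles `HR_ROLE` (included in the lock) and `MARKETING_ROLE` (not in any lock) are hypothetical names.

```sql
-- Added example: verify a column access policy by querying as two different roles.
-- HR_DB.PUBLIC.EMPLOYEES, SSN, HR_ROLE and MARKETING_ROLE are hypothetical names.

-- Role included in the lock with the "first 5 digits masked" strategy.
-- Expect masked_rows = non_null_rows and cleartext_rows = 0.
USE ROLE HR_ROLE;
SELECT
    COUNT(*)                                                  AS total_rows,
    COUNT(ssn)                                                AS non_null_rows,
    COUNT_IF(REGEXP_LIKE(ssn, '###-##-[0-9]{4}'))             AS masked_rows,
    COUNT_IF(REGEXP_LIKE(ssn, '[0-9]{3}-[0-9]{2}-[0-9]{4}'))  AS cleartext_rows
FROM HR_DB.PUBLIC.EMPLOYEES;

-- Role whose user group is not included in any lock on this column.
-- Per the note in step 5, every value should come back NULL: expect non_null_rows = 0.
USE ROLE MARKETING_ROLE;
SELECT
    COUNT(*)    AS total_rows,
    COUNT(ssn)  AS non_null_rows
FROM HR_DB.PUBLIC.EMPLOYEES;
```

A non-zero cleartext_rows for the first role, or a non-zero non_null_rows for the second, means the lock is not covering that column or that the role falls under another, more permissive lock.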