Manage Snowflake Data Sources

This section describes ALTR’s capabilities for managing Snowflake data sources. ALTR must be connected to a data source in order to enforce data access governance and advanced data protection on sensitive data.

ALTR’s Service User and Role

When an ALTR account is created by Snowflake Partner Connect, Snowflake automatically creates the PC_ALTR_USER, PC_ALTR_ROLE, and PC_ALTR_WAREHOUSE objects and shares their information with ALTR. During onboarding, ALTR users privilege PC_ALTR_ROLE with the necessary grants for the service user to provide ALTR with access to the data sources.

If an ALTR account is not created by Snowflake Partner Connect or if for some reason a customer wishes not to use PC_ALTR_USER, the service user, role, and warehouse must be manually created in Snowflake. The service user must be specified when connecting Snowflake data sources to ALTR. When creating a custom service user, make sure that it has the appropriate Snowflake privileges. Refer to Required Snowflake Objects for more information.

Update Snowflake Service User Password

If you change the password for your service user, ALTR will be unable to connect to Snowflake. Although existing data access governance and security policies will continue to function, ALTR will be unable to define new policies and may not be able to generate accurate query audit logs. Do not change the service user password without updating it in ALTR.

Caution

If your ALTR account leverages PC_ALTR_USER and that service user’s password changes, you will be unable to connect new data sources using PC_ALTR_USER until you update that user’s password in your organization’s Snowflake Partner Connect Settings. This must be done in addition to updating the password on each individual data source.

Connect Snowflake Data Sources

In order to connect a data source to ALTR, you must have access to a service user that has the appropriate privileges to access the database and enforce security policies. ALTR strongly recommends running the stored procedure to update the service user’s grants before connecting a new data source.

Before you can connect tags and columns to ALTR so policy can be applied, connect your data source.

To connect a Snowflake data source:

1. Select Data Configuration > Data Sources in the navigation menu.
2. Click Add Data Source.
3. For the Snowflake connection type, click Select.
4. Enter a Display Name. This is a user-friendly name to identify the data source.
5. Select a Service User. If your ALTR account was created from Snowflake Partner Connect, select PC_ALTR_USER.
6. Enter your Database Name exactly as it appears in Snowflake.
7. (Optional) Click Advanced Settings to set advanced settings for this data source. ALTR does not recommend users change any of these settings without consulting ALTR Support.
   • Max Data Connection — This field is not used. The default value is 5.
   • Warehouse — If present, ALTR will attempt to use this warehouse when connecting to Snowflake. If this value is not supplied, ALTR will use the Service User’s default warehouse.
   • Role — This is the Snowflake role. If present, ALTR will attempt to use this role when connecting to Snowflake. If this value is not supplied, ALTR will use the Service User’s default role.
8. Click Next.
9. Click Connect Data Source.

Note

If you created this database using a case-sensitive name, be sure to encase it in double quotation marks.

If your service user is not listed, create a service user in Snowflake and register it with ALTR.

Check Snowflake Connections

Check the data source connection if you suspect there’s an issue with the connection, such as if you received errors or the data source has changed.

To check the data source connection:

1. Select Data Configuration > Data Sources in the navigation menu.
2. Click the data source that you want to test the connection.
3. Click the Connection Details tab.
4. Click Check Connection.

Remove Snowflake Data Sources

Remove a Snowflake data source from ALTR if your service user is having problems or some other issue has occurred with the data source.

Note

If there are columns connected to your data source, you must disconnect the columns before you can remove the data source.

To remove a data source:

1. Select Data Configuration > Data Sources in the navigation menu.
2. Select the data source you wish to disconnect.
3. Click Remove Data Source. The process to remove a data source can take up to several minutes to complete.

Force Remove Data Source

Caution

Before force removing a data source, consult ALTR Support.

Force removing data sources clears the integration memory from your data source connection. Be aware that if you choose to do this, artifacts, such as the masking policy and schema objects, might still be left in Snowflake.

Force remove a data source if you are unable to remove a data source as expected. This action ignores any errors encountered during the removal process. Use great caution with this feature because it cannot be undone.

To force remove a data source:

1. Ensure all columns have been disconnected from ALTR.
2. Ensure there are no active row policies on the data source.
3. Select the data source you wish to remove.
4. Click Remove Data Source.
5. Click the Trouble Removing? link; a modal displays to confirm.
6. Click Force Remove Data Source button; a modal displays to confirm.
7. Click Yes, Force Remove Data Source.
8. Review your source system and clear out any remnants, which could limit storage or pose security risks from ongoing API call requests.