Service User Privilege Requirements
Privilege Name | Level | How ALTR's service user uses this privilege |
---|---|---|
APPLY MASKING POLICY | Account | Allows ALTR to apply masking policies to columns and tags in Snowflake. This privilege is required to create the necessary policies for data masking, decryption or detokenizaiton. |
APPLY ROW ACCESS POLICY | Account | Allows ALTR to apply row access policies to tables in Snowflake. This privilege is required to automate the assignment of row access policies to tables and views. |
APPLY TAG | Account | Allows ALTR to assign tags to columns during a Snowflake classification and automatic tagging of data. When using Snowflake’s native classification tool, this privilege is needed to assign the SEMANTIC_CATEGORY and PRIVACY_CATEGORY tags. For automatic tagging, this privilege is to assign custom customer tags to data based on the classification result. This privilege is also required to automate assigning tags from data classification and facilitates identifying the databases are warehouses are protected by ALTR. |
CREATE DATABASE | Account | Allows ALTR to create its utility database, ALTR_DSAAS_DB, which is used to house the ALTR security objects required for access governance and security. This privilege is required to create and manage this database in order for ALTR to function. |
CREATE INTEGRATION | Account | Allows ALTR's service user to create API integrations for each connected database. This integration is used to make in-line policy decisions, perform detokenization, obtain decryption keys and generate query audit logs. This privilege is required for ALTR's access control policy and database activity monitoring to properly function. |
MANAGE GRANTS | Account | Allows ALTR's service user to manage access to objects (database, schema, table) in Snowflake. |
CREATE ROW ACCESS POLICY | Database | Allows ALTR to create row access policies in Snowflake. This privilege is required for ALTR to automate the creation and application of row access policies. |
CREATE SCHEMA ON DATABASE | Database | Allows ALTR to create the ALTR_DSAAS schema within a database, where masking and row access policies are stored. This privilege is required to create and enforce dynamic data masking and row access policy. |
CREATE TAG ON SCHEMA | Database | Allows ALTR to save the results of Snowflake's native Classification tool as SEMANTIC_CATEGORY and PRIVACY_CATEGORY tags. This privilege is required for ALTR to save the results of Snowflake data classification as object tags. It is also required during automatic tagging if a customer wishes to use ALTR to create new tags on their behalf. |
SELECT ON MATERIALIZED VIEWS | Database | This privilege enables ALTR to identify individual columns within a view for column-based masking and row access policies. This also enables ALTR to sample data within views for Google DLP classification. This privilege is required for ALTR to identify columns for use in access control policies and to classify data in these views during classification. NoteALTR does not sample customer data unless explicitly asked during data classification. These samples are randomized and are not persisted in ATLR once classification is complete. |
SELECT ON TABLES | Database | This privilege enables ALTR to identify individual columns within a table for column-based masking and row access policies. This also enables ALTR to sample data within tables for Google DLP classification. This privilege is required to identify columns for use in access control policies and to classify data in these tables during classification. NoteALTR does not sample customer data unless explicitly asked to during data classification. These samples are randomized and are not persisted in ALTR once classification is complete. |
SELECT ON VIEWS | Database | This privilege enables ALTR to identify individual columns within a table for column-based masking and row access policies. This also enables ALTR to sample data within tables for Google DLP classification. This privilege is required to identify columns for use in access control policies and to classify data in these tables during classification. NoteALTR does not sample customer data unless explicitly asked to during data classification. These samples are randomized and are not persisted in ALTR once classification is complete. |
USAGE ON DATABASE | Database | This privilege is required for ALTR to identify the databases within your Snowflake account. This is necessary when connecting databases to ALTR, as well as other operations that require ALTR to be aware of Snowflake databases such as connecting Snowflake Object Tags. |
USAGE ON SCHEMA | Database | This privilege is required for ALTR to identify schemas in a database. This is necessary when performing any action that requires ALTR to identify schema information, such as classifying data, connecting tags, creating row access policies, or creating column-based access policies. |
GRANT IMPORTED PRIVILEGES | Snowflake database | This privilege is used for ALTR to identify historical data consumption in the ACCESS_HISTORY view in Snowflake account for the Data History Import feature. |
MONITOR ON WAREHOUSE | Warehouse | This privilege enables ALTR to monitor activity and logs for all queries executed on a warehouse. This privilege is required for ALTR to generate query audit logs for any queries executed using this warehouse. |