Row Access Policies

What is a Snowflake Row Access Policy?

A Row Access Policy is an ALTR governance tool that allows you to restrict access to individual rows within a table to particular roles. It is particularly useful when groups of users are only authorized to access subsets of data, such as limiting access to a table of payments data based on the country the data originated from. A Row Access Policy acts as a conditional WHERE clause on a table, filtering the rows displayed down to those that a user is authorized to see.

ALTR supports Row Access Policies on Snowflake tables where access needs to be restricted based on the value of a column within that table, which we refer to as the “reference column”. For instance, if you wish to restrict access based on the country the data originated from, then you might use COUNTRY_CODE as your reference column. ALTR’s Snowflake Row Access Policies enable you to specify which values within the reference column can be accessed by particular Snowflake roles.

How does it work?

ALTR provides a no-code integration with Snowflake’s native Row Access Policy feature, empowering you to take advantage of powerful governance controls without having to write SnowSQL. When defining row access policies in ALTR, you specify:

  1. The table to which the policy will apply
  2. The reference column that will determine access to rows
  3. A mapping of ALTR User Groups (Snowflake Roles) to the Reference Column Values

Once you define a Row Access Policy in ALTR, we attempt to insert it into your Snowflake Account for the specified table. Users querying that table will only be returned rows where a mapping exists from their role to the row's reference column value. If a user group is not specified in the Row Access Policy, then its members will not be able to access any rows in the table.
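The role-to-value mapping described above can be written by hand against Snowflake's native row access policy feature. The following is an added illustration, not SQL generated by ALTR; the schemas, table, policy and role names (`governance`, `sales.payments`, `payments_by_country`, `EU_ANALYST`, `US_ANALYST`) are hypothetical.

```sql
-- Added illustration; all object and role names are hypothetical.
-- Mapping of Snowflake roles to the reference-column values each role may read.
CREATE TABLE governance.role_country_map (
    role_name     VARCHAR,
    allowed_value VARCHAR
);

INSERT INTO governance.role_country_map (role_name, allowed_value) VALUES
    ('EU_ANALYST', 'DE'),
    ('EU_ANALYST', 'FR'),
    ('US_ANALYST', 'US');

-- The policy receives the reference column's value for each row and returns
-- TRUE only when the session's current role is mapped to that value.
-- A role with no rows in the mapping table matches nothing (default deny).
CREATE OR REPLACE ROW ACCESS POLICY governance.payments_by_country
    AS (ref_value VARCHAR) RETURNS BOOLEAN ->
    EXISTS (
        SELECT 1
        FROM governance.role_country_map m
        WHERE m.role_name = CURRENT_ROLE()
          AND m.allowed_value = ref_value
    );

-- Attach the policy to the table, binding it to the reference column.
ALTER TABLE sales.payments
    ADD ROW ACCESS POLICY governance.payments_by_country ON (country_code);

-- Run the same query under each role and compare which country codes appear.
USE ROLE EU_ANALYST;
SELECT country_code, COUNT(*) AS visible_rows
FROM sales.payments
GROUP BY country_code;

USE ROLE US_ANALYST;
SELECT country_code, COUNT(*) AS visible_rows
FROM sales.payments
GROUP BY country_code;
```

Because the policy body runs with the policy owner's rights, the querying roles do not need SELECT on the mapping table, which keeps the mapping itself out of reach of the users it restricts.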

Row Access Policies are an Enterprise feature and are currently in preview. If you are an Enterprise ALTR user and would like us to enable this feature for your account, then reach out to support@altr.com.

Using Snowflake's Row Access Policy

Row Access Policies can be accessed on the “Row Access” section of the Locks page.


To create a Row Access Policy, select Add New. This will enable you to specify the table the Row Access Policy will apply to and the reference column that will control access.


Next, you can specify the mappings between User Groups (Snowflake Roles) and column values. When querying data on the table, users using the specified Snowflake Role will only be able to access rows where one of these values matches the value of the Reference Column.


Now, all that’s left is to review your policy and give it a name. This name will be displayed in ALTR to reference the Row Access Policy.


Once you click Submit, ALTR will attempt to insert the Row Access Policy into Snowflake. It may take several seconds for the policy to be inserted and become active in Snowflake.

Frequently Asked Questions

Question 1. Can I assign multiple Row Access Policies to the same table?

To avoid the potential of conflicting rules between different Row Access Policies, Snowflake allows for only one Row Access Policy per table.

Question 2. Can I create a Column-Based Access Policy on a Row Access Policy’s Reference Column?

Snowflake does not allow a Row Access Policy to reference a column that has a Dynamic Data Masking policy assigned to it. Because of this, the Reference Column for a Row Access Policy cannot be connected (“governed”) in ALTR.

Question 3. What columns can be a “reference column” for a Row Access Policy in ALTR?

A reference column can be any String column that is not connected (“governed”) in ALTR.

Question 4. What happens if I create a Row Access Policy directly in Snowflake?

ALTR will not interfere with any Row Access Policies you create directly in Snowflake; however, you will not be able to view, edit, or remove any manually-created Row Access Policies in ALTR.

Troubleshooting Tips

If you encounter any issues with ALTR's Snowflake Row Access Policies that you can’t resolve, then please reach out to support@altr.com.

  1. ALTR says my policy was created but it’s not working in Snowflake.
    ALTR’s service user may be missing the required permissions to create Row Access Policies. Try re-executing the latest Snowflake Service User Stored Procedure to update your service user before attempting to create a Row Access Policy.
    Check your table in Snowflake to ensure that you don’t already have a Row Access Policy in place for that table. If you do, and instead wish to control that table with an ALTR Row Access Policy, delete the existing policy from Snowflake.
  2. The column that I want to use as the Reference Column is greyed out.
    ALTR currently only supports Row Access Policies where the reference column is a String. If you require Row Access Policies determined by non-string columns, then please open a feature request with support@altr.com documenting your use case.
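The checks from troubleshooting tip 1 and FAQ Question 2 can be run directly in Snowflake. This is an added example, not an ALTR-provided script; `MY_DB.MY_SCHEMA.PAYMENTS`, `OLD_POLICY` and `SERVICE_ROLE_PLACEHOLDER` are placeholders to replace with your own table, any existing policy, and the role used by ALTR's service user.

```sql
-- Added example; database, schema, table, policy and role names are placeholders.

-- 1. List every policy attached to the table. A ROW_ACCESS_POLICY row means
--    the table already has a row access policy (Snowflake allows one per table).
--    A MASKING_POLICY row on the intended reference column means that column
--    cannot be used by a row access policy.
SELECT policy_db,
       policy_schema,
       policy_name,
       policy_kind,
       ref_column_name,        -- populated for masking policies
       ref_arg_column_names    -- populated for row access policies
FROM TABLE(my_db.information_schema.policy_references(
         ref_entity_name   => 'MY_DB.MY_SCHEMA.PAYMENTS',
         ref_entity_domain => 'TABLE'));

-- 2. If a manually created row access policy is in the way and the table
--    should instead be controlled from ALTR, detach it from the table first.
ALTER TABLE my_db.my_schema.payments
    DROP ROW ACCESS POLICY my_db.my_schema.old_policy;

-- 3. Confirm the service user's role holds row access policy privileges
--    after re-running the Service User Stored Procedure.
SHOW GRANTS TO ROLE service_role_placeholder;

SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" ILIKE '%ROW ACCESS POLICY%';
```

Run step 1 again after any change: an empty result for `policy_kind = 'ROW_ACCESS_POLICY'` confirms the table is free for a new policy.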
