Snowflake

Access Management policies control privileges for data objects in Snowflake, allowing you to manage access without relying on data engineers or submitting tickets. With these policies, non-technical users can define which Snowflake roles have access to specific data objects.

Privileges

Specific privileges are included depending on the schema object and level of access you are granting. Refer to the following table for details:

Object Type	Grant Level	Privileges Included
Database	Read	USAGEUSAGE ON ALL SCHEMAS SELECT ON ALL TABLES SELECT ON ALL VIEWS USAGE ON FUTURE SCHEMAS SELECT ON FUTURE TABLES SELECT ON FUTURE VIEWS
Database	Write	USAGEUSAGE ON ALL SCHEMAS INSERT ON ALL TABLES TRUNCATE ON ALL TABLES UPDATE ON ALL TABLES INSERT ON ALL VIEWS TRUNCATE ON ALL VIEWS UPDATE ON ALL VIEWS FUTURE ON ALL SCHEMAS FUTURE ON ALL TABLES FUTURE ON ALL VIEWS
Database	Read/Write	All privileges in Read and Write
Schema	Read	USAGE SELECT ON ALL TABLES SELECT ON ALL VIEWS FUTURE ON ALL TABLES FUTURE ON ALL VIEWS USAGE on parent database
Schema	Write	USAGE INSERT ON ALL TABLES TRUNCATE ON ALL TABLES UPDATE ON ALL TABLES INSERT ON ALL VIEWS TRUNCATE ON ALL VIEWS UPDATE ON ALL VIEWS FUTURE ON ALL TABLES FUTURE ON ALL VIEWS USAGE on parent database
Schema	Read/Write	All privileges in Read and Write
Table	Read	SELECT USAGE on parent schema USAGE on parent database
Table	Write	INSERTTRUNCATEUPDATEUSAGE on parent schemaUSAGE on parent database
Table	Read/Write	All privileges in read and write
View	Read	SELECT USAGE on parent schema USAGE on parent databaseUSAGE on parent database
View	Write	INSERT TRUNCATE UPDATE USAGE on parent schema USAGE on parent database
View	Read/Write	All privileges in read and write

Create Access Mangement Policy

To create an access management policy:

Ensure the Snowflake account that contains the schema objects to which you are applying policy has been connected in ALTR. Learn more .
Select Policy in the Navigation menu.
Click Create Policy .
Locate the Access Management Policy card and click Create Policy .
Locate the Snowflake card and click Create Policy .
Enter a user-friendly Policy Name to identify the policy.
Select a Data Source that the policy affects.
Click Next .
Click + Rule Statement t to add a rule statement that defines access to data objects either by object name or by tag.
Select either object name or tag to determine how access is controlled by database objects.
object name— controls access by the object name and location
tag— controls access by the tag assigned to the object
Create the policy rule statement by selecting the following options:
role that the policy affects, which is an ALTR user group. Learn more .
read , write or read/write to determine the level of access of the schema object that the users with the selected role can access. Specific privileges are included depending on the schema object and level of access you are granting. Learn more .
object type: database, schema, table or view to determine what kind of object the roles have access to.
Define the object or the tag, depending on the type of rule statement.
Click Next .
Set a schedule in your local time to automatically check for new data objects that match the rules and update the policy to include them. If you do not want to automatically check for new objects, select none . You can also manually refresh the policy at any time. Learn more .
Click Save .

Refresh Access Management Policy

Refresh a policy to check for new data objects and update the policy as needed.

There are two ways to refresh a policy:

on a schedule— automatically checks for new data objects at an interval you set for the policy
manually— checks for new data objects only when the Refresh button is clicked

To refresh a policy:

Select Policy in the Navigation menu.
Click the access management policy you wish to refresh.
Click Edit Policy .
Set a schedule under Policy Refresh to schedule the refresh or click Refresh to manually refresh now.
Click Save .

Depending on the number of objects in the database or the size of the Snowflake warehouse, it may take some time for the refresh to complete.

View Report

See what access was granted by a policy.

This report helps you:

Verify that the policy is granting the intended access
Identify new databases or objects added during the latest refresh
Confirm that the policy is up to date
Share details with users about what the policy allows

The latest report, either from the schedule or a manual refresh, is available.

To view the latest report:

Select Policy in the Navigation menu.
Locate the policy and click Edit Policy .
Click Download Latest Report ; a CSV file is generated and downloaded.

Conflicting Policies

If two policies have different levels of access, ALL the access from the union of the policies is granted.

Edit Access Management Policy

Edit an access management policy to

revoke or grant additional access control
update the policy schedule or manually refresh the policy to update immediately

To edit a policy:

Select Policy in the Navigation menu.
Expand the policy to edit.
Click Edit Policy .
Update the policy as needed.
Click Save .

Delete Access Mangement Policy

Delete an access management policy to remove access to the specified schema objects. ALTR revokes the granted access from roles in Snowflake.

If two policies grant the same access to the same roles, deleting one of them doesn’t remove access because the remaining policy still grants it.

To delete an access management policy:

Select Policy in the Navigation menu.
Expand the policy to delete.
Click Edit Policy .
Click Delete Policy ; a modal displays.
Click Delete Policy to confirm.