Guides

Features

Advanced

Connect a Snowflake Database

This page describes how ALTR connects to Snowflake databases. It includes a walkthrough of how to connect Snowflake databases to ALTR and a detailed overview of what objects ALTR creates in Snowflake to support the connection. It also includes common questions and troubleshooting steps for users who have trouble connecting Snowflake databases.

What does ALTR do when it connects a Snowflake Database?

When you connect a Snowflake database to ALTR, what happens next is that ALTR creates a variety of Snowflake-Side objects that enable data governance. These include:

  • An API integration that enables Snowflake to communicate directly with ALTR’s SaaS governance engine
  • The ALTR_DSAAS schema that ALTR uses to house schema-level governance objects, like Dynamic Data Masking Policies

Additionally, ALTR executes a variety of processes in its SaaS platform in order to ensure it can properly access the Snowflake database and its schema objects. This includes:

  • Executing a 'Database Status Check', where ALTR ensures that it can connect to your Snowflake account. This check also ensures that the Service User for this database is appropriately permissioned.
  • Identifying all schemas and tables available in the Snowflake database to accelerate ALTR’s UI.

NOTES: ALTR only accesses and persists account and schema object information relating to your Snowflake Database. ALTR does not automatically access or persist any data stored in Snowflake.

If PC_ALTR_DB_PICKER_ROLE exists in your Snowflake account, then it can be safely removed from Snowflake without impacting ALTR’s functionality.

How to Connect Snowflake Databases to ALTR

To unlock ALTR’s data governance tools for Snowflake databases, you must connect that database to ALTR. ALTR’s Snowflake Partner Connect Onboarding offers a guided walkthrough for connecting your first databases. This section covers how to connect Snowflake Databases after onboarding.

NOTES:

  • ALTR can only connect to Snowflake Databases if the Service User has permission to access that database. In order to ensure you can successfully connect a database, ALTR recommends re-running the Stored Procedure to ensure the Service User can access all databases in your Snowflake account.
  • In order for ALTR to connect to a database from a new Snowflake account, that account must be Snowflake Enterprise Edition or higher. Additionally, Snowflake must be able to send and receive data from ALTR’s Cloud Governance tools. If your Snowflake Account has restricted network policies, then please ensure that ALTR’s IP addresses are whitelisted. This information can be found on our onboarding documentation.
  • Snowflake does not support External Functions on shared databases. Because of this, any Snowflake databases created from a Snowflake Share such as “Snowflake Sample Data” cannot be connected to ALTR.

ALTR offers two routes for connecting Snowflake Databases:

  • Snowflake Partner Connect, containing a streamlined form to connect any database in a Snowflake Account connected through Snowflake Partner Connect
  • User Authentication, containing a detailed form to connect any Snowflake Databases from any Snowflake Account using any Service User

Connecting Snowflake Partner Connect Databases

If you joined ALTR through Snowflake Partner Connect, ALTR remembers the Snowflake Hostname and Service User information from your Snowflake account. Connecting a database in the Partner Connect form is as simple as selecting the database from a dropdown, giving it a name in ALTR, and choosing optional features for the databases such as:

  1. Classify and Tag Data
  2. If selected, ALTR will attempt to classify your column data to allow you to more easily identify sensitive data. These classifications will also result in Data Tags, and Enterprise ALTR feature that enables you to create Column Access Policies at scale.
  3. Import Access History
  4. If selected, ALTR will access the database’s query history in order to show the last 30 days of data access for Data Usage Analytics

NOTE: If PC_ALTR_DB_PICKER_ROLE exists in your Snowflake account, then it can be safely removed from Snowflake without impacting ALTR’s functionality.

Connecting Snowflake Databases Manually


To connect a database from a Snowflake account other than the one used for Partner Connect,  you can manually do it by providing ALTR with the Snowflake Hostname and Service User information for the database’s Snowflake Account. To manually create and permission a non-Partner Connect Service User, see this guide.

When manually connecting a Snowflake database, ALTR requires the following information:

  • A Name for that database in ALTR
  • The Snowflake Account Hostname. This can be found in the URL for Snowflake’s Classic Console. If you are using the Snowsight UI, this can be found by clicking the link icon when hovering over your account information in the bottom left corner of the Snowsight UI.
  • The Username and Password for the Snowflake Service User . To generate and automatically permission a Snowflake Service User outside of Snowflake Partner Connect, see this guide.
  • The name of the Snowflake Database (This must exactly match the name of the database in Snowflake)
  • Optional: Classify and Tag Data (If selected, ALTR will attempt to classify your columnar data to allow you to more easily identify sensitive data. These classifications will also result in Data Tags, and Enterprise ALTR feature that enables you to create Column Access Policies at scale).
  • Optional: Import Access History (If selected, then ALTR will access the query history in order to show the last 30 days of data access for Data Usage Analytics)

NOTE: If PC_ALTR_DB_PICKER_ROLE exists in your Snowflake account, then it can be safely removed from Snowflake without impacting ALTR’s functionality.

Advanced Settings

ALTR offers advanced configuration options when connecting a database or modifying database connections. Most users do not need to update these settings.

  • Port: This is the network port used to communicate with Snowflake. The default value is 443.
  • Warehouse Name: This is the warehouse that ALTR will use when the Snowflake Service User is executing queries in Snowflake. If this is left blank, ALTR will use the default warehouse for the Service User (this is configured in Snowflake).
  • Role Name: This is the role that ALTR will use when the Snowflake Service User is executing queries in Snowflake. If this is left blank, ALTR will use the default role for the Service User (this is configured in Snowflake).
  • Maximum Data Source Connections: This is the maximum amount of simultaneous open connections ALTR will have open with the Snowflake Database. The default and recommended value is 5.

How to Disconnect a Snowflake Database from ALTR

If your service user is having problems or some other issue has occurred where you want to disconnect a Snowflake database from ALTR, then follow the steps below.

NOTE: You cannot remove a database if there are any columns that are still connected to it. You will need to disconnect the columns first. For the steps to do this, read How to disconnect a column from ALTR.

  1. Click on the Data Sources tab in the left navigation menu.
  2. Click on your Data Source in the table.
  3. Click on Remove Data Source. You will see a confirmation message display if the database has been successfully disconnected. Otherwise, if you had problems trying to disconnect it normally, then ALTR offers the option to Force Disconnect your data source.
Remove Data Source button


Troubleshooting and FAQs

Our frequently asked questions and troubleshooting steps are organized by topics below.

Changing Passwords in ALTR


Question: I changed the password for my Snowflake Partner Connect Service User. How do I change it in ALTR?
Answer: If you change the password for PC_ALTR_USER, please reach out to support@altr.com for assistance.


Connecting a Snowflake database via the Snowflake Partner Connect form

Question: I’m trying to connect a database via the Snowflake Partner Connect form but it isn’t appearing in the dropdown. Why?
Answer: ALTR can only connect databases that the Service User has access to. Try re-executing the stored procedure in order to ensure the service user can see all of the databases in your Snowflake Account.

Due to limitations in Snowflake Data Sharing, ALTR does not support governing databases created from a Data Share. Because of this, shared databases are not included in the dropdown.
ALTR automatically excludes the automatically created databases PC_ALTR_DB from the list, as this database is auto-generated by Snowflake and serves no purpose.


Question:
Why am I getting errors when I try to connect a Snowflake Database via the Partner Connect form?
Answer: Make sure that your service user permissions are up-to-date by re-executing the Stored Procedure.
Also, check that no one has changed the password for PC_ALTR_USER in Snowflake. If that password has changed, then reach out to

ALTR must be able to communicate with Snowflake over the internet to create database connections. Please make sure that ALTR’s IP addresses are whitelisted in your Snowflake Network Policies. Information on ALTR's IP addresses can be found in our onboarding guide.

Connecting a Snowflake Database via the Manual Configuration form

Question: Why am I getting errors when I try to connect a Snowflake Database via the Manual Configuration form?
Answer: Make sure that you have a valid service user and re-execute the Stored Procedure to confirm that the service user has permission to the database.
Also, check that you correctly entered the hostname for the Snowflake account in the format loremipsum.snowflakecomputing.com. See the section earlier in this page for help identifying your Snowflake hostname.
Lastly, make sure that you are entering the correct Service User Username and Password.
If you continue to have issues, reach out to support@altr.com.


Force Disconnecting a Database

Question: I'm  having trouble trying to disconnect a database. How can I solve this problem?
Answer: Certain situations might occur where you will not be able to disconnect a database in ALTR normally. For example, your service user may be having problems or some other issue could exist. This is when it would be appropriate to use our Force Disconnect a Data Source feature that's shown in the screenshot below.

By using the Force Disconnect a Data Source feature, it removes the integration memory from your database connection to ALTR. Be aware that if you choose to do this, then artifacts such as the masking policy, schema objects from your account, etc., might still be left in Snowflake.
Before you proceed, we're also making you aware that:

  • Data sources cannot be removed if they have connected columns. First, you have to disconnect all of the columns from ALTR.
  • You are unable to force remove a data source if there are any active row access policies on it.


NOTE: We recommend that after you force disconnect a data source, you then go back and check Snowflake in case you'd prefer to clear out remnants due to storage limits, security risk policies from ongoing API call requests, or other reasons. To identify and remove them, you can email support@altr.com

Force Remove Data Source button


First section of content