Getting started with ALTR + Snowflake

Welcome to ALTR! This quick start guide covers the steps required to get started with ALTR and protect your sensitive Snowflake data.

Prerequisites for using ALTR

In order for ALTR to connect to Snowflake, some prerequisites must be met. These include:

  1. A Snowflake Enterprise Edition account (or higher)
    ALTR requires Snowflake features such as Dynamic Data Masking Policies to enforce data governance, which are not available on Standard Edition Snowflake accounts. To get started with ALTR, your Snowflake account must be Enterprise Edition or higher.
  2. Networking rules that allow ALTR to communicate with your Snowflake Account
    If you’ve restricted your Snowflake account to only be accessible from certain IP addresses, you need to add ALTR’s IP addresses to your Snowflake network policies. ALTR’s IP addresses are 144.203.133.160/28, 23.145.219.176/28, and 335.89.45.128/28.
    (If you don’t have restricted network policies for your Snowflake account, you can skip this step)

Joining ALTR through Snowflake Partner Connect

ALTR participates in Snowflake’s Partner Connect Ecosystem, enabling users to get up and running as easily as possible. Snowflake Partner Connect can be accessed by ACCOUNTADMIN users in Snowflake through both Snowflake’s Classic Console and the new Snowsight UI.

Accessing Partner Connect from Snowflake’s Classic Console

  1. Log in to Snowflake’s legacy UI with an account that has ACCOUNTADMIN privileges
  2. Change your active role to ACCOUNTADMIN on the top right
  3. Select the “Partner Connect” icon towards the top right
  4. Select “ALTR” from the list of partners

Accessing Partner Connect from the Snowsight UI

  1. Log into Snowsight as an account with ACCOUNTADMIN privileges
  2. Change your active role to ACCOUNTADMIN in the top left
  3. Expand the “Admin” menu in the left navigation
  4. Select “Partner Connect” in the navigation menu
  5. Select “ALTR” from the list of partners, under the “Security and Governance” section

When you sign up for ALTR through Snowflake Partner Connect, Snowflake will auto-generate a Snowflake Warehouse and Service User for ALTR. ALTR uses these to communicate with your Snowflake account. Snowflake also asks you to select the databases on which to grant USAGE to ALTR. You can ignore this step; ALTR requires more permissions than this to enforce governance. We help you configure these permissions when onboarding onto ALTR.

After clicking “Connect”, ALTR will send you an email to create your ALTR account, set your ALTR password, and start onboarding! ALTR uses the email address associated with your Snowflake account as your username and as the default method for two-factor authentication when logging into our platform.

Once you set your password, you will be greeted by ALTR’s onboarding wizard! The rest of this document will cover how to finalize configuration of your ALTR account, connect your Snowflake databases, and start governing data.

Configuring Snowflake Service User Permissions

The first step during onboarding is to grant ALTR’s service user access to create and enforce governance policies. Two options are available: an express configuration where you execute one line of code and ALTR permissions itself, and a manual configuration where you create and execute a Stored Procedure to grant specific permissions to ALTR.

Express Configuration

In “Express Configuration”, you grant ALTR’s service user ACCOUNTADMIN permissions and ALTR uses ACCOUNTADMIN to grant itself all of the permissions it requires to create and enforce governance policies. ALTR only uses ACCOUNTADMIN to permission PC_ALTR_ROLE during this step of onboarding; all other actions are performed as PC_ALTR_ROLE. If you are uncomfortable granting ALTR ACCOUNTADMIN permissions to your Snowflake account, use the Manual Configuration option.

Manual Configuration

In Manual Configuration, you manually execute grants to PC_ALTR_ROLE required for ALTR to create and enforce governance policies across all of your databases in Snowflake. To make the process easy, ALTR provides a Stored Procedure that automates these permissions. A list of these permissions, and what ALTR uses them for, can be found here. If you prefer to limit ALTR’s access to particular databases, or have questions about particular permissions, reach out to support@altr.com and we are happy to help you configure your service user.

Not comfortable connecting your Snowflake account right away? Click “Request access to a sample Snowflake account” and we’ll work with you to get a sandbox Snowflake Account spun up and connected.

After completing either service user setup, ALTR will reach out to Snowflake and run a test to ensure that PC_ALTR_ROLE has the correct permissions.
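To review the result of either configuration from your own side, the following queries list what PC_ALTR_ROLE can do, check whether ACCOUNTADMIN is still granted to the ALTR integration, and summarize what the service user has executed under each role. This is an added example, not ALTR's stored procedure or test; the service user name is a placeholder for the one Partner Connect generated in your account.

```sql
-- Added example (not ALTR's code). PC_ALTR_ROLE is the role named in this guide;
-- the service user name is a placeholder: replace it with the user that
-- Partner Connect created for ALTR in your account.
SET altr_user = 'REPLACE_WITH_ALTR_SERVICE_USER';

USE ROLE ACCOUNTADMIN;

-- 1. Every privilege PC_ALTR_ROLE holds after onboarding, grouped by object type.
SHOW GRANTS TO ROLE PC_ALTR_ROLE;
SELECT "granted_on", "name", "privilege", "grant_option", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY "granted_on", "name", "privilege";

-- 2. Is ACCOUNTADMIN still granted to the ALTR service user or role?
--    The filter keeps only grants whose grantee is one of those two names.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SELECT "granted_to", "grantee_name", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "grantee_name" IN ($altr_user, 'PC_ALTR_ROLE');

-- 3. What the service user has run, per role and statement type.
--    ACCOUNT_USAGE views lag behind real time, so the most recent
--    statements may not be listed yet.
SELECT role_name,
       query_type,
       COUNT(*)        AS statements,
       MIN(start_time) AS first_seen,
       MAX(start_time) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE user_name = $altr_user
GROUP BY role_name, query_type
ORDER BY role_name, statements DESC;
```

Rows in the third result with role_name ACCOUNTADMIN show when that role was used by the service user, which you can compare against the time you ran Express Configuration.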

Connecting Snowflake Databases During Onboarding

After successfully configuring your service user, you can select which Snowflake databases to connect to ALTR. ALTR’s onboarding allows you to connect up to 25 databases at once. Connecting databases is as simple as selecting them from the dropdown and clicking “Add Databases”.

Upon doing this, ALTR will reach out to Snowflake and make the necessary connections to create and enforce data governance. More information on what exactly ALTR creates when connecting to Snowflake databases can be found here. Once your databases are connected, you can continue to connecting columns to ALTR for governance and creating governance policies on those columns!

Managing Columns in ALTR

Before creating governance policies, you need to connect columns to ALTR. ALTR uses Snowflake’s Dynamic Data Masking Policies to govern data in Snowflake, and connecting columns to ALTR creates those Dynamic Data Masking Policies.

Columns can be connected on the “Data Management” page. To connect a column, click “Add New”. This opens the form where you can specify a column to connect, as well as a “Column Name”, which is the label ALTR will use for that column in our UI. Complete this process for each column you want to include in governance policies.

Don’t want to create governance policies per-column? ALTR enables creation of Column Access Policies in bulk through the use of Data Tags, which is an Enterprise feature. Upgrade to Enterprise, or reach out to support@altr.com, to learn more!

Once columns are connected to ALTR, they will become available when creating Column Access Policies. Connecting columns in ALTR will also enable all queries against that column to be monitored in ALTR’s Query Log!

Creating Column Access Policies

Column Access Policies enable users to control which Snowflake roles can access which columns. Column Access Policies can be configured to completely block access to non-permissioned roles, where a column will be NULLed, as well as with Masking Policies, where the column values are partially or fully replaced with substitute values. More information on masking policies can be found here.

To create Column Access Policies, navigate to the Column Access Policies Tab under the Locks page. From here, you can define how particular Snowflake roles can access particular columns. There are four aspects to each Column Access Policy:

  1. A name for the policy
  2. The User Groups (Snowflake Roles) affected by the policy
  3. The columns affected by the policy
  4. The masking strategy (if applicable) for each column

If a User Group is not included in a Column Access Policy, any attempt to query that column will result in NULL values for the affected columns. If you create conflicting Column Access Policies, where there are multiple different masks defined for a particular role, ALTR will resolve the conflict by enforcing the most permissive policy.
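The Snowflake mechanism underneath this behavior can be seen in a hand-written Dynamic Data Masking policy: one role reads the column in the clear, one reads a masked value, and every other role reads NULL. This is an added illustration, not the policy ALTR creates when you connect a column; the database DEMO_DB (assumed to exist), the CUSTOMERS table, and the roles PII_FULL and PII_MASKED are constructed for the example.

```sql
-- Added example with constructed objects: database DEMO_DB (assumed to exist),
-- table CUSTOMERS, roles PII_FULL and PII_MASKED (assumed to hold SELECT on
-- the table). This is not the policy ALTR generates.
CREATE OR REPLACE TABLE demo_db.public.customers (id INT, email STRING);
INSERT INTO demo_db.public.customers VALUES
  (1, 'alice@example.com'),
  (2, 'bob@example.com');

-- Snowflake allows one masking policy per column, so every rule for the
-- column lives in a single CASE. The least-masked outcome is listed first.
CREATE OR REPLACE MASKING POLICY demo_db.public.email_access
  AS (val STRING) RETURNS STRING ->
  CASE
    -- Listed role with no mask: value returned unchanged.
    WHEN CURRENT_ROLE() = 'PII_FULL' THEN val
    -- Listed role with a partial mask: local part replaced, domain kept.
    WHEN CURRENT_ROLE() = 'PII_MASKED' THEN REGEXP_REPLACE(val, '^[^@]+', '*****')
    -- Any role not named above: column is NULLed.
    ELSE NULL
  END;

-- Attach the policy to the column it governs.
ALTER TABLE demo_db.public.customers
  MODIFY COLUMN email SET MASKING POLICY demo_db.public.email_access;

-- Run the same query under each role to compare what it is allowed to see.
USE ROLE PII_FULL;
SELECT id, email FROM demo_db.public.customers ORDER BY id;

USE ROLE PII_MASKED;
SELECT id, email FROM demo_db.public.customers ORDER BY id;

-- Audit: which columns is this policy attached to, and which masking
-- policies exist in the database at all?
USE ROLE ACCOUNTADMIN;
SELECT policy_name, ref_entity_name, ref_column_name, policy_status
FROM TABLE(demo_db.INFORMATION_SCHEMA.POLICY_REFERENCES(
       POLICY_NAME => 'demo_db.public.email_access'));

SHOW MASKING POLICIES IN DATABASE demo_db;
```

The two audit statements at the end work the same way against a database connected to ALTR, which gives you an independent view of which columns carry a masking policy.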

Once Column Access Policies are defined, your data is governed! Feel free to explore querying the affected columns in Snowflake with various roles. Now that you’re onboarded to ALTR, check out our other features such as Data Usage Analytics, Data Classification, and the Query Log! If you’d like to access any of our Enterprise level governance and security tools, such as Tag-Based Column Access Policies, Row-Access Policies, or Tokenization, reach out to support@altr.com.
