Snowflake Table Grants
Snowflake table grants simplifies the management of privileges in Snowflake when using Immuta. Instead of having to manually grant users access to tables registered in Immuta, you allow Immuta to manage privileges on your Snowflake tables and views according to subscription policies. Then, users subscribed to a data source in Immuta can view and query the Snowflake table, while users who are not subscribed to the data source cannot view or query the Snowflake table.
Enabling Snowflake table grants gives the following privileges to the Immuta Snowflake role:
- `MANAGE GRANTS ON ACCOUNT` allows the Immuta Snowflake role to grant and revoke `SELECT` privileges on Snowflake tables and views that have been added as data sources in Immuta.
- `CREATE ROLE ON ACCOUNT` allows for the creation of a Snowflake role for each user in Immuta, enabling fine-grained, attribute-based access controls to determine which tables are available to which individuals.
Using Snowflake table grants
Since table privileges are granted to roles and not to users in Snowflake, Immuta's Snowflake table grants feature creates a new Snowflake role for each Immuta user. This design allows Immuta to manage table grants through fine-grained access controls that consider the individual attributes of users.
Each Snowflake user with an Immuta account will be granted a role that Immuta manages. The naming convention for this role is `IMMUTA_<username>`, where `IMMUTA` is the prefix you specified when enabling the feature on the Immuta app settings page.
Users will be granted access to each Snowflake table or view automatically when they are subscribed to the corresponding data source in Immuta.
You have two options to query Snowflake tables that are managed by Immuta:
- Use the role that Immuta manages for your user as your active primary role (i.e., `USE ROLE IMMUTA_<username>`). In this example, `IMMUTA` is the prefix you specified when enabling the feature on the Immuta app settings page. If you choose this option of using the current active primary role exclusively, you must ensure that `USAGE` on a Snowflake warehouse is granted to the Immuta-managed Snowflake role for each user.
- Use `USE SECONDARY ROLES ALL`, which allows you to use the privileges from all roles that you have been granted, including `IMMUTA_<username>`, in addition to the current active primary role. Again, `IMMUTA` is the prefix you specified when enabling the feature on the Immuta app settings page. You may also set a value for `DEFAULT_SECONDARY_ROLES` as an object property on a Snowflake user. To learn more about primary roles and secondary roles in Snowflake, see the Snowflake documentation.

Note the following limitations:
- Project workspaces are not supported when Snowflake table grants is enabled.
- If an Immuta instance is connected to an external IAM and that external IAM has a username identical to another username in Immuta's built-in IAM, those users will have the same Snowflake role, leading both to see the same data.
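The following Snowflake SQL is added here as an illustration of both query options and the grant checks an administrator can run; it is not taken from Immuta's documentation. The warehouse `ANALYTICS_WH`, user `ALICE`, existing role `ANALYST`, managed role `IMMUTA_ALICE` (prefix `IMMUTA`) and the Immuta service role name `IMMUTA_SERVICE_ROLE` are placeholders.

```sql
-- Placeholder names (not from the page): warehouse ANALYTICS_WH, user ALICE,
-- existing role ANALYST, managed role IMMUTA_ALICE, service role IMMUTA_SERVICE_ROLE.

-- 1. Audit the account-level privileges held by the Immuta Snowflake role.
--    Expect MANAGE GRANTS and CREATE ROLE; anything broader should be reviewed.
SHOW GRANTS TO ROLE IMMUTA_SERVICE_ROLE;

-- 2. Option A: use the Immuta-managed role as the active primary role.
--    The managed role must hold USAGE on a warehouse, or queries cannot run.
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE IMMUTA_ALICE;
USE ROLE IMMUTA_ALICE;
USE WAREHOUSE ANALYTICS_WH;

-- 3. Option B: keep the usual primary role and add all granted roles as
--    secondary roles, so IMMUTA_ALICE's SELECT grants apply alongside it.
USE ROLE ANALYST;
USE WAREHOUSE ANALYTICS_WH;
USE SECONDARY ROLES ALL;

--    Make option B the default for the user so each new session picks it up.
ALTER USER ALICE SET DEFAULT_SECONDARY_ROLES = ('ALL');

-- 4. Confirm which primary and secondary roles are active in this session.
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();

-- 5. List exactly which tables and views the managed role can read. These
--    should match the user's Immuta subscriptions and nothing else.
SHOW GRANTS TO ROLE IMMUTA_ALICE;
```

Steps 1 and 5 are the useful periodic checks: a managed role carrying grants beyond `SELECT` on subscribed data sources indicates a privilege that was granted outside Immuta.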