A Quick Guide to Data Access Controls for Snowflake

What are Data Access Controls in Snowflake?

Data Access Controls are an essential part of data governance for any database. These controls are necessary to protect data from unauthorized access and usage by malicious actors.

In Snowflake, data access control privileges determine:

1. Who can access, and
2. Use the data to perform operations on specific objects in Snowflake.

Snowflake provides visibility of access controls at a granular level. Snowflake Administrators can see all the privileges each user has and ensure all access privileges comply with the organization’s data governance policies.

What are Role-Based Access Controls (RBACs) in Snowflake?

Snowflake’s role-based access controls define which role gets access to what objects in the database and for which purposes.

RBACs make data governance in Snowflake easy and efficient too. System administrators only need to set up access controls for each role once. After that, when an individual is allocated a specific role, they are automatically given access to data, according to the organization’s governance policies.

In Snowflake, a user can also be assigned multiple roles if required. ​Users can switch roles to perform different actions using separate sets of privileges. Users with appropriate access can also create custom roles.

Snowflake has some system-defined roles such as Account Administrator, Security Administrator, User Administrator, System Administrator, and a default role called Public. Depending on the organization’s requirements, the user administrator can give additional privileges to each role. Security Administrators can also create custom roles in Snowflake and assign specific privileges to them. The privileges associated with a role are inherited by any roles above that role in the hierarchy.

The Data Access Control Considerations in Snowflake

Data Access Controls are granted to roles that are then assigned to individual users. There are several factors that data governance professionals need to consider when creating data control policies for managing secure access to their Snowflake instance and the data stored within the instance.

The Snowflake instance may contain personal data and sensitive personal data of customers, vendors, or employees. While formulating data governance policies, the team needs to assess each role’s specific data access needs and assign privileges accordingly. Personal and Sensitive Personal Data requires additional protection, and access should be carefully restricted.

For example, a payroll analyst might need access to employees’ sensitive personal data like their financial accounts, tax status, age, government tax (Social Security) numbers, etc., to perform daily duties. This data is highly sensitive, and access to it should be very restricted.

On the other hand, an HR analyst might only need access to general employee information like joining dates, resignation dates, positions held, contact information, etc. This is personal information that must be restricted, but to a lesser extent than sensitive personal data.

For more information, read the extensive guide to Data Access Control Considerations in Snowflake.

The Data Access Control Privileges in Snowflake

Once access has been defined, there are further privileges that define the specific operations users can perform on the data within the Snowflake system.

Similar to access control considerations, data governance teams need to carefully assess each role’s duties and responsibilities to determine the appropriate privileges and grant them. To use the previous examples, HR representatives should be able to change the name of the employee. home address details, next of kin and many other fields, but not the date of birth. Payroll should be able to change banking details, update tax information, but other personal data changes are likely not in their remit.

Snowflake has extensive privileges that user administrators can assign to multiple roles. For instance, a database administrator will need database privileges that will allow him to modify and monitor the database or create schemas. However, to safeguard the data itself, organizations need to decide whether the database administrator can only change the schema, but not the data within the database. On the other hand, a data analyst might be only granted querying privileges using the SELECT statement.

For more information, go through the detailed guide on Data Access Control Privileges in Snowflake.

Manage Snowflake Data Access Controls and more with Securiti

Securiti has designed a customized solution that integrates natively with Snowflake and simplifies Data Governance, privacy, and data security with automation.

Data Governance for Snowflake

Securiti incorporates all of the Data Governance features in Snowflake and simplifies policy enforcement with automation. Once Data Governance policies are defined, the solution continuously monitors data access and usage configurations, with automatic alerts that flag any misconfigurations.

The solution also incorporates:

• Dynamic Data masking based on roles and policies to restrict access & usage of sensitive data from unauthorized personnel.
• Table, column, and even row-level access policy enforcement.
• User access history audits to detect any non-compliance with governance policies.

Learn more about Securiti’s Data Governance features for Snowflake

Data Privacy for Snowflake

Securiti specializes in providing cutting-edge, A.I-powered data privacy solutions that automate:

• Data Mapping and Classification of personal data,
• Quick and accurate DSR fulfillment.
  • Using a conversational interface (Auti) you can extract any individual’s personal data within minutes.
• Comprehensive Privacy Risk Assessments that enable proactive approaches.
• Data Breach Management Notifications that meet strict regulatory requirements and notify all impacted parties as quickly as possible.
• The Workflow Orchestration feature uses a simple drag-and-drop design and helps automate various privacy, governance, and security functions within Snowflake.

Learn more about Securiti’s Data Privacy features for Snowflake.

Data Security for Snowflake

Securiti’s solution also incorporates all of Snowflake’s native data security features, including:

• Network Security:
  • Site access is controlled through IP allow and block lists, managed through network policies.
• Account/user authentication:
  • MFA (multi-factor authentication) for increased security for account access by users.
  • Automated security scanning of any misconfigurations. Snowflake Security Administrators can decide to remediate any misconfigurations automatically or receive notifications.
• Compliance with Data Regulations like PCI-DSS, HIPAA, and more.
  • Map security policies to specific standard controls and regulatory compliance.
  • Generate one-click reports to demonstrate compliance coverage to regulators and auditors for various data privacy and security regulations.