Privacera Documentation

Snowflake connector for PolicySync on Privacera Platform

This topic covers how to configure Snowflake PolicySync access control using Privacera Manager.

Snowflake PolicySync prerequisites: users, roles, warehouse, permissions, and UDFs

Before configuring the Snowflake connector, manually create the warehouse, database, user, and roles that PolicySync requires. All of this is done by executing the SQL statements below.

Note

Log in to Snowflake as a user with ACCOUNTADMIN privileges.

Creating PolicySync role

The PRIVACERA_POLICYSYNC_ROLE role, which we will create in this step, will be used in the SNOWFLAKE_ROLE_TO_USE property when configuring Snowflake with Privacera Manager. The grants below give this role account-level administrative privileges (USERADMIN, SYSADMIN, MANAGE GRANTS, and account-wide APPLY MASKING POLICY and APPLY ROW ACCESS POLICY), so treat the credentials of any user that holds it as highly privileged.

  1. Drop the role if it already exists.

    DROP ROLE IF EXISTS "PRIVACERA_POLICYSYNC_ROLE";
    
  2. Create the role.

    CREATE ROLE IF NOT EXISTS "PRIVACERA_POLICYSYNC_ROLE";
    
  3. Grant the USERADMIN role so that PolicySync can create, alter, and drop users and roles.

    GRANT ROLE USERADMIN TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    
  4. Grant the SYSADMIN role so that PolicySync can grant and revoke privileges on users and roles and can create warehouses and databases in the account.

    GRANT ROLE SYSADMIN TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    
  5. Grant MANAGE GRANTS so that the role can manage grants on Snowflake resources account-wide.

    GRANT MANAGE GRANTS ON ACCOUNT TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    
  6. Grant APPLY MASKING POLICY so that the role can apply native masking policies to columns anywhere in the account.

    GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    
  7. Grant APPLY ROW ACCESS POLICY so that the role can apply native row access (row filter) policies to tables anywhere in the account.

    GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE "PRIVACERA_POLICYSYNC_ROLE";

Creating a warehouse

The PRIVACERA_POLICYSYNC_WH warehouse, which we will create in this step, will be used in the SNOWFLAKE_WAREHOUSE_TO_USE property when configuring Snowflake with Privacera Manager.

Create a warehouse for PolicySync. Change the warehouse size according to your deployment.

CREATE WAREHOUSE IF NOT EXISTS "PRIVACERA_POLICYSYNC_WH"
  WITH WAREHOUSE_SIZE = 'XSMALL'
       WAREHOUSE_TYPE = 'STANDARD'
       AUTO_SUSPEND = 600
       AUTO_RESUME = TRUE
       MIN_CLUSTER_COUNT = 1
       MAX_CLUSTER_COUNT = 1
       SCALING_POLICY = 'ECONOMY';

Granting role permission to read access audits

To let the role read access audits from the SNOWFLAKE shared database, run the following.

  1. Grant usage on the warehouse so that PolicySync can run queries against the SNOWFLAKE database to fetch access audits.

    GRANT USAGE ON WAREHOUSE "PRIVACERA_POLICYSYNC_WH" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
  2. Grant the role the imported privileges on the SNOWFLAKE database so that it can read the ACCOUNT_USAGE views that hold the access audits.

    GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    

Creating database for Privacera UDFs

The database name PRIVACERA_DB will be used in the SNOWFLAKE_JDBC_DB property when configuring Snowflake with Privacera Manager.

  1. Create the database. This step is optional: if a database you want to use already exists, skip it.

    CREATE DATABASE IF NOT EXISTS "PRIVACERA_DB";
    
  2. Grant the role access to the database and its schemas so that PolicySync can create UDFs in it.

    GRANT ALL ON DATABASE "PRIVACERA_DB" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    
    GRANT ALL ON ALL SCHEMAS IN DATABASE "PRIVACERA_DB" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
    

Creating user

The user which we will create in this step will be used in the SNOWFLAKE_JDBC_USERNAME and SNOWFLAKE_JDBC_PASSWORD properties when configuring Snowflake with Privacera Manager.

  1. Create the user. Replace <PLEASE_CHANGE> with a strong password; this value is stored in SNOWFLAKE_JDBC_PASSWORD, so keep the configuration file out of version control.

    CREATE USER IF NOT EXISTS "PRIVACERA_POLICYSYNC_USER"
      PASSWORD = '<PLEASE_CHANGE>'
      MUST_CHANGE_PASSWORD = FALSE
      DEFAULT_WAREHOUSE = "PRIVACERA_POLICYSYNC_WH"
      DEFAULT_ROLE = "PRIVACERA_POLICYSYNC_ROLE";
    
  2. Grant the user the PRIVACERA_POLICYSYNC_ROLE role.

    GRANT ROLE "PRIVACERA_POLICYSYNC_ROLE" TO USER "PRIVACERA_POLICYSYNC_USER";
    

Creating owner role

By setting the following property in vars.policysync.snowflake.yml, PolicySync takes ownership of all objects it manages. PolicySync requires this in order to create row-filtering and column-masking policies.

SNOWFLAKE_OWNER_ROLE: "PRIVACERA_POLICYSYNC_ROLE"

Note

If PolicySync is not configured to take ownership of the objects it manages, leave the property value blank.

SNOWFLAKE_OWNER_ROLE: ""

Masking and row level filtering

To use masking and row-level filtering, grant the following on each database that PolicySync manages, replacing <DATABASE_NAME> with the name of the database.

GRANT ALL ON DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL SCHEMAS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON FUTURE SCHEMAS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL TABLES IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON FUTURE TABLES IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON ALL VIEWS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
GRANT ALL ON FUTURE VIEWS IN DATABASE "<DATABASE_NAME>" TO ROLE "PRIVACERA_POLICYSYNC_ROLE";
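The following SQL is added here as a verification example and is not part of Privacera's documentation or product. Run from a session logged in as PRIVACERA_POLICYSYNC_USER, it exercises each capability the grants on this page are meant to provide: reading access audits, creating UDFs in PRIVACERA_DB, and creating and applying native masking and row access policies in a managed database. It assumes a managed database named SALES_DB that has received the grants above; the POLICYSYNC_CHECK schemas, the CUSTOMERS table, the policy and function names and the sample rows are constructed for the check. If any grant is missing, the corresponding statement fails with an authorization error, which tells you exactly which step to revisit.

```sql
-- Added verification example (not Privacera's code). Run as PRIVACERA_POLICYSYNC_USER.
-- Assumptions: the grants from this page have been applied, and "SALES_DB" is a
-- database managed by PolicySync that received the GRANT ALL statements above.
USE ROLE "PRIVACERA_POLICYSYNC_ROLE";
USE WAREHOUSE "PRIVACERA_POLICYSYNC_WH";

-- 1. Inspect what the role actually holds. USERADMIN, SYSADMIN, MANAGE GRANTS,
--    APPLY MASKING POLICY and APPLY ROW ACCESS POLICY should all be listed.
SHOW GRANTS TO ROLE "PRIVACERA_POLICYSYNC_ROLE";

-- 2. Access-audit read: needs USAGE on the warehouse plus IMPORTED PRIVILEGES on
--    the SNOWFLAKE database. ACCOUNT_USAGE data is not real time; QUERY_HISTORY
--    can lag by up to about 45 minutes, so do not expect this session's queries.
SELECT query_id, user_name, role_name, start_time
  FROM snowflake.account_usage.query_history
 ORDER BY start_time DESC
 LIMIT 5;

-- 3. UDF database: needs the grants on PRIVACERA_DB.
CREATE SCHEMA IF NOT EXISTS "PRIVACERA_DB"."POLICYSYNC_CHECK";
CREATE OR REPLACE FUNCTION "PRIVACERA_DB"."POLICYSYNC_CHECK"."IS_EU"(region STRING)
  RETURNS BOOLEAN
  AS $$ region = 'EU' $$;
SELECT "PRIVACERA_DB"."POLICYSYNC_CHECK"."IS_EU"('EU') AS should_be_true;

-- 4. Native policies on a managed database (constructed table and rows).
CREATE SCHEMA IF NOT EXISTS "SALES_DB"."POLICYSYNC_CHECK";
CREATE OR REPLACE TABLE "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS" (
  id     NUMBER,
  email  STRING,
  region STRING
);
INSERT INTO "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS" VALUES
  (1, 'alice@example.com', 'EU'),
  (2, 'bob@example.com',   'US');

-- Column masking: only the PolicySync role sees the clear value.
CREATE OR REPLACE MASKING POLICY "SALES_DB"."POLICYSYNC_CHECK"."MASK_EMAIL"
  AS (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() = 'PRIVACERA_POLICYSYNC_ROLE' THEN val
       ELSE '***MASKED***' END;

-- Row filter: only EU rows are visible.
CREATE OR REPLACE ROW ACCESS POLICY "SALES_DB"."POLICYSYNC_CHECK"."EU_ONLY"
  AS (region STRING) RETURNS BOOLEAN ->
  region = 'EU';

-- Attaching the policies is what needs the account-wide APPLY MASKING POLICY and
-- APPLY ROW ACCESS POLICY grants from the role-creation step.
ALTER TABLE "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS"
  MODIFY COLUMN email SET MASKING POLICY "SALES_DB"."POLICYSYNC_CHECK"."MASK_EMAIL";
ALTER TABLE "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS"
  ADD ROW ACCESS POLICY "SALES_DB"."POLICYSYNC_CHECK"."EU_ONLY" ON (region);

-- Expected: exactly one row (id 1, EU), with the e-mail unmasked for this role.
SELECT * FROM "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS";

-- 5. Clean up. Policies must be detached before the schema holding them is dropped.
ALTER TABLE "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS"
  DROP ROW ACCESS POLICY "SALES_DB"."POLICYSYNC_CHECK"."EU_ONLY";
ALTER TABLE "SALES_DB"."POLICYSYNC_CHECK"."CUSTOMERS"
  MODIFY COLUMN email UNSET MASKING POLICY;
DROP SCHEMA "SALES_DB"."POLICYSYNC_CHECK";
DROP SCHEMA "PRIVACERA_DB"."POLICYSYNC_CHECK";
```

To confirm the policies also bite for other principals, repeat the final SELECT from a session holding a different role: the e-mail column should read ***MASKED*** and, because the row filter is unconditional on role, the US row should still be absent.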

Generalized approach for implementing PolicySync

Use this generalized approach for implementing PolicySync.

  1. Understand how PolicySync works and how it is configured. See PolicySync design and configuration on Privacera Platform.

  2. Decide which PolicySync topology best suits your needs.

  3. Create the required, basic PolicySync configuration. See PolicySync design and configuration on Privacera Platform.

  4. Examine the BASIC and ADVANCED properties, decide which features you want to implement, and set the necessary values in the YAML property file.

Connector name: snowflake

When you create the connector as detailed in PolicySync design and configuration on Privacera Platform, use the following reserved word for the name of the connector:

snowflake

In the formal syntax shown in PolicySync design and configuration on Privacera Platform, replace <ConnectorName> with the value above, and in the example there, replace postgres with it.

Optional Basic Authentication for PolicySync

To optionally enable basic authentication for PolicySync to Snowflake, create a JSON file in your connector instance subdirectory.

The name of the file must be XXX.json.

The sample below is in the Google Cloud service-account key format (note the accounts.google.com and googleapis.com endpoints); the Snowflake username and password themselves are supplied through the SNOWFLAKE_JDBC_USERNAME and SNOWFLAKE_JDBC_PASSWORD properties. Because the file carries a private key, restrict its file permissions to the PolicySync process and keep it out of version control.

An example of the contents of XXX.json:

 {
  "type": "service_account",
  "project_id": "your_project_id",
  "private_key_id": "autogenerated_value",
  "private_key": "-----BEGIN PRIVATE KEY-----autogenerated_value-----END PRIVATE KEY-----\n",
  "client_email": "autogenerated_value",
  "client_id": "autogenerated_value",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/autogenerated_value"
}