Data Access Management
The Data Access Management sub-module controls all Access Management operations at the platform level.
Crawl
An instance-level Data Access Admin can crawl users, roles, and the associated permissions across warehouses, databases, schemas, and tables on all Snowflake connectors hosted within the same instance.
Database and Schema: Provides checkbox options to select specific databases and schemas for crawling. The interface displays selection status in the format (selected/total).
Schedule: In addition to manual crawls, an instance-level Data Access Admin can schedule crawls at defined intervals. This enables periodic sync with the source system and supports consistent access governance.
Grouping of connectors by instance
The created connectors are grouped in the Data Access module according to the associated server instance, shown in a hierarchical tree view on the left side of the page. The tabs displayed for each instance level vary depending on the type of connector.
For Snowflake, the connectors tab lists all connectors hosted under this instance. Connectors are visible in addition to the Instance Details.
Instance Details
The Instance Detail screen displays five tabs:
Instance Summary Tab
The Instance Summary tab serves as the landing page for Snowflake connectors at the instance level. It displays all the connection parameters configured during connector setup. Parameters such as Select Bridge, Connection String, Username, Password, Warehouse, Role, Database, and Credential Manager can be modified if required. Parameters such as Server, Port, and Authentication Type cannot be modified.
Instance Data Access Admins
The Instance Data Access Admins section displays a list of all Instance Data Access Administrators associated with different connectors in the instance.
To add or modify Instance Data Access Admins:
In the Instance Data Access Admins section, click the pencil icon.
Select one or more roles from the list.
Click Save to apply changes.
Role Settings Tab
Allow Add/Edit of Snowflake Roles: When enabled, the selected role can create new Snowflake roles or modify existing ones within the platform.
Allow Delete of Snowflake Roles: When enabled, the selected role can delete Snowflake roles from the platform.
To add or edit Role Settings:
In the Role Settings tab, click the pencil icon.
Use the checkboxes to enable:
Allow Add/Edit of Snowflake Roles
Allow Delete of Snowflake Roles
In Immutable Snowflake Roles, select one or more roles from the list.
Click Save to apply the changes.
User Settings Tab
Allow Add/Edit of Snowflake Users: When enabled, the selected role can create new Snowflake users or modify existing ones within the platform.
Allow Delete of Snowflake Users: When enabled, the selected role can delete Snowflake users from the platform.
Delta Crawl: When enabled, the selected role can run delta crawls in Snowflake to capture only the latest metadata changes.
To configure User Settings:
Go to the User Settings tab.
Click the pencil icon to open the edit window.
Use the checkboxes to enable the following options for the selected role:
Allow Add/Edit of Snowflake Users: Grants permission to create or modify Snowflake users.
Allow Delete of Snowflake Users: Grants permission to delete Snowflake users.
Delta Crawl: Allows triggering delta crawls to capture incremental metadata changes.
Under Immutable Snowflake Users Roles, select one or more roles to protect from modification or deletion.
Click Save to apply the changes.
Notification Tab
Click the pencil icon to configure recipients for each activity notification:
Use the toggle buttons to enable or disable the following notifications:
Changes to Roles/Users during crawling (source system sync)
Changes to Roles/Users from Data Access Management
Configure notifications for Data Access Admin
Select specific application users, teams, or roles as recipients of notifications.
Notifications will be sent to the selected recipients based on the configured settings.
Click Save to apply the changes.
Other Settings
To configure Query Timeout (in seconds):
Go to the Other Settings tab.
Click the pencil icon to enable editing.
In the Query Timeout (in seconds) field, manually enter the desired timeout value in seconds.
This defines how long the system should wait for a query to complete before timing out.
Click Save to apply the changes.
Connectors Tab
The Connectors tab displays a list of all configured Snowflake connectors associated with an instance.
Attributes:
Connector ID: Shows the unique identifier for the connector.
Connection Name: Shows the configured name of the Snowflake connection.
Database: Indicates the name of the connected database.
Last Crawled Date: Captures the most recent date and time of metadata crawl.
The system displays a hierarchical tree where all connectors appear under the instance. Click the connector name to open the connector-level screen.
Roles Tab
The Roles tab displays all roles from Snowflake after the metadata crawl. This tab allows data administrators to review role definitions, privilege mappings, and role hierarchies as captured from the source system.
Attributes:
Snowflake Role: Displays the name of the role as defined in Snowflake.
Role Type: Indicates whether the role is system-defined or custom.
Description: Shows the description associated with the role in Snowflake.
Account Privileges: Lists the account-level privileges assigned to the role.
Source: Identifies the source connector from which the role was crawled.
Warehouse: Displays the associated warehouse(s) for the role, if applicable.
Snowflake Created Date: Indicates the original creation date of the role in Snowflake.
Application Created Date: Shows the date and time the role was crawled into the application.
Application Role: Indicates whether a role with the same name already exists in the application. If a match exists, the roles are synchronized and treated as a single entity across the system.
Parent Role: Displays the parent role, if the current role is part of a role hierarchy.
Users Tab
The Users tab lists all users detected in Snowflake during the metadata crawl. This tab enables data administrators to review user identities, role associations, and relevant access configurations retrieved from the source system.
Attributes:
Snowflake Username: Displays the username as defined in Snowflake.
Login Name: Indicates the login name used by the user to access Snowflake.
Display Name: Shows the user's display or full name, if available.
Email: Lists the email address associated with the user.
Roles: Displays the roles assigned to the user in Snowflake.
Default Role: Indicates the default role configured for the user.
Warehouse: Lists the default or assigned warehouse(s) for the user.
Source: Identifies the connector or source system from which the user was crawled.
Snowflake Created Date: Indicates when the user was created in Snowflake.
Application Created Date: Shows the date and time the user was crawled into the application.
Warehouses Tab
The Warehouses tab lists all virtual warehouses detected in Snowflake during the metadata crawl. This tab allows data administrators to view compute resources, configuration details, and ownership information retrieved from the source system.
Attributes:
Name: Displays the name of the warehouse as defined in Snowflake.
Description: Shows the description or comment associated with the warehouse.
Size: Indicates the configured size of the warehouse (e.g., X-Small, Small, Medium).
Type: Displays the type of warehouse (e.g., standard or multi-cluster).
Owner: Identifies the role or user that owns the warehouse.
State: Shows the current state of the warehouse (e.g., started, suspended).
Connector Level
The following tabs are displayed for each connector level. Navigate to a connector under each server instance in the left-side hierarchical Data Access Management grouping.
Connector Details
The sub-tabs are listed below:
Summary Tab
The Connector Data Access Admins (DAA) can manage various settings for a connector on the Connector Summary page and define the Connector Data Access Administrator roles on this connector.
Enable Access Management & Sync Snowflake Permissions to Application Permissions:
This setting enables or disables the synchronization and management of Snowflake data object permissions for users and roles. When enabled, it aligns Snowflake-level access (databases, schemas, tables) with the application’s internal permission model, ensuring consistent access governance across both systems.
Permission Controls Available under Access Management:
Click the pencil icon to enable the checkbox, select the appropriate permissions, and click Save to apply the changes.
Manage Database Permissions:
Grants the ability to configure and modify user and role-level permissions on Snowflake databases from within the application.
Manage Schema Permissions:
Enables managing access permissions at the schema level, allowing control over who can access or modify schema-level resources.
Manage Table Permissions:
Allows users to manage permissions for individual tables, including granting, revoking, or editing access.
Manage and Assign Masking Policies:
Allows defining and assigning Snowflake masking policies to specific columns to protect sensitive data.
Manage and Assign Row Access Policies:
Supports creating and assigning row-level access policies to filter data visibility for users based on roles or conditions.
Sync Snowflake Permissions to Application Permissions:
When enabled, Snowflake-assigned permissions are automatically reflected in the application, offering a unified view of access control.
Sync Snowflake Masking Policies to Application Policies:
Enables synchronization of existing Snowflake masking policies into the application, allowing centralized visibility and governance.
Sync Application Masking Policies to Snowflake Policies:
Allows masking policies defined in the application to be applied back to Snowflake, supporting bi-directional policy management.
Crawl and Manage Tags:
Enables the crawling of Snowflake tags and supports the management of tags applied to tables or columns within the application.
Enable Tag-based Masking Policies:
Allows configuration of masking policies based on assigned tags, automating sensitive data protection workflows.
Access Cart:
Grants access to the "Access Cart" feature, enabling users to request access or package access control actions for approval workflows.
Connector Data Access Admins
Displays the list of Data Access Admins at the connector level.
Click the pencil icon next to the connector to open the admin configuration.
Choose one or more roles from the list to assign as Data Access Admins.
Click Save to confirm and apply the changes.
Permissions Tab
The Permissions tab displays the mapping of Snowflake permissions across databases, schemas, and tables to corresponding application-specific permissions. This mapping provides a unified view of access control, making it easier to understand and manage user privileges across both systems.
For example, a SELECT permission on a Snowflake table corresponds to Meta Read and Data Read permissions within the application. This ensures that source-level access aligns with the application’s internal permission model for consistent governance.
Notification Tab
The Notification tab allows configuration of alerts related to user, role, and permission changes detected during metadata crawling or performed within the application. This ensures that Data Access Admins and other designated stakeholders stay informed about critical access updates.
Click the pencil icon to configure notification settings for each activity. Use the toggle buttons to enable or disable the following notifications:
Changes to users and roles identified in Snowflake during metadata crawling
Changes to permissions on databases, schemas, tables, and columns observed during crawling (source system sync)
Changes to Row Access Policies and Masking Policies detected during crawling
Permissions modified on Snowflake objects (databases, schemas, tables, columns, etc.) within the Data Access Management module
Policy-level changes (row access, masking) made within Data Access Management
Data Access Admin-specific actions and alerts
Select individual application users, teams, or roles to receive notifications. Notifications will be delivered based on the selected recipients and saved settings.
Click Save to apply the notification configurations.
Databases Tab
The Databases tab provides a consolidated view of Snowflake roles associated with each configured database. It allows administrators to monitor and analyze access at the database level.
Attributes:
Database: Displays the name of the Snowflake database.
Roles: Lists the roles that have access to the database.
Permissions: Displays the specific privileges assigned to each role within the database.
Schemas Tab
The Schemas tab provides a consolidated view of Snowflake users associated with each configured schema. It helps administrators assess user access and role assignments at the database level.
Each user includes the following attributes:
Schema: Displays the schema within the Snowflake database that the user can access.
Roles: Lists the roles assigned to the user within the context of the database.
Permissions: Shows the specific privileges granted to the user on the schema or its objects.
Tables Tab
The Tables tab displays all Snowflake tables crawled into the application, along with the roles and users assigned permissions on each table. Permissions are organized by role, offering clear visibility into access control.
Attributes:
Schema: Shows the schema where the table resides.
Type: Indicates whether the object is a Table, View, or Materialized View.
Table: Displays the name of the table.
Roles: Lists the roles assigned to the table along with the respective permissions.
Tables Column Tab
The Table Columns tab provides detailed insights into individual columns within Snowflake tables, including the data types, masking policies applied, and associated tags. This view supports column-level access governance and data sensitivity tracking.
Attributes:
Schema: Displays the schema containing the table.
Table: Shows the name of the table to which the column belongs.
Table Column: Indicates the name of the specific column.
Column Type: Displays the data type of the column.
Masking Policy: Shows any masking policy applied to the column.
Tag | Value: Lists tags assigned to the column along with the corresponding values.
Tags Tab
The Tags tab provides a comprehensive view of all tags crawled from Snowflake, along with the associations to schemas or columns. It helps administrators track data classification, enforce masking policies, and manage metadata tagging across the environment.
Attributes:
Schema: Displays the schema where the tag is applied.
Tags: Shows the name of the tag.
Allowed Values: Lists the predefined values permitted for the tag.
Comment: Displays any description or comment associated with the tag.
Source: Indicates the origin of the tag.
Masking Policy: Indicates whether a masking policy is associated with the tag.
Created Date: Records when the tag was created.
Owner: Displays the owner responsible for the tag.
Updated By: Indicates the user who last modified the tag.
Masking Policies Tab
The Masking Policies tab displays all masking policies defined or crawled from Snowflake, along with the configurations and associations. This tab enables administrators to manage data obfuscation rules and ensure sensitive data is protected based on user roles and access levels.
Attributes:
Policy: Displays the name of the masking policy.
Policy SQL: Shows the SQL logic defined in the policy.
Policy Scheme: Indicates the structure or format of the masking logic.
Data Type: Specifies the data type to which the policy applies.
Schema: Displays the schema where the policy is defined.
Authorized Roles: Lists roles that are allowed to view unmasked data.
Authorized Users: Lists specific users allowed to view unmasked data.
Comment: Displays any additional information or description for the policy.
Owner: Shows the user or role that owns the policy.
Policy Type: Indicates the category of policy.
Source: Identifies the origin of the policy.
Created Date: Records when the policy was created.
Updated By: Indicates the user who last modified the policy.
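For reference, this is the kind of Snowflake definition that the Policy SQL, Authorized Roles, and tag-based masking attributes describe. It is an added example, not code from the product. The GOVERNANCE and SALES databases, the PII_READER role, and all object names are constructed.

```sql
-- Constructed names throughout: GOVERNANCE.TAGS, GOVERNANCE.POLICIES,
-- SALES.CRM.CUSTOMERS and the PII_READER role are assumptions for illustration.
CREATE TAG IF NOT EXISTS governance.tags.pii_type
  ALLOWED_VALUES 'email', 'phone';

CREATE MASKING POLICY IF NOT EXISTS governance.policies.mask_pii_string
  AS (val STRING) RETURNS STRING ->
  CASE
    -- IS_ROLE_IN_SESSION also matches roles inherited through the role
    -- hierarchy; comparing CURRENT_ROLE() would match only the primary role.
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val
    -- Branch on the tag value of the column currently being masked.
    WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('governance.tags.pii_type') = 'email'
      THEN REGEXP_REPLACE(val, '^[^@]+', '*****')
    ELSE '*****'
  END
  COMMENT = 'STRING columns tagged pii_type; unmasked for PII_READER only';

-- Tag-based assignment: every STRING column carrying the tag is masked.
ALTER TAG governance.tags.pii_type
  SET MASKING POLICY governance.policies.mask_pii_string;

ALTER TABLE sales.crm.customers
  MODIFY COLUMN email SET TAG governance.tags.pii_type = 'email';

-- Check: list the policies now in effect on the table and its columns.
SELECT policy_name, ref_column_name, tag_name, policy_status
FROM TABLE(sales.information_schema.policy_references(
  ref_entity_name   => 'sales.crm.customers',
  ref_entity_domain => 'table'));
```

Running the final query after a crawl gives a source-side view to compare against the Masking Policy and Tag | Value columns shown in the application.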
Row Access Policies Tab
The Row Access Policies tab displays all row-level access control policies defined or crawled from Snowflake. These policies restrict data visibility based on user roles or conditions, helping enforce fine-grained access control.
Attributes:
Policy: Displays the name of the row access policy.
Policy SQL: Shows the SQL logic used to define row-level access conditions.
Schema: Indicates the schema where the policy is created.
Comment: Provides additional notes or descriptions for the policy.
Owner: Shows the user or role that owns the policy.
Source: Identifies where the policy originated.
Created Date: Displays when the policy was created.
Updated By: Shows who last modified the policy.
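A row access policy of the kind listed in the Policy SQL attribute looks like the following in Snowflake. It is an added example, not code from the product. The entitlement table, the SALES_GLOBAL role, and all object names are constructed.

```sql
-- Constructed names throughout: the entitlement table, the SALES_GLOBAL role
-- and SALES.CRM.ORDERS are assumptions for illustration.
CREATE TABLE IF NOT EXISTS governance.policies.region_entitlements (
  role_name STRING,
  region    STRING
);

CREATE ROW ACCESS POLICY IF NOT EXISTS governance.policies.rap_region
  AS (row_region STRING) RETURNS BOOLEAN ->
  -- Global readers see every row, including via inherited roles.
  IS_ROLE_IN_SESSION('SALES_GLOBAL')
  -- Everyone else sees only regions mapped to their primary role.
  -- CURRENT_ROLE() matches the primary role exactly, not inherited roles.
  OR EXISTS (
    SELECT 1
    FROM governance.policies.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()
      AND e.region    = row_region
  );

-- Attach the policy; a table can have only one row access policy at a time.
ALTER TABLE sales.crm.orders
  ADD ROW ACCESS POLICY governance.policies.rap_region ON (region);

-- Check: which objects is the policy attached to, and on which columns?
SELECT ref_entity_name, ref_arg_column_names, policy_status
FROM TABLE(governance.information_schema.policy_references(
  policy_name => 'governance.policies.rap_region'));
```

A role with no entry in the entitlement table and without SALES_GLOBAL in its session sees zero rows, so the policy fails closed.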
Copyright © 2025, OvalEdge LLC, Peachtree Corners GA USA

