Snowflake Data Source Connections
You can use Okera for policy enforcement of your Snowflake data. To do this, you must first establish an Okera connection to your Snowflake database. For information on how to create a Snowflake data source connection, see Create a Snowflake Connection.
Okera supports two different policy enforcement mechanisms for Snowflake. (The character limit for Okera Snowflake policies is 5000 characters.)
Policy synchronization enforcement is the only policy enforcement mechanism available for SaaS customers.
Using policy synchronization enforcement, Okera functions as the central policy manager, pushing universal data access policies into Snowflake. This applies Okera's fine-grained access controls onto Snowflake objects, such as roles, permissions, and row access policies, allowing Snowflake to enforce policies defined and managed in Okera, while removing Okera from the Snowflake query execution path. Your Snowflake users connect to Snowflake normally and can continue to use the full suite of Snowflake features, including Snowflake SQL, drivers, and tools, but the data they can access is governed by Okera.
When you change the Okera permissions for a Snowflake data source, the Snowflake connection must be synchronized with Snowflake so the Okera policy is applied to your Snowflake accounts. This synchronization occurs automatically at a specified interval, but can also be triggered manually, as needed. When policy synchronization occurs, Okera ensures that specific Snowflake roles exist for each Snowflake user, generating the Snowflake roles if needed. An Okera-generated Snowflake role incorporates a user's Okera privileges and permissions, including row-based and fine-grained access controls. Each user is assigned one such role.
After policy synchronization has occurred, your Snowflake users should use their Okera-generated Snowflake roles when working with Snowflake.
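The following Snowflake SQL is an added illustration, not Okera's generated output or code from the Okera documentation. It sketches the kind of objects described above (a per-user role, its grants, and a row access policy) and two checks an administrator can run after a synchronization. All object names (SALES_DB.PUBLIC.ORDERS, OKERA_SYNC_ALICE, ALICE, ORDERS_REGION_RAP) and the policy body are hypothetical; the names and policy text Okera actually generates will differ.

```sql
-- Hypothetical names throughout; hand-written illustration only.

-- 1. A per-user role that carries the user's privileges.
CREATE ROLE IF NOT EXISTS OKERA_SYNC_ALICE;
GRANT USAGE ON DATABASE SALES_DB TO ROLE OKERA_SYNC_ALICE;
GRANT USAGE ON SCHEMA SALES_DB.PUBLIC TO ROLE OKERA_SYNC_ALICE;
GRANT SELECT ON TABLE SALES_DB.PUBLIC.ORDERS TO ROLE OKERA_SYNC_ALICE;
GRANT ROLE OKERA_SYNC_ALICE TO USER ALICE;

-- 2. A row access policy: under this role only EMEA rows are visible.
--    Any other role evaluates the expression to FALSE and sees no rows.
CREATE OR REPLACE ROW ACCESS POLICY SALES_DB.PUBLIC.ORDERS_REGION_RAP
  AS (region VARCHAR) RETURNS BOOLEAN ->
    CURRENT_ROLE() = 'OKERA_SYNC_ALICE' AND region = 'EMEA';

ALTER TABLE SALES_DB.PUBLIC.ORDERS
  ADD ROW ACCESS POLICY SALES_DB.PUBLIC.ORDERS_REGION_RAP ON (region);

-- 3. Check what a session sees when it uses the generated role.
USE ROLE OKERA_SYNC_ALICE;
SELECT DISTINCT region FROM SALES_DB.PUBLIC.ORDERS;

-- 4. Check that the row access policy is attached to the table.
SELECT policy_name, policy_kind, ref_entity_name, ref_column_name
FROM SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES
WHERE ref_database_name = 'SALES_DB'
  AND ref_schema_name = 'PUBLIC'
  AND ref_entity_name = 'ORDERS';

-- 5. List other roles that hold SELECT on the same table. Okera is not in
--    the query path, so these grants are enforced by Snowflake alone.
SELECT grantee_name, privilege, granted_by, created_on
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE granted_on = 'TABLE'
  AND table_catalog = 'SALES_DB'
  AND table_schema = 'PUBLIC'
  AND name = 'ORDERS'
  AND privilege = 'SELECT'
  AND deleted_on IS NULL
  AND grantee_name <> 'OKERA_SYNC_ALICE';
```

The ACCOUNT_USAGE views lag behind live state, so run the last two queries some time after the synchronization completes.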
Policy synchronization enforcement requires special configuration steps in Snowflake and in Okera before you can effectively create and use your Okera connection to Snowflake. For more information, see Configure and Use Snowflake Policy Synchronization Enforcement.
Okera's BI Gateway (pushdown processing) is the classic enforcement method for Snowflake. It pushes down full queries (including joins and aggregations) to Snowflake, while enforcing the complete access policy, as well as audit log entries. Note that this enforcement mechanism is designed for data read/SELECT queries and not DDL operations on the underlying Snowflake database.
This policy enforcement mechanism is not available to Okera SaaS customers.
For more information, see Use Snowflake BI Gateway Enforcement.