Advanced Snowflake Connection Properties
Various advanced properties can be specified in the Snowflake connection itself. These properties apply to the individual Snowflake connection and should be added to the Snowflake connection definition under Advanced Properties.
Note: Most of the advanced properties are only available if you integrate Okera with Snowflake using policy synchronization. Only the okera.policy_sync.enabled property applies to both policy synchronization and the BI gateway enforcement patterns.
- okera.policy_sync.audit_logs: Indicates whether the Snowflake compliance history is logged in Okera's audit logs. Valid values are true (log the compliance history) and false (do not log the compliance history). See Audit Log Processing.
- okera.policy_sync.enabled: Identifies the type of policy enforcement used for the Snowflake connection. Valid values are true (policy synchronization is used) or false (BI Gateway enforcement is used). See Select Use of the BI Gateway Enforcement Mechanism and Select Use of the Policy Synchronization Enforcement Mechanism.
- okera.policy_sync.install_artifacts: Indicates whether the Okera UDFs should be automatically installed. This option is only available for policy synchronization. Valid values are true or false. The default is false and should not be changed at this time.
- okera.policy_sync.interval: Specifies how often Okera synchronizes Okera policies with Snowflake during process synchronization. Values are specified as a combination of a number and a one- or two-letter code that represents the units. Valid unit codes are ns (nanoseconds), us (microseconds), ms (milliseconds), s (seconds), m (minutes), and h (hours). For example, 1h is one hour and 5000ms is 5000 milliseconds. For example, okera.policy_sync.interval=5m sets the interval to five minutes.

  Note: If the setting for POLICY_SYNC_INTERVAL is greater than the setting for okera.policy_sync.interval on a connection, the POLICY_SYNC_INTERVAL setting is used.

  In addition, if a custom synchronization interval has been set for a Snowflake connection, you can determine what interval was set by locating the okera.policy_sync.interval setting in the Advanced Properties list on the Connection Details tab for the connection.
- okera.policy_sync.scheduled: Indicates whether automatic policy synchronization occurs for a Snowflake connection. Valid values are true (enable automatic synchronization) and false (disable automatic synchronization). See Control Automatic Synchronization.
- okera.policy_sync.user_allowed_list: Okera UI users should not use this advanced property. Instead, use the Synchronize permissions for all Snowflake users checkbox and the Synchronize permissions for specific Snowflake users entry box on the Create new Snowflake connection dialog to specify a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag with an on or off value. You cannot specify both a tag and list of user names in a single connection. See Permission synchronization.

  However, if you use the API to create a Snowflake connection, you can use this property to specify the Snowflake users or tag for which policy synchronization should occur. Valid values for this parameter are either a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag with an on or off tag value.

  Only one tag can be specified per connection. The syntax for specifying a tag name is tag:<tag-name>:<on or off>. For example, tag:OKERA_UDFS.PUBLIC.OKERA_POLICY_SYNC_TAG:on. To learn how to set up tags for Snowflake users, see Tag Users in Snowflake.

  Policies are synced for Snowflake users with the specified usernames or with the Snowflake tag on or off as specified. If no list or tag is specified, all Snowflake users are synced. See Limit Synchronized Users.
- okera.service_role_grant.enabled: Enables or disables the use of the Okera role hierarchy in Snowflake. Valid values are true (enable the Okera role hierarchy) or false (disable the Okera role hierarchy). The default is false.

  During policy synchronization, Okera generates Snowflake roles dedicated to Okera policy synchronization for every Snowflake user. Depending on how many Snowflake users you have, the number of roles granted to the okera_role could be significant. To minimize Okera's role footprint in your Snowflake environment, enable the Okera role hierarchy. When enabled, all the Okera-generated Snowflake roles will be stored in a hierarchy under the primary Okera service role (okera_role) that you created when you configured your Snowflake environment for Okera. (By default, the primary Okera service role is called SERVICE_OKERA_ROLE.)
- udfDb: Overrides the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_DB for this connection. The valid value is the name of a Snowflake database dedicated for Okera use. The default is OKERA_UDFS.
- udfSchema: Overrides the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_SCHEMA for this connection. The valid value is the name of a default schema in the Snowflake database dedicated for Okera use. The default is PUBLIC.
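The rules given above for okera.policy_sync.interval and okera.policy_sync.user_allowed_list can be checked before a connection definition is submitted. The Python below is an added example, not Okera code: the function names are hypothetical, and it assumes intervals are whole numbers, that the connection interval applies whenever POLICY_SYNC_INTERVAL is not greater, and that tag names contain no colons or commas.

```python
import re

# Unit codes listed on this page, converted to nanoseconds.
UNIT_NS = {"ns": 1, "us": 10**3, "ms": 10**6, "s": 10**9,
           "m": 60 * 10**9, "h": 3600 * 10**9}
_INTERVAL = re.compile(r"(\d+)(ns|us|ms|s|m|h)")
_TAG = re.compile(r"tag:([^:\s,]+):(on|off)")


def parse_interval(value):
    """Return an interval such as '5m' or '5000ms' in nanoseconds."""
    match = _INTERVAL.fullmatch(value)
    if not match:
        raise ValueError(f"invalid interval: {value!r}")
    return int(match.group(1)) * UNIT_NS[match.group(2)]


def effective_interval(global_value, connection_value):
    """Apply the page's rule: a greater POLICY_SYNC_INTERVAL is used."""
    if parse_interval(global_value) > parse_interval(connection_value):
        return global_value
    # Assumption: otherwise the connection's own interval applies.
    return connection_value


def parse_user_allowed_list(value):
    """Classify okera.policy_sync.user_allowed_list as tag, users or all."""
    if not value:
        return ("all", None)  # nothing specified: all Snowflake users sync
    if any(ch.isspace() for ch in value):
        raise ValueError("spaces are not allowed in user_allowed_list")
    if value.startswith("tag:"):
        match = _TAG.fullmatch(value)
        if not match:
            raise ValueError("expected tag:<tag-name>:<on or off>, one tag only")
        return ("tag", (match.group(1), match.group(2)))
    users = value.split(",")
    # A tag and a list of user names cannot share one connection.
    if any(not u or u.startswith("tag:") for u in users):
        raise ValueError("empty entry, or tag mixed with user names")
    return ("users", users)
```

An empty value is reported as "all" because an unset list synchronizes every Snowflake user, which is worth flagging in review when a restricted scope was intended.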