Advanced Snowflake Connection Properties

Various advanced properties can be specified in the Snowflake connection itself. These properties apply to the individual Snowflake connection and should be added to the Snowflake connection definition under Advanced Properties.

Note: Most of the advanced properties are only available if you integrate Okera with Snowflake using policy synchronization. Only the okera.policy_sync.enabled property applies to both policy synchronization and the BI gateway enforcement patterns.

  • okera.policy_sync.audit_logs: Indicates whether the Snowflake compliance history is logged in Okera's audit logs. Valid values are true (log the compliance history) and false (do not log the compliance history). See Audit Log Processing.

  • okera.policy_sync.enabled: Identifies the type of policy enforcement used for the Snowflake connection. Valid values are true (policy synchronization is used) or false (BI Gateway enforcement is used). See Select Use of the BI Gateway Enforcement Mechanism and Select Use of the Policy Synchronization Enforcement Mechanism.

  • okera.policy_sync.install_artifacts: Indicates whether the Okera UDFs should be automatically installed. This option is only available for policy synchronization. Valid values are true or false. The default is false and should not be changed at this time.

  • okera.policy_sync.interval: Specifies how often Okera synchronizes Okera policies with Snowflake during process synchronization. Values are specified as a number followed by a one- or two-letter code that represents the units. Valid unit codes are ns (nanoseconds), us (microseconds), ms (milliseconds), s (seconds), m (minutes), and h (hours). For example, 1h is one hour, 5000ms is 5000 milliseconds, and okera.policy_sync.interval=5m sets the interval to five minutes.

    Note: If the setting for POLICY_SYNC_INTERVAL is greater than the setting for okera.policy_sync.interval on a connection, the POLICY_SYNC_INTERVAL setting is used.

    In addition, if a custom synchronization interval has been set for a Snowflake connection, you can determine what interval was set by locating the okera.policy_sync.interval setting in the Advanced Properties list on the Connection Details tab for the connection.

  • okera.policy_sync.scheduled: Indicates whether automatic policy synchronization occurs for a Snowflake connection. Valid values are true (enable automatic synchronization) and false (disable automatic synchronization). See Control Automatic Synchronization.

  • okera.policy_sync.user_allowed_list: Okera UI users should not use this advanced property. Instead, use the Synchronize permissions for all Snowflake users checkbox and the Synchronize permissions for specific Snowflake users entry box on the Create new Snowflake connection dialog to specify a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag with an on or off value. You cannot specify both a tag and list of user names in a single connection. See Permission synchronization.

    However, if you use the API to create a Snowflake connection, you can use this property to specify the Snowflake users or tag for which policy synchronization should occur. Valid values for this parameter are either a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag with an on or off tag value.

    Only one tag can be specified per connection. The syntax for specifying a tag name is tag:<tag-name>:<on or off>. For example, tag:OKERA_UDFS.PUBLIC.OKERA_POLICY_SYNC_TAG:on. To learn how to set up tags for Snowflake users, see Tag Users in Snowflake.

    Policies are synced for Snowflake users with the specified usernames or with the Snowflake tag on or off as specified. If no list or tag is specified, all Snowflake users are synced. See Limit Synchronized Users.

  • okera.service_role_grant.enabled: Enables or disables the use of the Okera role hierarchy in Snowflake. Valid values are true (enable the Okera role hierarchy) or false (disable the Okera role hierarchy). The default is false.

    During policy synchronization, Okera generates Snowflake roles dedicated to Okera policy synchronization for every Snowflake user. Depending on how many Snowflake users you have, the number of roles granted to the okera_role could be significant. To minimize Okera's role footprint in your Snowflake environment, enable the Okera role hierarchy. When enabled, all the Okera-generated Snowflake roles will be stored in a hierarchy under the primary Okera service role (okera_role) that you created when you configured your Snowflake environment for Okera. (By default, the primary Okera service role is called SERVICE_OKERA_ROLE.)

  • udfDb: Overrides the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_DB for this connection. The valid value is the name of a Snowflake database dedicated for Okera use. The default is OKERA_UDFS.

  • udfSchema: Overrides the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_SCHEMA for this connection. The valid value is the name of a default schema in the Snowflake database dedicated for Okera use. The default is PUBLIC.
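
The following pre-flight check for the okera.policy_sync.interval and okera.policy_sync.user_allowed_list rules described above is an added example, not Okera code. The function names are hypothetical, and it assumes the interval number is a whole number and that the tag value is written in lowercase (on or off).

```python
import re

# Unit codes listed on the page, expressed in nanoseconds.
_UNIT_NS = {"ns": 1, "us": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_INTERVAL_RE = re.compile(r"(\d+)(ns|us|ms|s|m|h)")
_TAG_RE = re.compile(r"tag:([^:\s,]+):(on|off)")


def parse_interval_ns(value):
    """Parse '<number><unit>' (for example 5m or 5000ms) into nanoseconds."""
    m = _INTERVAL_RE.fullmatch(value)
    if not m:
        raise ValueError(f"invalid interval: {value!r}")
    return int(m.group(1)) * _UNIT_NS[m.group(2)]


def effective_interval_ns(global_interval, connection_interval):
    """A POLICY_SYNC_INTERVAL greater than the connection value is the one used."""
    return max(parse_interval_ns(global_interval),
               parse_interval_ns(connection_interval))


def parse_user_allowed_list(value):
    """Return ('all', None), ('tag', (name, state)) or ('users', [names])."""
    if not value:
        # No list or tag specified: all Snowflake users are synced.
        return ("all", None)
    if re.search(r"\s", value):
        raise ValueError("the value must not contain spaces")
    items = value.split(",")
    if any(item.startswith("tag:") for item in items):
        if len(items) > 1:
            raise ValueError("only one tag, and no user names alongside it")
        m = _TAG_RE.fullmatch(items[0])
        if not m:
            raise ValueError("tag syntax is tag:<tag-name>:<on or off>")
        return ("tag", (m.group(1), m.group(2)))
    if "" in items:
        raise ValueError("empty user name in list")
    return ("users", items)
```

An "all" result is worth flagging in review, because an empty or missing value widens synchronization to every Snowflake user rather than to none.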