Advanced Snowflake Connection Properties
Various advanced properties can be specified in the Snowflake connection itself. These properties apply to the individual Snowflake connection and should be added to the Snowflake connection definition under Advanced Properties.
Note: Most of the advanced properties are only available if you integrate Okera with Snowflake using policy synchronization. Only the okera.policy_sync.enabled property applies to both policy synchronization and the BI gateway enforcement patterns.
okera.policy_sync.audit_logs: Indicates whether the Snowflake compliance history is logged in Okera's audit logs. Valid values are true (log the compliance history) and false (do not log the compliance history). See Audit Log Processing.
okera.policy_sync.enabled: Identifies the type of policy enforcement used for the Snowflake connection. Valid values are true (policy synchronization is used) or false (BI Gateway enforcement is used). See Select Use of the BI Gateway Enforcement Mechanism and Select Use of the Policy Synchronization Enforcement Mechanism.
okera.policy_sync.install_artifacts: Indicates whether the Okera UDFs should be automatically installed. This option is only available for policy synchronization and should not be changed at this time. Valid values are false. The default is false and should not be changed at this time.
okera.policy_sync.interval: Specifies how often Okera synchronizes Okera policies with Snowflake during process synchronization. Values are specified as a combination of a number and a one- or two-letter code that represents the units. Valid unit codes are h (hours). For example, 1h is one hour and 5000ms is 5000 milliseconds. As a full setting, okera.policy_sync.interval=5m sets the interval to five minutes.
Note: If the setting for POLICY_SYNC_INTERVAL is greater than the setting for okera.policy_sync.interval on a connection, the POLICY_SYNC_INTERVAL setting is used.
In addition, if a custom synchronization interval has been set for a Snowflake connection, you can determine what interval was set by locating the okera.policy_sync.interval setting in the Advanced Properties list on the Connection Details tab for the connection.
okera.policy_sync.scheduled: Indicates whether automatic policy synchronization occurs for a Snowflake connection. Valid values are true (enable automatic synchronization) and false (disable automatic synchronization). See Control Automatic Synchronization.
okera.policy_sync.user_allowed_list: Okera UI users should not use this advanced property. Instead, use the Synchronize permissions for all Snowflake users checkbox and the Synchronize permissions for specific Snowflake users entry box on the Create new Snowflake connection dialog to specify a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag with an off value. You cannot specify both a tag and a list of user names in a single connection. See Permission synchronization.
However, if you use the API to create a Snowflake connection, you can use this property to specify the Snowflake users or tag for which policy synchronization should occur. Valid values for this parameter are either a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag with an
Only one tag can be specified per connection. The syntax for specifying a tag name is tag:<tag-name>:<on or off>. For example, tag:OKERA_UDFS.PUBLIC.OKERA_POLICY_SYNC_TAG:on. To learn how to set up tags for Snowflake users, see Tag Users in Snowflake.
Policies are synced for Snowflake users with the specified usernames or with the Snowflake tag on or off as specified. If no list or tag is specified, all Snowflake users are synced. See Limit Synchronized Users.
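A pre-flight check for values sent through the API, as an added example that is not part of the Okera documentation or product code: the hypothetical function parse_user_allowed_list applies the syntax rules described above and makes explicit that an empty value means every Snowflake user is synced. Rejecting colons inside user names is an assumption of this example.

```python
import re

# Documented tag syntax: tag:<tag-name>:<on or off>
_TAG = re.compile(r"^tag:([^:,\s]+):(on|off)$")
# Assumption of this example: a user name holds no colon, so a mistyped
# tag entry is rejected instead of being treated as a user name.
_USER = re.compile(r"^[^:,\s]+$")


def parse_user_allowed_list(value):
    """Classify an okera.policy_sync.user_allowed_list value.

    Returns ("all", None), ("tag", (name, state)) or ("users", [names]);
    raises ValueError when the value breaks the documented syntax.
    """
    if not value:
        # No list or tag: policies are synced for all Snowflake users.
        return ("all", None)
    if re.search(r"\s", value):
        raise ValueError("spaces are not allowed")
    items = value.split(",")
    if any(i.lower().startswith("tag:") for i in items):
        if len(items) > 1:
            raise ValueError("one tag only, and never a tag mixed with user names")
        m = _TAG.match(value)
        if not m:
            raise ValueError("expected tag:<tag-name>:<on or off>")
        return ("tag", (m.group(1), m.group(2)))
    bad = [i for i in items if not _USER.match(i)]
    if bad:
        raise ValueError(f"invalid user entries: {bad!r}")
    return ("users", items)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for sample in ["", "ALICE,BOB", "ALICE, BOB", "ALICE,tag:DB.SCH.T:on",
                   "tag:OKERA_UDFS.PUBLIC.OKERA_POLICY_SYNC_TAG:on"]:
        try:
            print(repr(sample), "->", parse_user_allowed_list(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```

Treat an "all" result as something to confirm before creating the connection, since it widens synchronization to every Snowflake user.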
okera.service_role_grant.enabled: Enables or disables the use of the Okera role hierarchy in Snowflake. Valid values are true (enable the Okera role hierarchy) or false (disable the Okera role hierarchy). The default is
During policy synchronization, Okera generates Snowflake roles dedicated to Okera policy synchronization for every Snowflake user. Depending on how many Snowflake users you have, the number of roles granted to the okera_role could be significant. To minimize Okera's role footprint in your Snowflake environment, enable the Okera role hierarchy. When enabled, all the Okera-generated Snowflake roles will be stored in a hierarchy under the primary Okera service role (okera_role) that you created when you configured your Snowflake environment for Okera. (By default, the primary Okera service role is called
udfDb: Overrides the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_DB for this connection. The valid value is the name of a Snowflake database dedicated for Okera use. The default is
udfSchema: Overrides the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_SCHEMA for this connection. The valid value is the name of a default schema in the Snowflake database dedicated for Okera use. The default is