Skip to content

Configure Policy Synchronization for the Okera Cluster (Optional)

Okera provides several Okera configuration parameters you can use to configure policy synchronization for the Okera cluster. Policy synchronization occurs when you synchronize the Snowflake definition in Okera. There are defaults for these parameters, so modifying these parameters is optional. Synchronization can be performed manually, on demand, as well. See Synchronize an Okera Snowflake Connection Manually.

Note: If you are using a SaaS environment, these configuration parameters are not available for your use. Instead, use parameters specified directly in your Snowflake connection. See Advanced Snowflake Connection Properties.

The configuration parameters are:

  • POLICY_SYNC_INTERVAL: This specifies how often Okera synchronizes Okera policies with Snowflake. Values are specified as a combination of a number and a one or two-letter code that represent the units. Valid unit codes are ns (nanoseconds), us (microseconds), ms (milliseconds), s (seconds), m (minutes), and h (hours). For example, 1h is one hour and 5000ms is 5000 milliseconds. The default is 30m (30 minutes). Automatic policy synchronization can be disabled in an individual Okera connection to Snowflake. See Control Automatic Synchronization.

  • POLICY_SYNC_USERS_ALLOWED_LIST: This parameter specifies a default list of users or a tag for whom Okera policies should be synced. Valid values for this parameter are either a comma-separated list of Snowflake users (with no spaces) or a Snowflake tag (with on or off tag values). You cannot specify both a tag and a list of user names. Policies are synced for Snowflake users with the specified usernames or with the Snowflake tag on or off as specified. If no list or tag is specified, all Snowflake users are synced. The default specifications in this parameter can be overridden in the definition of the actual Snowflake connection. See Limit Synchronized Users.

  • POLICY_SYNC_ROLE_PATTERN: This parameter specifies the Snowflake role pattern that Okera should use when generating Okera roles in Snowflake that are used for synchronization. The default is OKERA_%s, where %s is replaced by the user name. See Control Okera-Generated Snowflake Role Names.

    Note: The specified role pattern must not match the Okera service role name (default SERVICE_OKERA_ROLE).

  • POLICY_SYNC_SCHEDULER_ENABLED: This parameter allows you to enable and disable Okera policy synchronization with Snowflake. By default, this parameter is set to false, disabling synchronization. To enable synchronization, set it to true. See Select Use of the Policy Synchronization Enforcement Mechanism in Your Okera Connection.

  • AUDIT_LOGS_SYNC_FREQUENCY_MINS: This parameter specifies the frequency at which Okera syncs audit logs, in minutes. Valid values range from 1 to 180 minutes. The default is 30 minutes. If you specify a value larger than 180 minutes, Okera defaults to 180 minutes. See Audit Log Processing.