Skip to content

Tag Users in Snowflake

You can use Snowflake tags, assigned to Snowflake users, to limit the users that get synchronized with Okera. For information on limiting synchronized users, read Limit Synchronized Users.

This section describes how to tag a user in Snowflake and provides a sample script you might use. For complete information, see Object Tagging in the Snowflake documentation.

Step 1. Create the Snowflake Tag for Okera Syncs

To create the Snowflake tag, log into Snowsight as a user with the ACCOUNTADMIN role. Then copy the following script into a Snowsight worksheet, tailor it, and run it.

USE DATABASE <okera_db>;
DROP TAG IF EXISTS <tag_name>;
CREATE TAG <tag_name> COMMENT = 'OKERA: sync users with tag set : on';
GRANT OWNERSHIP ON TAG <tag_name> TO ROLE SYSADMIN;
SHOW TAGS;

Make appropriate changes for these variables in the script as described in the following table.

Variable
Required to Change?
Default
Description
okera_db No OKERA_UDFS Specify the name of the Snowflake database dedicated for Okera. Okera uses this database to store its user-defined functions (UDFs) and other metadata. The value of this variable must match the setting of the Okera configuration parameter EXTERNAL_OKERA_SECURE_POLICY_DB (default OKERA_UDFS). If you have set or otherwise changed this configuration parameter in the Okera configuration file, the change should be reflected in this script variable.
tag_name Yes --- Specify the name of the tag you want to use to limit Okera policy synchronization.

Note: Okera recommends that all Snowflake object (role, user, database, schema, and view) names be specified in the case used in your Snowflake environment. Typically, this is uppercase. Currently, Okera does not support Snowflake object names in mixed case. See Limitations and Case Considerations.

For example, the script might look like this after it is tailored to use the OKERA_UDFS database and tag name OKERA_POLICY_SYNC_TAG:

USE DATABASE OKERA_UDFS;
DROP TAG IF EXISTS OKERA_POLICY_SYNC_TAG;
CREATE TAG OKERA_POLICY_SYNC_TAG COMMENT = 'OKERA: sync users with tag set : on';
GRANT OWNERSHIP ON TAG OKERA_POLICY_SYNC_TAG TO ROLE SYSADMIN;
SHOW TAGS;

Step 2. Apply the Tag to Users

In a Snowsight worksheet, tailor and run the following command:

ALTER USER <username> SET TAG <tagname> = 'ON';

Substitute the name of a Snowflake user for <username> and the name of the tag you created in Step 1 for <tagname> before you run this command.

Step 3. Verify the Tag is On for a User

To verify the tag is turned on for a user, tailor and run the following command:

SELECT SYSTEM$GET_TAG('<tagname>', '<username>', 'USER')

Substitute the name of the Snowflake user for <username> and the name of the tag you created in Step 1 for <tagname> before you run this command.

Step 4. Apply the Tag to the Okera Snowflake Connection Definition

After the tag has been created and applied to your Snowflake users, return to the Snowflake connection in the Okera UI and add the tag to the connection in the Synchronize permissions for specific Snowflake users box. Tags should be specified using this syntax:

tag:<tag-name>:<on or off>

For example, the following tag specification sets the OKERA_POLICY_SYNC_TAG on. This tag is stored in the OKERA_UDFS.PUBLIC database and schema.

tag:OKERA_UDFS.PUBLIC.OKERA_POLICY_SYNC_TAG:on

Only one tag can be specified per connection. You cannot specify a tag and a list of users in the same Snowflake connection; they are mutually exclusive.