
Policy Synchronization Enforcement Overview

Policy synchronization is the newest, and recommended, Okera policy enforcement mechanism for Snowflake. With policy synchronization enforcement, Okera functions as the central policy manager and pushes its universal data access policies into Snowflake. Okera's fine-grained access controls are translated into native Snowflake objects (roles, grants, and row access policies), so Snowflake itself enforces the policies that are defined and managed in Okera, and Okera is removed from the Snowflake query execution path. Your Snowflake users can continue to use the full suite of Snowflake features, including Snowflake SQL, drivers, and tools, while the data they can access remains governed by Okera.

Important

Policy synchronization enforcement requires special configuration steps in Snowflake before you set up your Okera connection to Snowflake. See Configure Your Snowflake Environment. In addition, if you are a non-SaaS customer, you must select the use of Okera policy synchronization. See Select Use of Policy Synchronization in Your Okera Connection. SaaS customers automatically use policy synchronization because BI gateway enforcement is not available in SaaS environments.

When you change the Okera permissions for a Snowflake data source, or change the configuration of Okera policy synchronization in Snowflake (for example, by adding a new Snowflake database), the Snowflake connection must be synchronized so that the Okera policy is applied to the corresponding Snowflake databases. This synchronization occurs automatically at a specified interval, but can also be triggered manually as needed. See Synchronization Options.

When policy synchronization occurs, Okera ensures that an Okera-generated Snowflake role exists for each Snowflake user, creating the role if needed. The generated role carries the user's Okera privileges and permissions, including row-level and fine-grained access controls, plus the USAGE privilege on the warehouse specified in the Snowflake connection. Each user is assigned exactly one such role.

Important

After policy synchronization has occurred, your Snowflake users should use their Okera-generated Snowflake roles when working with Snowflake.

Okera policy synchronization supports ALL, INSERT, DELETE, and SELECT access for Snowflake data. In Snowflake, ALL expands to the set of privileges that apply to the object type, and that set does not include OWNERSHIP. Consequently, an ALL grant in Okera results in the same set of Snowflake privileges, without OWNERSHIP, so owner-only operations on the object (for example, dropping it) remain unavailable to the generated role.
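The following Snowflake SQL is added here as a verification example; it is not taken from Okera's documentation or product. It checks, for one user, the properties this section describes: that a single Okera-generated role is assigned, that the role carries USAGE on the connection's warehouse, that an Okera ALL grant did not produce OWNERSHIP on a governed table, and that the pushed-down row access policy is attached. The user, role, warehouse and table names (ALICE, OKERA_ROLE_ALICE, ANALYTICS_WH, SALES.PUBLIC.ORDERS) are placeholders, since Okera's actual role-naming convention is not stated on this page.

```sql
-- Added verification example; not Okera's or Snowflake's own code.
-- All object names below are placeholders (assumptions, not from the page):
--   ALICE                 a Snowflake user managed by Okera
--   OKERA_ROLE_ALICE      the Okera-generated role assigned to ALICE
--   ANALYTICS_WH          the warehouse named in the Okera Snowflake connection
--   SALES.PUBLIC.ORDERS   a table whose access Okera governs
-- Run steps 1-4 with a role that can inspect grants (for example ACCOUNTADMIN).

-- 1. Confirm the user is assigned exactly one Okera-generated role.
SHOW GRANTS TO USER ALICE;

-- 2. List everything the generated role may do, then filter for the
--    warehouse USAGE grant. Without it the user cannot run queries on the
--    connection's warehouse, whatever table privileges the role holds.
SHOW GRANTS TO ROLE OKERA_ROLE_ALICE;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'WAREHOUSE' AND "name" = 'ANALYTICS_WH';

-- 3. Check the table privileges the role holds. An Okera ALL grant expands to
--    Snowflake's ALL set without OWNERSHIP, so check_result must never be
--    'UNEXPECTED' for the generated role.
SHOW GRANTS ON TABLE SALES.PUBLIC.ORDERS;
SELECT "privilege",
       "grant_option",
       IFF("privilege" = 'OWNERSHIP', 'UNEXPECTED', 'ok') AS check_result
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "grantee_name" = 'OKERA_ROLE_ALICE'
ORDER BY "privilege";

-- 4. Confirm a row access policy is attached to the governed table.
SELECT policy_name, policy_kind, ref_column_name, policy_status
FROM TABLE(SALES.INFORMATION_SCHEMA.POLICY_REFERENCES(
       REF_ENTITY_NAME   => 'SALES.PUBLIC.ORDERS',
       REF_ENTITY_DOMAIN => 'TABLE'));

-- 5. As the user: switch to the generated role and confirm the row filter
--    applies. Compare the count with what an unrestricted role sees.
USE ROLE OKERA_ROLE_ALICE;
USE WAREHOUSE ANALYTICS_WH;
SELECT COUNT(*) AS visible_rows FROM SALES.PUBLIC.ORDERS;
```

Steps 2 and 3 rely on RESULT_SCAN reading the immediately preceding SHOW command, so run each SHOW/SELECT pair back to back in the same session. If step 1 lists more than one Okera-generated role, or step 3 reports OWNERSHIP, the Snowflake state does not match what policy synchronization is expected to produce and the connection should be re-synchronized before users rely on it.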

Note: Okera policy synchronization reads the SNOWFLAKE.ACCOUNT_USAGE.USERS view to discover users. Because Snowflake latency for this view can be up to two hours, a newly created user might not be processed by policy synchronization, and therefore might not receive a generated role, for up to two hours after creation.
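To see which users a synchronization run cannot yet pick up, compare Snowflake's real-time SHOW USERS output with the latency-bound ACCOUNT_USAGE view. The query below is an added example, not Okera's code; it assumes a role that can run SHOW USERS and read the shared SNOWFLAKE database, such as ACCOUNTADMIN.

```sql
-- Added example, not Okera's code. Lists users that exist in the account but
-- are not yet visible in SNOWFLAKE.ACCOUNT_USAGE.USERS, i.e. users a policy
-- synchronization run will skip until the view catches up (up to two hours).
-- Assumes a role that can run SHOW USERS and read the SNOWFLAKE database.
SHOW USERS;
SELECT s."name"       AS user_name,
       s."created_on" AS created_on,
       DATEDIFF('minute', s."created_on", CURRENT_TIMESTAMP()) AS minutes_since_created
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID())) AS s
LEFT JOIN SNOWFLAKE.ACCOUNT_USAGE.USERS AS u
       ON u.NAME = s."name"
      AND u.DELETED_ON IS NULL
WHERE u.NAME IS NULL
ORDER BY s."created_on" DESC;
```

Users in this list need no action beyond waiting: once they appear in the view, the next scheduled synchronization (or a manual one, see Synchronization Options) creates their role. A user still listed with minutes_since_created well beyond 120 is worth investigating, because view latency alone would not explain it.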

See the following sections: