Snowflake Data Source Connections
You can use Okera for policy enforcement of your Snowflake data. To do this, you must establish an Okera connection to your Snowflake database. For information on how to create a Snowflake data source connection, see Create a Snowflake Connection.
Note: If you use Okera's policy synchronization enforcement for Snowflake, you must configure your Snowflake environment before you create your Okera connection to Snowflake.
Okera supports two different policy enforcement mechanisms for Snowflake. (The character limit for Okera Snowflake policies is 5000 characters.)
Policy synchronization enforcement is the only policy enforcement mechanism available for SaaS customers.
Using policy synchronization enforcement, Okera functions as the central policy manager, pushing universal data access policies into Snowflake. This applies Okera's fine-grained access controls onto Snowflake objects, such as roles, permissions, and row access policies, allowing Snowflake to enforce policies defined and managed in Okera, while removing Okera from the Snowflake query execution path. Your Snowflake users can continue to use the full suite of Snowflake features, including Snowflake SQL, drivers, and tools, but the data they can access is governed by Okera.
When you change the Okera permissions for a Snowflake data source, the Snowflake connection must be synchronized with Snowflake so the Okera policy is applied to your Snowflake accounts. This synchronization occurs automatically at a specified interval, but can also be initiated manually, as needed.
Policy synchronization enforcement requires special configuration steps in Snowflake and in Okera before you can effectively create and use your Okera connection to Snowflake. For more information, see Policy Synchronization Enforcement Overview.
Okera's BI Gateway (pushdown processing) is the classic enforcement method for Snowflake. It pushes down full queries (including joins and aggregations) to Snowflake, while enforcing the complete access policy and generating audit log entries. Note that this enforcement mechanism is designed for data read/SELECT queries and not DDL operations on the underlying Snowflake database.
This policy enforcement mechanism is not available to Okera SaaS customers.
For more information, see Use Snowflake BI Gateway Enforcement.