Snowflake Native Guide
Learn more about the benefits of Satori for Snowflake and Schedule a demo meeting
It only takes a few minutes to get started with Satori. What you need is listed here:
- Access to Satori's management console.
- The hostname of your Snowflake data store, for example:
abc123.snowflakecomputing.com.
Step 1 - Adding a Snowflake Data Store to Satori
Perform the following steps to connect Satori to your Snowflake account:
- Login to Satori's management console.
- Go to the Data Stores view and click Plus button.
- Select the Snowflake option.
- Enter an informative name for the data store, for example: Sales Data Warehouse.
- Enter the hostname of your Snowflake account, for example:
abc123.snowflakecomputing.com - Select the Data Access Controller that you want to control this Snowflake account by choosing the cloud provider and region of the DAC.
- Click Create.
You will be redirected to the Data Stores list
Step 2 - Configuring the Snowflake Native Integration
- Click on the new data store you created and click the Integration Settings tab.
- Check the Native Integration checkbox.
-
Enter the following connection settings to generate the setup instructions:
- Username - A new Snowflake user instance with this name will be created for Satori to connect to your Snowflake account.
- Account Name - The Snowflake account name uniquely identifies a Snowflake account within your organization. For example:
myorg-account123 - Warehouse for Satori Queries - Satori uses this warehouse to build the data inventory, classify data and set access policies for users. By default, warehouse names are case insensitive. To use a case-sensitive warehouse name enclose it with double quotes. For example:
"Default Warehouse" - Role - A new Snowflake role with this name is created for Satori to connect to your Snowflake account.
Step 3 - Once you have Entered the Connection Settings
- Select Generate Setup Instructions.
- Copy the generated setup statements and execute them in your Snowflake account.
- Click on Test Connection to make sure the connection settings are correct.
Feature Support Matrix
Not all Satori features are supported by the Standard Snowflake edition. The following table lists all the Satori features and their corresponding Snowflake edition:
| Feature | Required Snowflake Edition |
|---|---|
| Audit Log | Standard (basic information), Enterprise (detailed information) |
| User Access Rules | Standard |
| Dynamic Masking | Enterprise |
| Data Filtering | Enterprise |
Satori Snowflake Roles Design
Satori maps dataset access levels to Snowflake by creating three roles for each dataset, corresponding to the three Satori access levels: read, read-write and full access. Satori uses two options for granting the dataset roles to users, depending on what type of user access rules are created on the dataset.
User-Specific Roles
When creating a user access rule for a specific user, for example: john.smith@acme.com or SRV_ETL_BOT, Satori creates a role for the user with the following naming convention: SATORI__USERNAME.
The SATORI__USERNAME role is granted with the dataset role that corresponds to the access level specified in the access rule.
It is common for users to be represented in Satori by their email address while in Snowflake they are sometimes represented differently. This situation requires mapping satori users to local snowflake users.
Existing Roles
When creating a user access rule for an existing Snowflake role, Satori grants the role with the dataset role that corresponds to the access level specified in the access rule.
In the following example, the SRV_DBT_CORE_PRD role is granted full access to the Customer Demographics dataset in Satori:
Snowflake Warehouse Permissions
To successfully use data in Snowflake, users require permission to access the tables or views where the data is located, and usage permissions to a Snowflake compute warehouse that execute their queries.
When you create datasets to control access to tables or views in a Snowflake account, you can also grant usage permissions on warehouses by including them in the dataset.
Alternatively, to grant users with usage permissions to a default warehouse, you can uncomment the section in the setup instructions that grants USAGE permissions to a Snowflake warehouse to the SATORI_BASE_ROLE which is granted to all users by default.
Mapping Satori Users to Local Snowflake Users
Snowflake user objects are identified by unique names. By default, user names are case insensitive and do not contain special characters. In the event that your Snowflake user names are not email addresses, you need to map between your Satori user names and your Snowflake user names.
IMPORTANT NOTE: Satori will not be able to control access to specific users on Snowflake.
The recommended approach to define this mapping is to add a user attribute to the Satori application in your identity provider, and set the name of this attribute in the Data Store Username Mapping option in the Integration Settings of the Snowflake data store in the Satori management console.
Permission and Policy Resolution
The following section explains how Satori selects the correct access rule or security policy when multple options are avaiable:
Creating Multiple User Access Rules
In most cases, users are granted access to data using a single user access rule for each dataset. However, users can be granted access to data using more than one user access rule for the same Snowflake object.
For example: When one access rule is configured on the user and another access rule is configured on a group the user is a member of, or when creating datasets that include the same Snowflake objects.
Enforcing Multiple Masking Profiles
When multiple masking profiles are enforced, Satori merges the masking rules of all relevant profiles. When more than one masking rule is applied to the same data store location, Satori selects the most accurate masking rule.
For example, when one masking rule is defined on a classification category such as PII, and a second masking rule is defined on a classifier such as EMAIL, Satori will choose the second masking rule.
Enforcing Multiple Data Filtering Policies
When multiple data filtering policies are enforced on the same data store location, Satori merges the policies using a union of the list of values.
For example, when one filtering policy allows a user to view the US and CA values for the country field, and a second filtering policy allows a user to view the FR and UK values for the same field, the user sees all four values: US, CA, FR and UK.
Known Limitations
Common Expression Language (CEL)
The native Snowflake integration only supports CEL expressions that lookup a single user attribute. For example: userAttr("countries").
Data Sharing
Satori does not support controlling access to databases in a consumer account that were shared from a provider account. Such databases will not be listed in the Satori data inventory and cannot be included in datasets.