Dealing with huge amounts of information that must be secure but still accessible to the right people when needed is a challenge for most organisations. Snowflake, the data cloud platform, provides a powerful framework to manage data safely and efficiently. This blog will explain this access control framework, its importance and some best practices for setting this up within Snowflake.

How does access control work in Snowflake?

 

Access control is the cornerstone of data security in any system. In Snowflake, access control ensures that users have the appropriate level of access to data and resources, minimising the risk of data breaches and ensuring compliance with regulatory requirements. Snowflake’s access control framework combines elements of Discretionary Access Control (DAC) and Role-Based Access Control (RBAC).

Discretionary Access Control (DAC) in Snowflake lets data owners control who can access their data. Owners of an object have the power to grant or revoke permissions based on their needs, offering flexibility and promoting collaboration. This approach allows for precise management of access, ensuring that only authorised users can view or modify specific data. DAC helps maintain data security while allowing for tailored access permissions, making it easier to align access with organisational requirements and individual responsibilities.

Role-based access control (RBAC) is a method for managing user access in an organisation by assigning permissions based on roles rather than individual users. It limits access based on a user's role within the organisation.


RBAC is a powerful and flexible access control model that offers several advantages:

1. Granular Access Control: RBAC allows for fine-grained control over access rights, ensuring that users have only the permissions they need to perform their tasks (the principle of least privilege). This minimises the risk of unauthorised access and potential data breaches, thus enhancing data security.

2. Simplified Administration: Administrators can manage access rights more efficiently by grouping permissions into roles. Instead of assigning permissions individually to users, roles can be assigned and modified as needed, streamlining the process.

3. Scalability: As organisations grow and evolve, their access control needs become more complex. RBAC scales well with organisational changes, allowing for the creation of new roles and adjustment of existing ones to accommodate new requirements.

4. Compliance and Auditing: RBAC helps organisations meet regulatory compliance requirements by providing a clear and auditable access control structure. Roles and permissions can be documented and reviewed to ensure compliance with policies and standards.


For example, a finance role grants access to finance-related data, while a marketing role provides access to only marketing-related data. Employees often have multiple roles, allowing your setup to be flexible so that access can be adjusted when needed. Roles are often based on factors like authority level, responsibilities, or experience. Snowflake combines this setup with the fact that only one role is the owner of an object and controls access to that object. In our example, a finance-related table would be owned by the finance role.

Downsides to the combination of Discretionary Access Control (DAC) and Role-Based Access Control (RBAC) that Snowflake uses are difficult to find. Since object ownership is a powerful tool, it’s important to spend time developing an ownership matrix that matches the structure of your organisation. The same applies to the roles and role hierarchy used with your Snowflake setup. However, this is a small price to pay to ensure a well set up, easy-to-use and, most of all, secure platform.

Key elements of access control

 

Securable objects

In Snowflake, securable objects like tables, views, functions, and stages are organised in a hierarchy within logical containers. At the top level is the customer organisation, followed by the account(s) within the organisation. This account consists of multiple warehouses, databases, roles and other account objects. Within a database, one or more schemas can be created with their schema objects, like tables, views,...

Access control object hierarchy in Snowflake

Roles

Roles in Snowflake are the primary way of managing access to objects. By granting roles to a user or another role, you can easily create a flexible and scalable hierarchy of access permissions. This hierarchy allows for fine-grained control over who can access and perform operations on various data objects.


A role hierarchy

A role hierarchy in Snowflake consists of both system-defined roles and custom ones. 
In this example, the system-defined roles are shown in blue. The USERADMIN role, for example, is used to create and manage users and other roles. That means that this role is the parent of any custom role we create afterwards. 

Example of an access control role hierarchy in Snowflake

The four custom roles we’ve created can be split into two groups. The first group, containing the ENGINEER and ANALYST roles, is intended to be assigned to individuals who have a similar role within our organisation. The ENGINEER role allows the assignee to create and alter objects in our Snowflake account. The ANALYST role allows the assignee to only view already created objects. The second group, with the T_INGEST and T_REPORT roles, contains the technical roles that will be used by application users to ingest data or refresh reports in our reporting tool.

Privileges

Privileges are Snowflake’s way of allowing access to objects created in the account. For each securable object, there is a set of privileges that can be granted on it. Snowflake allows granting privileges both on existing objects and on future objects that are yet to be created in your database and/or schema. This page provides a very detailed overview of which privileges can be granted on which Snowflake objects.

An example of an access control privilege is allowing our previously created ANALYST role to view all tables that are created within the reporting database. In an SQL query this would be:

GRANT SELECT ON ALL TABLES IN DATABASE REPORTING TO ROLE ANALYST;
 

It is important to know that, within your role hierarchy, parent roles inherit the privileges granted to their child roles. In our setup, this means that the top role (ACCOUNTADMIN) inherits the privileges granted to all other roles, for example the privilege to select from all tables in database REPORTING, which we’ve just granted to the ANALYST role.
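The role hierarchy and the ANALYST grant described above, written out as an added example (not code from the original post). How the custom roles link to each other is an assumption here (ANALYST is granted to ENGINEER, and ENGINEER and the technical roles are granted to SYSADMIN), as is the use of SECURITYADMIN to issue the grants. It also adds the USAGE grants, without which the SELECT privilege cannot be exercised, and the future grants mentioned earlier.

```sql
-- Added example; role links and the granting role are assumptions.

-- 1. Create the custom roles with USERADMIN, which then owns them.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS ANALYST;
CREATE ROLE IF NOT EXISTS ENGINEER;
CREATE ROLE IF NOT EXISTS T_INGEST;
CREATE ROLE IF NOT EXISTS T_REPORT;

-- 2. Build the hierarchy. Granting a role to another role makes the
--    receiving role the parent, so it inherits the child's privileges.
GRANT ROLE ANALYST  TO ROLE ENGINEER;   -- ENGINEER can do what ANALYST can
GRANT ROLE ENGINEER TO ROLE SYSADMIN;   -- custom roles roll up to SYSADMIN
GRANT ROLE T_INGEST TO ROLE SYSADMIN;
GRANT ROLE T_REPORT TO ROLE SYSADMIN;

-- 3. Grant read access on REPORTING to ANALYST.
--    SELECT on a table is unusable without USAGE on its database
--    and schema, so grant those first.
USE ROLE SECURITYADMIN;
GRANT USAGE  ON DATABASE REPORTING                TO ROLE ANALYST;
GRANT USAGE  ON ALL SCHEMAS IN DATABASE REPORTING TO ROLE ANALYST;
GRANT SELECT ON ALL TABLES  IN DATABASE REPORTING TO ROLE ANALYST;

-- 4. Future grants: "ALL TABLES" only covers tables that exist now.
--    These cover schemas and tables created later.
GRANT USAGE  ON FUTURE SCHEMAS IN DATABASE REPORTING TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES  IN DATABASE REPORTING TO ROLE ANALYST;

-- 5. Verify what was granted.
SHOW GRANTS TO ROLE ANALYST;             -- privileges ANALYST holds
SHOW GRANTS OF ROLE ANALYST;             -- who ANALYST is granted to (its parents and users)
SHOW FUTURE GRANTS IN DATABASE REPORTING;
```

Because ANALYST is granted to ENGINEER and ENGINEER to SYSADMIN, step 5 should list ENGINEER as a grantee of ANALYST, and the read access flows upward from there without any further grants.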

Users

The final element of access control within Snowflake is the users, which can be created for individuals or applications. According to best practices, users should be created (and owned) by the USERADMIN role. Security-wise, there are multiple ways a user can access the Snowflake account, from a simple user-password combination, with or without multi-factor authentication (MFA) for additional security, to key-pair authentication and single sign-on (SSO). If you’re interested in learning more about Snowflake security, check out this blog.

The importance of access control in Snowflake


Implementing Role-Based Access Control (RBAC) in Snowflake is crucial for several key reasons:

  • Data Security: Ensure that only authorised users can access and transform sensitive data, protecting it from unauthorised access.
  • Operational Efficiency: Good access control reduces the risk of accidental data changes, resulting in more accurate and reliable data operations.
  • Regulatory Compliance: RBAC helps organisations meet data protection regulations like GDPR by providing clear access policies and audit trails.
  • Cost Management: Controlling access to resources helps manage and optimise usage, preventing unnecessary costs.
  • Risk Mitigation: In case of a security incident, RBAC limits potential damage by restricting access to sensitive data and critical resources.

Discretionary Access Control (DAC) in Snowflake offers several advantages:

  • Flexibility: Data owners can easily grant or revoke access based on current needs, allowing for adaptable and dynamic access management.
  • Collaboration: Letting data owners share access creates a collaborative environment while maintaining control over who can see or modify data.
  • Granular Control: DAC provides detailed, fine-tuned access permissions, ensuring that only authorised users can interact with specific data.
  • Security: Owners can tailor access to safeguard sensitive information, reducing the risk of unauthorised data exposure.

Snowflake Access Control: Best practices


Implementing effective access control requires careful planning and ongoing management. As a start, define clear roles and responsibilities. Identify the different roles within your organisation and make sure that each role has the minimum necessary permissions to perform its tasks. Based on these defined roles, create a clean role hierarchy to simplify permission management. Create higher-level roles that contain common permissions and inherit permissions from lower-level roles.

When granting privileges, keep the principle of least privilege in mind: grant users the minimum level of access required for their tasks. Avoid granting excessive permissions that could be exploited in the event of a security breach. Also, limit the granting of system-defined roles to users: only a very limited set of people should have these kinds of rights on your account.

Access control needs change over time as your organisation and the roles within it evolve or new tools or use cases emerge. Regularly review and update roles and permissions to ensure they remain aligned with your current requirements. And finally and most importantly, make sure that the users of your data platform understand the importance of access control and how to use the system securely. Provide training and resources to help users follow best practices and avoid common pitfalls.
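One way to run the periodic review described above, as an added example rather than code from the original post. It queries the ACCOUNT_USAGE views in the shared SNOWFLAKE database, which lag behind live state and are readable by ACCOUNTADMIN by default; the ANALYST role name is taken from the earlier example, and the choice of checks is an assumption about what a review should cover.

```sql
-- Added example: three review queries over SNOWFLAKE.ACCOUNT_USAGE.
-- Rows with deleted_on set are revoked grants or dropped roles.

-- 1. Users who hold a system-defined role directly.
--    This list should be short and every name on it justified.
SELECT grantee_name AS user_name, role, granted_by, created_on
FROM snowflake.account_usage.grants_to_users
WHERE deleted_on IS NULL
  AND role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN', 'USERADMIN')
ORDER BY role, user_name;

-- 2. Roles granted to no user and to no other role. A custom role
--    listed here sits outside the hierarchy, so no parent role
--    inherits (or can oversee) what it owns. PUBLIC and some
--    system roles can appear; review the result by hand.
SELECT r.name AS role_name, r.created_on
FROM snowflake.account_usage.roles r
LEFT JOIN snowflake.account_usage.grants_to_roles g
       ON g.name = r.name
      AND g.granted_on = 'ROLE'
      AND g.privilege = 'USAGE'
      AND g.deleted_on IS NULL
LEFT JOIN snowflake.account_usage.grants_to_users u
       ON u.role = r.name
      AND u.deleted_on IS NULL
WHERE r.deleted_on IS NULL
  AND g.name IS NULL
  AND u.role IS NULL
ORDER BY r.name;

-- 3. Least-privilege drift: anything the read-only ANALYST role
--    holds beyond USAGE and SELECT.
SELECT privilege, granted_on, table_catalog, table_schema, name, granted_by
FROM snowflake.account_usage.grants_to_roles
WHERE granted_to = 'ROLE'
  AND grantee_name = 'ANALYST'
  AND deleted_on IS NULL
  AND privilege NOT IN ('USAGE', 'SELECT')
ORDER BY granted_on, name;
```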

To optimise access control even further, it’s worth it to do a deep dive into topics such as data access policies, data classification and secure data sharing. More on these topics in a future Biztory blog.

Conclusion


Snowflake's access control model is a powerful tool for managing data access in a secure, scalable, and efficient manner. By leveraging roles and privileges, you can ensure that the users of your data platform have the right access to perform their jobs while protecting sensitive data and meeting compliance requirements. Implementing best practices and regularly auditing your access control setup will help maintain a robust and secure environment.

Need a little help getting started? We’re more than happy to have a chat about access control and security best practices and how to start implementing them. 

Author
Kristy Broekmans

Data Engineer at Biztory
