Introduction
The Snowflake access control package can deploy technical roles and functional roles based on metadata. It manages the privileges of functional roles from metadata describing the desired state: CLOE automatically calculates the difference from the latest deployment and makes the necessary changes in Snowflake.
Technical roles include read/write/execute/owner for each schema. The package uses CLOE database metadata as input to deploy technical roles in Snowflake. It can be used in conjunction with the Snowflake crawler to form a full cycle of Crawling > Create & Update database metadata > Create & Remove roles > Deploy. Roles deleted from the metadata are detected automatically, and CLOE drops them in Snowflake.
Functional role names can be defined and will be deployed by CLOE. In addition, grants to warehouses, grants on read/write/execute/owner and additional grants can be defined per role; CLOE tracks them automatically over time and deploys them to Snowflake.
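A minimal sketch of the desired-state diff described above, as an added example that is not CLOE's own code: the role naming pattern, the metadata layout and all sample names are assumptions. It covers role creation and removal, role-to-role grants and warehouse usage only, and revokes before it grants so access shrinks first.

```python
# Added illustration, not CLOE code: role naming and metadata layout are assumptions.
LEVELS = ("READ", "WRITE", "EXECUTE", "OWNER")

def ident(name):
    # Quote identifiers so a metadata value cannot break out of the statement.
    return '"' + name.replace('"', '""') + '"'

def build_state(schemas, functional):
    """schemas: [(db, schema)]; functional: {role: {"warehouses": [..], "access": [(db, schema, level)]}}"""
    tech = {f"{db}_{sc}_{lvl}" for db, sc in schemas for lvl in LEVELS}
    roles, grants = set(tech), set()
    for fr, spec in functional.items():
        roles.add(fr)
        grants |= {("WAREHOUSE", wh, fr) for wh in spec.get("warehouses", [])}
        for db, sc, lvl in spec.get("access", []):
            name = f"{db}_{sc}_{lvl}"
            if name not in tech:  # refuse grants on roles the metadata does not define
                raise ValueError(f"{fr} references unknown technical role {name}")
            grants.add(("ROLE", name, fr))
    return {"roles": roles, "grants": grants}

def grant_sql(verb, kind, obj, grantee):
    prep = "TO" if verb == "GRANT" else "FROM"
    what = f"ROLE {ident(obj)}" if kind == "ROLE" else f"USAGE ON WAREHOUSE {ident(obj)}"
    return f"{verb} {what} {prep} ROLE {ident(grantee)};"

def plan(previous, desired):
    """Statements that move the last deployed state to the desired state."""
    out = [f"CREATE ROLE IF NOT EXISTS {ident(r)};"
           for r in sorted(desired["roles"] - previous["roles"])]
    # Revoke before granting so privileges shrink first.
    out += [grant_sql("REVOKE", *g) for g in sorted(previous["grants"] - desired["grants"])]
    out += [grant_sql("GRANT", *g) for g in sorted(desired["grants"] - previous["grants"])]
    # Roles removed from the metadata are dropped last, after their grants are gone.
    out += [f"DROP ROLE IF EXISTS {ident(r)};"
            for r in sorted(previous["roles"] - desired["roles"])]
    return out

# Constructed sample metadata: the last deployment and the new desired state.
PREVIOUS = build_state([("DWH", "CORE"), ("DWH", "STAGE")], {
    "FR_ANALYST": {"warehouses": ["WH_BI"],
                   "access": [("DWH", "CORE", "READ"), ("DWH", "STAGE", "READ")]}})
DESIRED = build_state([("DWH", "CORE")], {
    "FR_ANALYST": {"warehouses": ["WH_BI"], "access": [("DWH", "CORE", "READ")]},
    "FR_ENGINEER": {"warehouses": ["WH_ETL"], "access": [("DWH", "CORE", "WRITE")]}})

if __name__ == "__main__":
    print("\n".join(plan(PREVIOUS, DESIRED)))
```

Reviewing the printed plan before it runs against Snowflake is the point where an unintended `DROP ROLE` or a widened grant is cheapest to catch.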
Benefits
- Automatic creation of technical roles based on Snowflake role concept
- Easy deployment of technical and functional roles
- Declarative: define your desired state and CLOE does the rest. No need for manual change scripts.
- Fully integrated into Azure DevOps Pipelines
Flow
The exact deployer flow might differ based on use case and infrastructure.
