Data
Reader small image

You're reading from  Snowflake Cookbook

Product typeBook
Published inFeb 2021
Reading LevelBeginner
PublisherPackt
ISBN-139781800560611
Edition1st Edition
Languages
Python
Tools
Cloud Foundry
Concepts
Data Science
Right arrow
Authors (2):
Hamid Mahmood Qureshi
Hamid Mahmood Qureshi
author image
Hamid Mahmood Qureshi

Hamid Qureshi is a senior cloud and data warehouse professional with almost two decades of total experience, having architected, designed, and led the implementation of several data warehouse and business intelligence solutions. He has extensive experience and certifications across various data analytics platforms, ranging from Teradata, Oracle, and Hadoop to modern, cloud-based tools such as Snowflake. Having worked extensively with traditional technologies, combined with his knowledge of modern platforms, he has accumulated substantial practical expertise in data warehousing and analytics in Snowflake, which he has subsequently captured in his publications.
Read more about Hamid Mahmood Qureshi

Hammad Sharif
Hammad Sharif
author image
Hammad Sharif

Hammad Sharif is an experienced data architect with more than a decade of experience in the information domain, covering governance, warehousing, data lakes, streaming data, and machine learning. He has worked with a leading data warehouse vendor for a decade as part of a professional services organization, advising customers in telco, retail, life sciences, and financial industries located in Asia, Europe, and Australia during presales and post-sales implementation cycles. Hammad holds an MSc. in computer science and has published conference papers in the domains of machine learning, sensor networks, software engineering, and remote sensing.
Read more about Hammad Sharif

View More author details
Right arrow

Chapter 5: Data Protection and Security in Snowflake

For any data analytics solution, securing access to data is of paramount importance. There are two components to this security: authentication (that is, letting a user connect) and authorization (that is, what objects a connected user has access to). Snowflake provides discretionary access control and role-based access control through out-of-the-box and custom roles. This chapter will explore techniques for setting up role hierarchies, adding custom roles, and setting default roles for users.

The following recipes will be covered in this chapter:

  • Setting up custom roles and completing the role hierarchy
  • Configuring and assigning a default role to a user
  • Delineating user management from security and role management
  • Configuring custom roles for managing access to highly secure data
  • Setting up development, testing, pre-production, and production database hierarchies and roles
  • Safeguarding the ACCOUNTADMIN...

Technical requirements

The chapter assumes that you have a Snowflake account already set up.

The code for this chapter can be found at https://github.com/PacktPublishing/Snowflake-Cookbook/tree/master/Chapter05.

Setting up custom roles and completing the role hierarchy

In this recipe, we will introduce new custom roles and learn how and why to complete the role hierarchy. We will also understand how the role hierarchy works in Snowflake.

Getting ready

Before proceeding with this recipe, please ensure that the user you will use has access to the SECURITYADMIN role. Note that this recipe's steps can be run either in the Snowflake web UI or the SnowSQL command-line client.

How to do it…

To create a new custom role, we need to have access to the SECURITYADMIN role, using which we will create a new custom role:

  1. We will start by creating a database called DEV:
    USE ROLE SYSADMIN;
CREATE DATABASE DEV;

    The database should be created successfully.

  2. Next, we will create a table called CUSTOMER, which we will use to grant privileges on:
    USE DATABASE DEV;
CREATE TABLE CUSTOMER
( ID STRING,
NAME STRING);

    The table should be created successfully.

  3. Now, change your role to...

Configuring and assigning a default role to a user

In this recipe, we will assign a default role to a user and understand the sequence in which the default role is determined for a session.

Getting ready

Before proceeding with this recipe, please ensure that the user you will use has access to the SECURITYADMIN role. Note that this recipe's steps can be run in either the Snowflake web UI or the SnowSQL command-line client.

How to do it…

To create a new user and grant a default role, we need to log in as a user who has access to the SECURITYADMIN role, using which we will create a new user:

  1. Create a new user, which we will call marketing_user1. Notice that no role has been granted to the user, and no default role has been specified:
    USE ROLE SECURITYADMIN;
CREATE USER marketing_user1 PASSWORD='password123' MUST_CHANGE_PASSWORD = TRUE;

    The user will be created successfully

  2. Now, log in as marketing_user1 and run the following query to view what...

Delineating user management from security and role management

In this recipe, we will be using Snowflake's built-in roles to isolate access for operational teams that create users and roles and security teams that manage and control the access rights. The USERADMIN Snowflake role provides privileges for creating and managing users without requiring a higher privilege as with SECURITYADMIN. Therefore, the USERADMIN role can be granted to the operations team responsible for onboarding and offboarding users to your Snowflake instance.

Getting ready

Before proceeding with this recipe, please ensure that the user you will modify can use the SECURITYADMIN role. Note that this recipe's steps can be run in either the Snowflake web UI or the SnowSQL command-line client.

How to do it…

We will create a new user to whom we will grant the USERADMIN role:

  1. Create a new database that will be used to demonstrate privilege management:
    USE ROLE SYSADMIN;
CREATE DATABASE...

Configuring custom roles for managing access to highly secure data

In this recipe, we will explore securing access to highly confidential data through a custom role. We will also explore how we can deny access to specific datasets to even the administrative users.

Getting ready

Before proceeding with this recipe, please ensure that the user you will use can use the SECURITYADMIN role. Note that this recipe's steps can be run in either the Snowflake web UI or the SnowSQL command-line client.

How to do it…

We will create a new custom role and demonstrate how it can be configured to control access to sensitive data:

  1. Let's start by creating the database that will hold the sensitive data. In this database, we will also create a table that contains salary information:
    USE ROLE SYSADMIN;
CREATE DATABASE sensitive_data;
CREATE TABLE SALARY
(
  EMP_ID INTEGER,
  SALARY NUMBER
);

    You should see the database and the table created successfully...

Setting up development, testing, pre-production, and production database hierarchies and roles

This recipe will walk you through the setup of different environments, such as development, testing, pre-production and production databases, and schemas, and configuring custom roles for managing access.

Getting ready

Before proceeding with this recipe, please ensure that the user you will use can use the SECURITYADMIN role. Note that this recipe's steps can be run in either the Snowflake web UI or the SnowSQL command-line client.

How to do it…

We will demonstrate the creation of development and production databases, roles, and users. The same concept can be extended if other environments are needed:

  1. Let's start by creating a new user who will act as a DBA for the development environment:
    USE ROLE SECURITYADMIN;
CREATE USER dev_dba_1
PASSWORD = 'password123' 
DEFAULT_ROLE = DEV_DBA_ROLE
MUST_CHANGE_PASSWORD = TRUE;

    The user is created with a success...

Safeguarding the ACCOUNTADMIN role and users in the ACCOUNTADMIN role

This recipe will walk you through techniques to safeguard the ACCOUNTADMIN role from unauthorized access and introduce redundancy in the role membership. The recipe will then walk you through the process of securing users in the ACCOUNTADMIN role through multi-factor authentication (MFA).

Getting ready

Before proceeding with this recipe, please ensure that you have access to the ACCOUNTADMIN user. Note that the steps in this recipe should be run through the Snowflake web UI.

How to do it…

To introduce redundancy in the ACCOUNTADMIN role, we will create a new user and grant that user the ACCOUNTADMIN role. Next, we will enable MFA for the newly created user:

  1. Create a new user that we will give the ACCOUTNADMIN role using the syntax that follows. Make sure that you provide a valid email address for the user. The email address will be used in the next steps to set up MFA:
    USE ROLE SECURITYADMIN...
lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 6 of 12
Next Chapter
You have been reading a chapter from
Snowflake Cookbook
Published in: Feb 2021Publisher: PacktISBN-13: 9781800560611
© 2021 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Authors (2)

author image
Hamid Mahmood Qureshi

Hamid Qureshi is a senior cloud and data warehouse professional with almost two decades of total experience, having architected, designed, and led the implementation of several data warehouse and business intelligence solutions. He has extensive experience and certifications across various data analytics platforms, ranging from Teradata, Oracle, and Hadoop to modern, cloud-based tools such as Snowflake. Having worked extensively with traditional technologies, combined with his knowledge of modern platforms, he has accumulated substantial practical expertise in data warehousing and analytics in Snowflake, which he has subsequently captured in his publications.
Read more about Hamid Mahmood Qureshi

author image
Hammad Sharif

Hammad Sharif is an experienced data architect with more than a decade of experience in the information domain, covering governance, warehousing, data lakes, streaming data, and machine learning. He has worked with a leading data warehouse vendor for a decade as part of a professional services organization, advising customers in telco, retail, life sciences, and financial industries located in Asia, Europe, and Australia during presales and post-sales implementation cycles. Hammad holds an MSc. in computer science and has published conference papers in the domains of machine learning, sensor networks, software engineering, and remote sensing.
Read more about Hammad Sharif

Personalised recommendations for you

Based on your interests and search pattern

Et al.

Et al.

Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.

BookAug 2023230 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages4
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages1
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Mastering Tableau 2023

Mastering Tableau 2023

This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.

BookAug 2023684 pages
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages5
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages2
Data Engineering with AWS

Data Engineering with AWS

Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.

BookOct 2023636 pages5
Modern Data Architecture on AWS

Modern Data Architecture on AWS

Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.

BookAug 2023420 pages5
Practical Guide to Applied Conformal Prediction in Python

Practical Guide to Applied Conformal Prediction in Python

Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.

BookDec 2023240 pages
TinyML Cookbook

TinyML Cookbook

With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.

BookNov 2023664 pages