What is the permissions analyzer?
The permissions analyzer is an analytics layer on top of the data store's permissions configuration, providing a report showing actual usage of the permissions assigned in the data store, and surfacing cases of Over-Privileged users and groups/roles. Read here why Over-Privileges are a big risk.
How does the permissions analyzer work?
The permissions analyzer connects to the data store using credentials provided by the user, and reads the metadata information stored in logs and configuration. It then analyzes what users and roles have access to objects they do not use, to help you reach a better fit between your permissions and your actual usage, and reduce risk.
Snowflake DB pre-requisites
To use with Snowflake, you need the following:
- A Snowflake user with read-only access to the Snowflake metadata views
- An enabled virtual data warehouse for the user
- Network policy allowing the user to connect from Satori
Setting up the reader user
If you already have a reader user account, you do not need to set a new one specifically for Satori.
To set up a new reader user, run the following, placing the password in the placeholder:
// Creating the Satori user CREATE USER satori_reader PASSWORD='<CHOOSE_PASSWORD>'; // Creating the Satori role CREATE ROLE satori_reader_role; // Granting read-only privileges on the metadata views for the Satori role GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO satori_reader_role; // Granting the Satori role to the Satori user GRANT ROLE satori_reader_role TO USER satori_reader;
Setting up the virtual data warehouse
You can use an existing virtual data warehouse, or create a new one specifically for the Satori reader user:
// Create a warehouse specific to the Satori user CREATE WAREHOUSE satori_warehouse WITH WAREHOUSE_SIZE=XSMALL; // Enable the warehouse for the Satori user GRANT OPERATE ON WAREHOUSE satori_warehouse TO ROLE satori_reader_role;
Adding a network policy to allow connections from
If your Snowflake account has a network policy limiting traffic to specific subnets, you need to create a network policy allowing the Satori reader account to connect from the Satori network:
CREATE OR REPLACE NETWORK POLICY satori ALLOWED_IP_LIST=('220.127.116.11/32', '18.104.22.168/32', '22.214.171.124/32'); ALTER USER satori_reader SET NETWORK_POLICY = satori;
Using the permissions analyzer
To use the permissions analyzer, click 'Permissions' in the Satori management console, and click "Go!" in the introduction screen.
In the first configuration screen, fill the following details:
- Data store name (A friendly name to associate this data store by, such as "Snowflake Main")
- Hostname (The *.snowflakecomputing.com hostname of your snowflake account)
- Choose the closest GCP/AWS which Satori should use to analyze the data. If you don't have one in the same region as your snowflake, you can use another region, and contact your Satori account manager in case you need a Satori DAC to be configured in that region.
In the second configuration screen, fill the following details:
- Snowflake read-only username (as per the pre-requisites)
- Snowflake read-only password
- The name of the virtual data warehouse you configured for the user
You can now test the connection, and save it.
Once you save the configuration, Satori will immediately start synchronizing your Snowflake metadata, which may take a while, depending on your Snowflake DWH size & complexity.
Producing a new analytics report
Now that everything is set up, navigate to 'Permissions', where you can generate your first analytic report, with the following:
- Over privileged roles
- Over privileged users
- Inactive users
- Least used roles
- Least used tables
To drill down and view specific data to a certain role, click the hyperlink of that role. In the drill-down view you're able to see specific activity of that role done by different users and access to specific tables by that role.