0 0
Read Time:3 Minute, 0 Second

SHARE Restrictions: Imagine a situation in a state-of-the-art healthcare facility where Snowflake is employed to meet its varied data analytics needs. The organization is divided into two key segments: the Research Division, operating on a Business Edition Snowflake account, and the Clinical Division, constrained to a Snowflake Enterprise Edition due to budget limitations. The Research Division has a lot of patient records, data from clinical trials, and important medical research. They want to work together with the Clinical Division, but they can’t share data on an account with a lower Snowflake Edition than the Provider account due to data security and rules.

To tackle this challenge, Snowflake’s Edition-Based Sharing Restrictions step in as the solution. Snowflake offers the OVERRIDE SHARE RESTRICTIONS global privilege, initially bestowed upon the ACCOUNTADMIN role by default. As a result, people with these roles can control the SHARE_RESTRICTIONS setting for their provider accounts. Once the parameter is disabled, the Business-Critical provider account gains the flexibility to include a consumer account with a Non-Business Critical edition in the share.

Implementation

Step1: Create two Accounts with Business-Critical Edition and Enterprise Edition respectively.

Accounts Screenshot

Step2: Login to the Business-Critical Snowflake Account create a new User, role and assign the required privileges using ACCOUNTADMIN.

New User: SHARE_USER
Role Name: MANAGE_SHARE
Privileges: CREATE SHARE, DATABASE, MONITOR (for WH), SCHEMA

/* Create Role, Users and Assign the privileges */

CREATE or REPLACE user SHARE_USER password = 'Thakurji@2020' default_role = MANAGE_SHARE must_change_password = false;

CREATE or replace ROLE MANAGE_SHARE;
GRANT CREATE DATABASE ON ACCOUNT TO role MANAGE_SHARE;
GRANT USAGE on warehouse COMPUTE_WH to role MANAGE_SHARE;
GRANT CREATE SHARE ON ACCOUNT TO role MANAGE_SHARE;
GRANT ROLE MANAGE_SHARE TO USER SHARE_USER;

Step3: Login to the Business-Critical Snowflake Account with new User.

/* create the DB, Tables and Share object */

Create or replace database RESEARCH_DB;
create table CUSTOMER_DETAILS as select * from SNOWFLAKE_SAMPLE_DATA.TPCH_SF1000.CUSTOMER LIMIT 100;

CREATE share CUSTOMER_OBJECT;
grant usage on database RESEARCH_DB to share CUSTOMER_OBJECT;
grant usage on schema RESEARCH_DB.PUBLIC to share CUSTOMER_OBJECT;
grant SELECT on table RESEARCH_DB.PUBLIC.CUSTOMER_DETAILS to share CUSTOMER_OBJECT;
show grants to share CUSTOMER_OBJECT;

Step4: Try to add Enterprise account to SHARE Object

ALTER SHARE CUSTOMER_OBJECT ADD ACCOUNTS = NW11551;

Share Restriction Error

As we have noticed Snowflake reported error while sharing the Objects from Business Critical to Non-Business Critical.

Below are two task that needs to be performed at the Business-Critical side:

  • Grant OVERRIDE SHARE RESTRICTIONS global privilege to new Role.
  • Secondly, Disable SHARE RESTRICTIONS parameter.

Step5: Login to Business Critical with ACCOUNTADMIN and run the below grant command.

GRANT OVERRIDE SHARE RESTRICTIONS ON ACCOUNT TO ROLE MANAGE_SHARE;

Step6: Login to Business Critical with a new user i.e. SHARE_USER and run the command with SHARE_RESTRICTION parameter.

ALTER SHARE CUSTOMER_OBJECT ADD ACCOUNTS = NW11551 SHARE_RESTRICTIONS=FALSE;

Import Database

Result outcomes: Verify the data inside the Enterprise account.

We can see using the SHARE_RESTRICTIONS parameter, we can Enable Data Share with Business-Critical Account to Non business Critical.

/* Query the shared table in Enterprise */

Verify data

With Edition-Based Sharing Restrictions and the OVERRIDE SHARE RESTRICTIONS privilege, Snowflake empowers organizations to share data securely while upholding the highest standards of data integrity and security.

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Leave a Reply

Your email address will not be published. Required fields are marked *