πŸŽ‰ 75% of content is free forever β€” Unlock Premium from $10/mo β†’
CW
Search courses…
πŸ’Ό Servicesℹ️ Aboutβœ‰οΈ ContactView Pricing Plansfrom $10

Access Control: RBAC, DAC, Masking Policies & Row Access

🟒 Free Lesson

Advertisement

Access Control: RBAC, DAC, Masking Policies & Row Access

Architecture Diagram 1: Access Control Hierarchy

Architecture Diagram 2: Dynamic Data Masking Flow

Architecture Diagram 3: RBAC Role Hierarchy Tree

Role-Based Access Control HierarchyACCOUNTADMINSECURITYADMINUSERADMINSYSADMINCustom Roles (Analytics, ETL)Functional Roles (Dev, QA)

Architecture Diagram 4: Dynamic Data Masking Flow

Dynamic Data Masking PipelineQuery ParsingIdentify columnsCurrent rolePolicy LookupCached in memoryCASE expressionTransformFull / Partial / HashNullificationMasked ResultRole-specific viewZero storage cost

Architecture Diagram 5: Row-Level Security Implementation


RBAC is Snowflake's primary access model where permissions are granted to roles, and roles are assigned to users. Users inherit all permissions from assigned roles. The hierarchy includes ACCOUNTADMIN β†’ SECURITYADMIN β†’ USERADMIN β†’ SYSADMIN β†’ custom roles, enabling centralized permission management.

Dynamic Data Masking provides column-level security by transforming data at query time based on the executing role. Unlike static masking, it preserves original data while presenting different views per role β€” full masking, partial masking, hashing, or nullification.

Row-Level Security (RLS) restricts which rows users can query based on role, user attributes, or session context. Row access policies return TRUE/FALSE per row, filtering entire rows from results β€” ensuring users only see authorized data subsets.

Masking Policy Evaluation
masked_value=masking_policy(original_value,current_role,context)masked\_value = masking\_policy(original\_value, current\_role, context)

Limit ACCOUNTADMIN to 2–3 named users for break-glass scenarios. Use SECURITYADMIN for daily security operations. Create functional roles (analyst, developer) and organizational roles (marketing, finance) for clear separation of duties.

  • RBAC: Permissions β†’ Roles β†’ Users (hierarchical inheritance)
  • Dynamic Masking: Column-level security with role-based transformation
  • Row-Level Security: Row filtering based on role/session context
  • Least privilege: Grant minimum necessary permissions; audit quarterly
  • Separation of duties: No single user has both administrative and operational privileges


Detailed Explanation

What is RBAC?

Role-Based Access Control is Snowflake's primary access model: permissions β†’ roles β†’ users.


RBAC Structure

  • Predefined system hierarchy: ACCOUNTADMIN β†’ SECURITYADMIN β†’ USERADMIN β†’ SYSADMIN
  • ACCOUNTADMIN β€” break-glass only (limit to 2–3 named users)
  • Custom roles inherit from system roles or other custom roles
  • Supports organizational hierarchies (department β†’ team β†’ individual)

Discretionary Access Control (DAC)

  • Object-level permissions for fine-grained scenarios
  • Privileges: SELECT, INSERT, UPDATE, DELETE, USAGE
  • GRANT OPTION controls privilege redistribution
  • Useful for temporary access or when RBAC is too coarse

Dynamic Data Masking

  • Column-level security β€” transforms data at query time per role
  • Zero storage overhead β€” original data preserved
  • Masking strategies:
StrategyExampleUse Case
Full masking***Highly sensitive
Partial maskingXX-XX-1234Semi-sensitive
Hash maskingSHA-256Joining on sensitive data
NullificationNULLInvisible data

Row-Level Security (RLS)

  • Filters entire rows from query results based on role/context
  • Policies return TRUE/FALSE per row
  • Essential for multi-tenant applications

Best Practices

  1. Least privilege β€” grant minimum necessary permissions; audit quarterly
  2. Role hierarchies β€” functional roles (analyst, developer) + organizational roles (marketing, finance)
  3. Separation of duties β€” no single user has both admin and operational privileges
  4. Document roles β€” maintain registry with purpose, users, and permissions

Key Takeaway: Limit ACCOUNTADMIN to 2–3 users. Use SECURITYADMIN for daily security operations. Audit access patterns quarterly.

Key Concepts Table

Access ModelGranularityManagementUse Case
RBACRole-levelCentralizedOrganization-wide permissions
DACObject-levelDistributedSpecific access grants
Dynamic MaskingColumn-levelCentralizedData privacy compliance
Row-Level SecurityRow-levelCentralizedMulti-tenant data isolation
System RolePurposeKey PrivilegesTypical Users
ACCOUNTADMINAccount managementEverythingCTO, Security Lead
SECURITYADMINSecurity managementGrants, UsersSecurity Team
USERADMINUser managementUsers, RolesHR, IT Admin
SYSADMINResource managementDB, WarehouseData Engineers
Masking TypeData PreservationQuery PerformanceUse Case
Full MaskingNoneHighHighly sensitive data
Partial MaskingPartialHighSemi-sensitive data
Hash MaskingHash onlyMediumJoining on sensitive data
Null MaskingNoneHighInvisible data

Code Examples

-- Example 1: Create custom roles
CREATE ROLE analytics_role;
CREATE ROLE etl_role;
CREATE ROLE reporting_role;

-- Grant roles to parent role
GRANT ROLE analytics_role TO ROLE sysadmin;
GRANT ROLE etl_role TO ROLE sysadmin;
GRANT ROLE reporting_role TO ROLE sysadmin;

-- Example 2: Grant database privileges
GRANT USAGE ON DATABASE analytics_db TO ROLE analytics_role;
GRANT USAGE ON SCHEMA analytics_db.prod TO ROLE analytics_role;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics_db.prod TO ROLE analytics_role;

-- Example 3: Create masking policy
CREATE OR REPLACE MASKING POLICY ssn_mask AS (val STRING)
RETURNS STRING ->
CASE
    WHEN CURRENT_ROLE() IN ('hr_role', 'security_admin') THEN val
    WHEN CURRENT_ROLE() = 'support_role' THEN 'XXX-XX-' || RIGHT(val, 4)
    ELSE '***-**-****'
END;

-- Apply masking policy to column
ALTER TABLE customer_pii MODIFY COLUMN ssn SET MASKING POLICY ssn_mask;

-- Example 4: Create row access policy
CREATE OR REPLACE ROW ACCESS POLICY regional_access AS (col_region VARCHAR)
RETURNS BOOLEAN ->
CASE
    WHEN CURRENT_ROLE() = 'executive_role' THEN TRUE
    WHEN CURRENT_ROLE() = 'regional_mgr_role'
      AND col_region = CURRENT_ACCOUNT_REGION() THEN TRUE
    ELSE FALSE
END;

-- Apply row access policy to table
ALTER TABLE sales_data ADD ROW ACCESS POLICY regional_access ON (region);

-- Example 5: Grant masking policy usage
GRANT USAGE ON MASKING POLICY ssn_mask TO ROLE analytics_role;

-- Example 6: Create resource monitor with security
CREATE RESOURCE MONITOR security_monitor
    WITH
    CREDIT_QUOTA = 1000
    FREQUENCY = MONTHLY
    TRIGGERS
        ON 100% DO NOTIFY
        ON 100% DO SUSPEND_IMMEDIATELY;

-- Example 7: Monitor access patterns
SELECT 
    user_name,
    role_name,
    query_start_time,
    query_text,
    database_name,
    schema_name
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE query_start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND role_name IN ('analytics_role', 'etl_role', 'reporting_role')
ORDER BY query_start_time DESC;

-- Example 8: Audit role assignments
SELECT 
    grantee_name,
    granted_to,
    grant_option,
    created_on
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE deleted_on IS NULL
ORDER BY grantee_name;

-- Example 9: Dynamic masking with multiple conditions
CREATE OR REPLACE MASKING POLICY pii_mask AS (val STRING, data_type STRING)
RETURNS STRING ->
CASE
    WHEN CURRENT_ROLE() = 'executive_role' THEN val
    WHEN CURRENT_ROLE() = 'hr_role' AND data_type = 'ssn' THEN val
    WHEN CURRENT_ROLE() = 'marketing_role' AND data_type = 'email'
      THEN CONCAT(LEFT(val, 1), '***@***.com')
    WHEN CURRENT_ROLE() = 'support_role' AND data_type = 'ssn'
      THEN CONCAT('***-**-', RIGHT(val, 4))
    WHEN CURRENT_ROLE() = 'analytics_role' THEN '***'
    ELSE '***'
END;

-- Example 10: Row-level security with complex logic
CREATE OR REPLACE ROW ACCESS POLICY department_access AS (
    col_department VARCHAR,
    col_amount NUMBER
)
RETURNS BOOLEAN ->
CASE
    WHEN CURRENT_ROLE() = 'executive_role' THEN TRUE
    WHEN CURRENT_ROLE() = 'dept_head_role'
      AND col_department = CURRENT_ACCOUNT_DEPARTMENT() THEN TRUE
    WHEN CURRENT_ROLE() = 'analyst_role'
      AND col_amount < 10000 THEN TRUE
    WHEN CURRENT_ROLE() = 'team_lead_role'
      AND col_department = CURRENT_ACCOUNT_DEPARTMENT()
      AND col_amount < 50000 THEN TRUE
    ELSE FALSE
END;

Performance Metrics

MetricTargetWarningCritical
Permission Check Latency< 1ms1-5ms> 5ms
Masking Policy Evaluation< 0.5ms0.5-2ms> 2ms
Row Access Policy Evaluation< 1ms1-5ms> 5ms
Role Assignment Count< 5/user5-10/user> 10/user
Policy Count per Table< 1010-20> 20

Best Practices

  1. Implement least privilege: Grant users only the minimum permissions necessary for their job functions. Regularly review and adjust permissions.

  2. Use role hierarchies: Create functional roles for specific job functions and organizational roles for business units. Grant permissions to functional roles.

  3. Limit ACCOUNTADMIN: Restrict ACCOUNTADMIN access to 2-3 named users for break-glass scenarios only. Use SECURITYADMIN for daily security operations.

  4. Document all roles: Maintain a role registry describing each role's purpose, typical users, and granted permissions. Update documentation regularly.

  5. Audit access patterns: Regularly review query history, role assignments, and permission grants to detect anomalies and ensure compliance.

  6. Implement dynamic masking: Apply masking policies to sensitive columns (PII, financial data) to protect data while enabling broad access.

  7. Use row-level security: Implement RLS for multi-tenant applications or scenarios where different users should see different data subsets.

  8. Separate duties: Ensure no single user has both administrative and operational privileges. Implement separation of duties for critical functions.

  9. Monitor security events: Set up alerts for failed login attempts, permission changes, and unusual query patterns.

  10. Regular security reviews: Conduct quarterly access reviews to ensure permissions remain appropriate and compliant with policies.


See Also

⭐

Premium Content

Access Control: RBAC, DAC, Masking Policies & Row Access

Unlock this lesson and 900+ advanced tutorials with a Premium plan.

🎯End-to-end Projects
πŸ’ΌInterview Prep
πŸ“œCertificates
🀝Community Access

Already a member? Log in

Need Expert Snowflake Help?

Get personalized tutoring, project support, or professional consulting.

Advertisement