In this writeup we explain how to extend Azure Active Directory (AAD) to Snowflake user provisioning so that role assignment is automated as well, with the objective of eliminating, or at least minimizing, the manual effort of assigning users their correct roles in Snowflake after the AAD sync completes.
Common acronyms used throughout this article
AAD – Azure Active Directory
RBAC - Role Based Access Control
SSO – Single Sign-On
Azure Active Directory
Azure Active Directory (referred to as AAD), the cloud counterpart of on-premises Microsoft Active Directory, is Microsoft's cloud-based identity and access management service. It lets employees use SSO for Office 365 apps and thousands of cloud SaaS applications, Snowflake among them. More information about AAD can be accessed here.
Snowflake is a cloud data platform from Snowflake Computing. It is a consumption-based offering that supports workloads such as data engineering, data lakes, data warehousing, data applications, data science and data sharing. More information about the Snowflake Cloud Data Platform can be found here.
Conceptually, the AAD sync with Snowflake (SCIM-based provisioning) works as described below:
Any AAD group assigned to the Snowflake provisioning application is created as a ROLE in Snowflake, with the same name as the group.
Users added to such an AAD group are automatically created in Snowflake as USERS and granted that role.
Apart from the default PUBLIC role and the role derived from the AD group, no other roles are granted to users provisioned from AAD.
The users' default context (default role, warehouse, database and schema) is not set by provisioning; it still has to be set manually with ALTER USER DDL statements.
What indigoChart's extended automation provides:
RBAC architecture derived from the AAD groups themselves.
Categorization of users into AAD groups according to their technical or business function.
RBAC controlled on the AAD side, treating RBAC as a business rather than an IT decision.
A deny-by-default approach when setting the security policies of your data governance matrix: a user receives only the access that an explicit group mapping grants.
Snowflake sync and default role assignment through the automation utility, with no manual context setup for users.
Efficient user and role management across business and technical operations.
A single point of user and role management, namely Azure Active Directory.
Additional privileges managed at the Snowflake level.
How to get started
1. A data governance matrix can be created to address the business, operations and IT user groups of the organization.
2. The suggested user groups can be defined as below; more can be added based on organization-specific requirements:
· CXO Management
· IT Operations and Support
· IT Data and Analytics
· Data Science
· Service Accounts
3. Additionally, a custom metadata table needs to be created to manage COLUMN- and ROW-level masking policies for the target business user groups; this is part of the RBAC setup and will be explained in a forthcoming blog on granular access management with Snowflake.
Suggested AAD Groups:
indigoChart's user sync automation is a scheduled process running in Snowflake that syncs new users and roles added in AAD. It reads the AAD groups (as mirrored into Snowflake roles) to determine which default role and virtual warehouse each user should be assigned.
How indigoChart AAD sync extender can help:
Once the AAD to Snowflake sync has created the groups (roles) and users, the indigoChart automated sync stored procedure (the extender) running in Snowflake assigns each user their respective Snowflake role, virtual warehouse and default context (database and schema).
It maintains a repository of the users' grant information, recorded as the grants are assigned.
It sends an email notification to the user once user creation and default context assignment have succeeded, so the user can sign in via SSO.
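The following is an added example of how such an extender can be built with Snowflake Scripting; it is not indigoChart's utility or Snowflake's own code. It covers the gap described above (SCIM provisioning creates the user and grants the group role but leaves the default context unset) and the extender behaviour (scheduled run, role and warehouse assignment, grants repository). The database and schema `ADMIN.SYNC`, the warehouse names, and the role names `SF_DATA_SCIENCE` and `SF_IT_ANALYTICS` are assumptions; the mapping rows are constructed sample data. The mapping table is the deny-by-default point: a user whose AAD group has no row here is never touched.

```sql
-- Constructed mapping: which AAD-derived role gets which default context.
-- Only roles listed here are ever applied (deny by default); PRIORITY resolves
-- users who are members of more than one mapped group (lowest number wins).
CREATE OR REPLACE TABLE ADMIN.SYNC.ROLE_DEFAULTS (
  role_name         STRING NOT NULL,  -- Snowflake role named after the AAD group
  priority          NUMBER NOT NULL,
  default_warehouse STRING NOT NULL,
  default_database  STRING NOT NULL,
  default_schema    STRING NOT NULL
);
INSERT INTO ADMIN.SYNC.ROLE_DEFAULTS VALUES
  ('SF_DATA_SCIENCE', 10, 'DS_WH', 'ANALYTICS', 'SANDBOX'),   -- assumed names
  ('SF_IT_ANALYTICS', 20, 'BI_WH', 'ANALYTICS', 'REPORTING');  -- assumed names

-- Repository of what was applied to whom, and under which role.
CREATE OR REPLACE TABLE ADMIN.SYNC.USER_DEFAULTS_LOG (
  applied_at        TIMESTAMP_NTZ DEFAULT CURRENT_TIMESTAMP(),
  user_name         STRING,
  role_name         STRING,
  default_warehouse STRING,
  default_namespace STRING,
  applied_by        STRING DEFAULT CURRENT_ROLE()
);

CREATE OR REPLACE PROCEDURE ADMIN.SYNC.APPLY_AAD_DEFAULTS()
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER   -- the owning role must be allowed to ALTER the SCIM-created users
AS
$$
DECLARE
  applied INTEGER DEFAULT 0;
  -- Candidates: live users holding a mapped role whose default role is still unset.
  -- ACCOUNT_USAGE views lag by up to about two hours; SHOW GRANTS TO USER is the
  -- real-time alternative if the schedule is tighter than that.
  todo CURSOR FOR
    SELECT g.grantee_name AS user_name,
           g.role         AS role_name,
           d.default_warehouse,
           d.default_database,
           d.default_schema
    FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS g
    JOIN SNOWFLAKE.ACCOUNT_USAGE.USERS u ON u.name = g.grantee_name
    JOIN ADMIN.SYNC.ROLE_DEFAULTS d ON d.role_name = g.role
    WHERE g.deleted_on IS NULL
      AND u.deleted_on IS NULL
      AND u.default_role IS NULL
    QUALIFY ROW_NUMBER() OVER (PARTITION BY g.grantee_name ORDER BY d.priority) = 1;
BEGIN
  FOR rec IN todo DO
    LET u_name STRING := rec.user_name;
    LET r_name STRING := rec.role_name;
    LET wh     STRING := rec.default_warehouse;
    LET ns     STRING := rec.default_database || '.' || rec.default_schema;
    -- Every identifier is double-quoted with embedded quotes doubled: user names
    -- originate in AAD, so they are untrusted input to the generated DDL.
    LET q_user STRING := '"' || REPLACE(rec.user_name, '"', '""') || '"';
    LET q_role STRING := '"' || REPLACE(rec.role_name, '"', '""') || '"';
    LET q_wh   STRING := '"' || REPLACE(rec.default_warehouse, '"', '""') || '"';
    LET q_ns   STRING := '"' || REPLACE(rec.default_database, '"', '""') || '"."'
                             || REPLACE(rec.default_schema, '"', '""') || '"';
    LET stmt   STRING := 'ALTER USER ' || q_user
                      || ' SET DEFAULT_ROLE = ' || q_role
                      || ', DEFAULT_WAREHOUSE = ' || q_wh
                      || ', DEFAULT_NAMESPACE = ' || q_ns;
    EXECUTE IMMEDIATE :stmt;
    INSERT INTO ADMIN.SYNC.USER_DEFAULTS_LOG
      (user_name, role_name, default_warehouse, default_namespace)
      VALUES (:u_name, :r_name, :wh, :ns);
    applied := applied + 1;
  END FOR;
  RETURN 'Default context applied to ' || applied || ' user(s)';
END;
$$;

-- Schedule it, like the extender's scheduled sync; ADMIN_WH is an assumed warehouse.
CREATE OR REPLACE TASK ADMIN.SYNC.APPLY_AAD_DEFAULTS_TASK
  WAREHOUSE = ADMIN_WH
  SCHEDULE  = '60 MINUTE'
AS
  CALL ADMIN.SYNC.APPLY_AAD_DEFAULTS();
ALTER TASK ADMIN.SYNC.APPLY_AAD_DEFAULTS_TASK RESUME;
```

Two practitioner points. First, the procedure only touches users whose DEFAULT_ROLE is still NULL, so a later manual change by an administrator is not silently overwritten on the next run; if you want drift to be corrected instead, compare against the mapping rather than against NULL. Second, the email step from the description is deliberately left out of the block: Snowflake's SYSTEM$SEND_EMAIL requires a notification integration and can only deliver to verified addresses of users in the account, so it is an environment-specific addition inside the loop rather than something that runs as written here.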