1. Executive Summary

Problem: Most Snowflake governance implementations fail at scale due to manual role management, lack of automation, missing data classification, and weak cost controls.

Recommended approach/pattern: Adopt a layered governance model combining:

• RBAC (Role-Based Access Control)
• Tag-Based Governance (ABAC)
• Dynamic Data Masking
• Automated Cost Control & Monitoring

Where it fits (best use cases):

• Multi-team data platforms
• Regulated environments (PII, financial data)
• Large-scale analytics workloads
• Self-service BI environments

Key outcomes: A scalable, automated, and audit-ready governance framework suitable for enterprise production environments.

What the reader can implement: A practical governance framework using Snowflake-native features without external tooling.

---

2. Background

As organizations centralize data into Snowflake, multiple teams — data engineers, analysts, and business users — begin accessing shared datasets.

This introduces challenges:

• Who should access what data?
• How do we protect sensitive information like PII?
• How do we control warehouse costs?

Snowflake provides built-in governance capabilities that allow us to solve these problems without adding external complexity.

---

3. Problem

3.1 Symptoms

• Over-permissioned roles (users have more access than needed)
• Sensitive data exposed to unauthorized users
• Lack of visibility into who accessed what
• Increasing Snowflake costs due to uncontrolled warehouse usage

3.2 Impact

• Security and compliance risks
• Data breaches or regulatory violations
• Poor governance and auditability
• High operational costs

---

4. Requirements & Assumptions

4.1 Data & SLA

• Data volume: GB–TB scale
• Mixed workloads: Batch + near real-time
• Environments: Dev, UAT, Production

4.2 Security & Compliance

• Data sensitivity: PII, financial, operational data
• Access model: Role-based with least privilege

4.3 Tooling & Constraints

• Snowflake-native governance preferred
• Minimal external dependencies
• Multi-team collaboration

---

5. Recommended Architecture

5.1 High-Level Governance Model

• Access Layer (RBAC) → Who can access
• Policy Layer (Tags + Masking) → What they can see
• Compute Layer (Warehouses + Cost Controls) → How resources are used
• Monitoring Layer (Audit + Alerts) → Who did what

5.2 Architecture Diagram

5.3 Options

Option A: Native Snowflake Governance Features

Use built-in Snowflake capabilities such as RBAC, Dynamic Data Masking, Row Access Policies, and Resource Monitors.

Advantages

• No external tools or infrastructure required
• Centralized governance within Snowflake
• Strong integration with Snowflake security model
• Low operational and maintenance overhead
• Real-time enforcement of access and masking policies

Option B: External Governance & Security Tools

Use external tools such as data governance platforms, IAM systems, or third-party cost monitoring solutions.

Examples:

• Collibra / Alation (Data Governance)
• Azure Purview / AWS Lake Formation
• Custom monitoring tools for cost tracking

Advantages

• Advanced governance workflows and cataloging
• Cross-platform data governance (multi-cloud, multi-data sources)
• More customization and enterprise-wide policy enforcement
• Integration with enterprise IAM and compliance tools

Selection Guide

Choose Native Snowflake Governance when:

• Data is primarily stored and processed within Snowflake
• You want simpler architecture with minimal dependencies
• Real-time access control and masking is required
• Teams prefer platform-native security and governance
• Cost control needs to be tightly integrated with compute usage

Choose External Governance Tools when:

• You have a multi-platform data ecosystem (Snowflake + others)
• Enterprise-wide data catalog and lineage is required
• Advanced compliance workflows (GDPR, HIPAA, etc.) are needed
• Centralized governance across multiple systems is a priority

---

6. Implementation

6.1 Setup

Create the required Snowflake environment for governance:

• Databases and schemas for secure data layers
• Warehouses for controlled compute usage
• Roles and access policies for RBAC
• Masking and row access policies for sensitive data

Example:

-- Create governance roles
CREATE ROLE DATA_ANALYST;
CREATE ROLE DATA_ENGINEER;
CREATE ROLE SECURITY_ADMIN;

-- Access roles
CREATE ROLE PII_ACCESS;
CREATE ROLE READ_ONLY;

-- Warehouse isolation
CREATE WAREHOUSE BI_WH;
CREATE WAREHOUSE ETL_WH;

External objects may include:

• Identity providers (Azure AD / Okta)
• Secret management systems (Key Vault, AWS Secrets Manager)
• Monitoring and alerting tools

6.2 Core Build Steps

• Design RBAC hierarchy
  • Create roles for different user groups
  • Assign least privilege access
• Apply access controls
  • Grant database, schema, and table-level permissions
  • Avoid direct user-level grants
• Implement data masking
  • Define masking policies for sensitive columns
  • Apply policies to tables
• Enable cost controls
  • Configure warehouse auto-suspend
  • Set up resource monitors

Example: RBAC Setup

GRANT USAGE ON DATABASE GOVERNANCE_DB TO ROLE ANALYST_ROLE;
GRANT USAGE ON SCHEMA GOVERNANCE_DB.SECURE_LAYER TO ROLE ANALYST_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA GOVERNANCE_DB.SECURE_LAYER TO ROLE ANALYST_ROLE;

Example: Tag-Based Governance (NEW – Critical)

-- Create classification tag
CREATE TAG data_classification;
-- Apply tag to sensitive column
ALTER TABLE CUSTOMERS MODIFY COLUMN EMAIL SET TAG data_classification = 'PII';

Example: Dynamic Masking Using Tags

CREATE MASKING POLICY pii_mask AS (val STRING)
RETURNS STRING ->
CASE 
    WHEN CURRENT_ROLE() IN ('PII_ACCESS') THEN val
    ELSE '****'
END;

ALTER TAG data_classification SET MASKING POLICY pii_mask;

Example: Masking Policy

CREATE MASKING POLICY email_mask AS (val STRING)
RETURNS STRING ->
CASE 
    WHEN CURRENT_ROLE() IN ('ADMIN_ROLE') THEN val
    ELSE '****@****.com'
END;

Apply masking:

ALTER TABLE CUSTOMERS MODIFY COLUMN EMAIL SET MASKING POLICY email_mask;

Example: Automation & Future Grants (NEW)

-- Automatically grant access to new tables
GRANT SELECT ON FUTURE TABLES IN SCHEMA GOVERNANCE_DB.SECURE_LAYER TO ROLE READ_ONLY;

Example: Cost Control (Resource Monitor)

ALTER SESSION SET QUERY_TAG = 'BI_DASHBOARD';
CREATE RESOURCE MONITOR team_budget
WITH CREDIT_QUOTA = 500;

6.3 Configuration Defaults

• Access strategy: Role-based access with least privilege
• Masking strategy: Column-level dynamic masking for PII data
• Warehouse usage: Auto-suspend enabled to minimize idle cost
• Monitoring: Query history and access logs enabled
• Error handling:
  • Audit failed queries
  • Track unauthorized access attempts
  • Monitor policy violations

---

7. Validation & Testing

7.1 Governance Validation

Access Control Validation (RBAC)

Ensure users and roles have the correct level of access.

SHOW GRANTS TO ROLE ANALYST_ROLE;

Validate that:

• Only required privileges are granted
• No excessive or unintended access exists

Unauthorized Access Check

Identify users accessing restricted objects.

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY
WHERE OBJECT_NAME = 'CUSTOMERS'
AND DIRECT_OBJECTS_ACCESSED IS NOT NULL;

Helps detect:

• Unauthorized access attempts
• Misconfigured roles

Masking Policy Validation

Ensure sensitive data is masked correctly for non-privileged roles.

SELECT EMAIL FROM CUSTOMERS;

Validate:

• Masked output for analysts
• Full visibility for admin roles

Unmasked Sensitive Data Check

Identify columns missing masking policies.

SELECT COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = 'CUSTOMERS'
AND COLUMN_NAME IN ('EMAIL', 'PHONE')
AND COLUMN_DEFAULT IS NULL;

Helps ensure:

• All sensitive fields are protected
• No accidental exposure of PII

Warehouse Usage & Cost Validation

Monitor warehouse usage to detect inefficiencies.

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
ORDER BY START_TIME DESC;

Helps identify:

• Long-running queries
• Idle warehouse costs

Resource Monitor Validation

Ensure cost limits are enforced.

SHOW RESOURCE MONITORS;

Validate:

• Credit limits are set
• Alerts are configured

7.2 Reconciliation

Periodically validate governance consistency across the platform:

• Compare role grants vs expected access model
• Validate masked vs unmasked data access across roles
• Reconcile warehouse usage with expected workloads
• Ensure audit logs align with user activity

Example: Compare role access consistency

SHOW GRANTS ON DATABASE GOVERNANCE_DB;

Governance Drift Detection (NEW)

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE GRANTED_ON = 'TABLE'
AND PRIVILEGE NOT IN ('SELECT');

Tag Coverage Validation (NEW)

SELECT COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = 'SECURE_LAYER'
AND COLUMN_NAME NOT IN (
    SELECT COLUMN_NAME FROM TAG_REFERENCES
);

---

8. Security & Access

Key Controls:

• RBAC enforcement
• Column-level masking
• Secure views
• Query auditing

Separation of Duties:

• Data Engineers → Build pipelines
• Security Team → Manage roles and policies
• Analysts → Consume curated data

---

9. Performance & Cost

9.1 Performance Considerations

• Use appropriate warehouse size
• Optimize queries
• Use result caching

9.2 Cost Drivers

• Warehouse compute time
• Query complexity
• Data scanning

9.3 Cost Controls

• Workload isolation:
  • ETL → Large warehouse
  • BI → Small warehouse
• Query tagging for cost attribution
• Department-level budgeting using resource monitors

---

10. Operations & Monitoring

10.1 What to Monitor

• Role changes
• Policy violations
• Cost spikes

10.2 Alerting

• Unauthorized access
• Budget threshold breach

10. Runbook (Top Issues)

• Issue: Governance drift (unexpected access)
  Run audit queries, compare with baseline roles, revoke unauthorized privileges.
• Issue: New tables missing masking
  Validate tag coverage; enforce tagging via automation.
• Issue: Sensitive data exposed via data sharing
  Use secure views instead of direct table sharing; validate masking in shares.
• Issue: Cost spike from BI workloads
  Check query tags, isolate workloads, resize warehouse.

---

11. Common Pitfalls

• Relying only on RBAC (missing tag-based governance)
• Manual role and grant management
• Not automating governance for new objects
• Ignoring identity provider integration
• Weak cost attribution (no query tagging)

---

12. Variations / Use Cases

• Multi-tenant data platforms
• Self-service BI environments
• Regulated industries (Finance, Healthcare)
• Data sharing across teams

---

13. Next Steps

• Implement tag-based data classification strategy
• Automate RBAC and masking using future grants + policies
• Integrate Snowflake with enterprise identity provider (Azure AD/Okta)
• Build governance dashboards for access, masking, and cost monitoring
• Establish CI/CD pipelines for governance deployment

---

14. Appendix

Full Scripts

1. Sample Table Setup

CREATE OR REPLACE TABLE CUSTOMERS (
    customer_id STRING,
    customer_name STRING,
    email STRING,
    phone STRING, 
    created_at TIMESTAMP
);

2. RBAC Role Setup

CREATE ROLE ANALYST_ROLE;
CREATE ROLE ENGINEER_ROLE;
CREATE ROLE ADMIN_ROLE;

-- Role hierarchy
GRANT ROLE ANALYST_ROLE TO ROLE ENGINEER_ROLE;
GRANT ROLE ENGINEER_ROLE TO ROLE ADMIN_ROLE;

-- Grant access
GRANT USAGE ON DATABASE GOVERNANCE_DB TO ROLE ANALYST_ROLE;
GRANT USAGE ON SCHEMA GOVERNANCE_DB.SECURE_LAYER TO ROLE ANALYST_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA GOVERNANCE_DB.SECURE_LAYER TO ROLE ANALYST_ROLE;

3. Masking Policy Example

CREATE MASKING POLICY email_mask AS (val STRING)
RETURNS STRING ->
CASE 
    WHEN CURRENT_ROLE() IN ('ADMIN_ROLE') THEN val
    ELSE '****@****.com'
END;

Apply masking:

ALTER TABLE CUSTOMERS MODIFY COLUMN EMAIL SET MASKING POLICY email_mask;

4. Row-Level Security (Optional)

CREATE ROW ACCESS POLICY region_policy AS (region STRING)
RETURNS BOOLEAN ->
CURRENT_ROLE() IN ('ADMIN_ROLE')
OR region = CURRENT_ROLE();

Config Samples

1. Warehouse Configuration

CREATE WAREHOUSE GOVERNANCE_WH
WITH WAREHOUSE_SIZE = 'SMALL'
    AUTO_SUSPEND = 60
    AUTO_RESUME = TRUE;

2. Resource Monitor (Cost Control)

CREATE RESOURCE MONITOR gov_monitor
WITH CREDIT_QUOTA = 100;
ALTER WAREHOUSE GOVERNANCE_WH
SET RESOURCE_MONITOR = gov_monitor;

3. Access Monitoring Query

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY
ORDER BY EVENT_TIMESTAMP DESC;

4. Cost Monitoring Query

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
ORDER BY START_TIME DESC;

5. Error Handling Pattern

• Use secure views to restrict direct table access
• Log unauthorized access attempts using audit tables
• Monitor failed queries and permission errors
• Enable alerting for cost spikes and access violations

Glossary

Term	Definition
RBAC	Role-Based Access Control used to manage permissions
Masking Policy	Dynamic data masking to protect sensitive data
Row Access Policy	Restricts data access at row level
Resource Monitor	Controls and tracks Snowflake credit usage
Warehouse	Compute resource used to execute queries
Secure View	View that enforces additional security constraints
ACCOUNT_USAGE	Snowflake schema for monitoring usage and access
Least Privilege	Granting only the minimum required access
Data Governance	Framework for managing data security, access, and compliance