Config path: /<database>/<schema>/row_access_policy/<name>.yaml


  status: VARCHAR(255)

body: |-
  status = 'Active'

  - object_type: TABLE
    object_name: test_table_2
    columns: [status]


  • arguments (dict)

    • {key} (ident) - argument name

    • {value} (str) - argument data type

  • body (str) - policy SQL expression

  • references (dict)

    • object_type (str) - reference object type (e.g. TABLE, EXTERNAL_TABLE)

    • object_name (ident) - reference object name

    • columns (list)

      • {items} (ident) - reference column names

  • comment (str)

Usage notes

  1. Management of row access policies requires active warehouse due to unavoidable POLICY_REFERENCES table function calls.

  2. Row access policies always return BOOLEAN.

  3. Snowflake documentation is incorrect. It is only possible to have one row access policy per object.

  4. If arguments of policy was changed, all references will be dropped, policy will be re-created from scratch, and all references will be restored. Also, when other objects are being re-created, such objects will initially lack policy references. Business users might be able to access objects without protection of policy in such case. There is no way to avoid it due to fundamental lack of transaction support for DDL queries in Snowflake. You may consider having weekly "safe maintenance" time slots to apply DDL when business users won't be able to access Snowflake account.

Last updated