SnowDDL

ROW ACCESS POLICY

Config path: /<database>/<schema>/row_access_policy/<name>.yaml

Example:

arguments:
  status: VARCHAR(255)

body: |-
  status = 'Active'

references:
  - object_type: TABLE
    object_name: test_table_2
    columns: [status]

Schema

  • arguments (dict)

    • {key} (ident) - argument name

    • {value} (str) - argument data type

  • body (str) - policy SQL expression

  • references (dict)

    • object_type (str) - reference object type (e.g. TABLE, EXTERNAL_TABLE)

    • object_name (ident) - reference object name

    • columns (list)

      • {items} (ident) - reference column names

  • comment (str)

Usage notes

  1. Row access policies always return BOOLEAN.

  2. Snowflake documentation is incorrect. It is only possible to have one row access policy per object.

  3. If the arguments of a policy are changed, all references are dropped, the policy is re-created from scratch, and all references are then restored. Likewise, when other objects are re-created, they initially lack policy references. In such cases business users might be able to access objects without the protection of the policy. This cannot be avoided because Snowflake fundamentally lacks transaction support for DDL queries. Consider scheduling weekly "safe maintenance" time slots to apply DDL while business users cannot access the Snowflake account.
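
Usage note 3 means an object can be left without its policy if a run stops between the drop and the restore. The following check is an added example, not part of SnowDDL or its documentation. It compares the references expected from config with rows shaped like the output of Snowflake's POLICY_REFERENCES table function. The policy name TEST_POLICY, the table test_table_3, the function name and all sample rows are constructed, and unquoted (upper-cased) identifiers are assumed.

```python
import json

# Constructed sample: expected references per policy, shaped like the
# "references" block of the YAML example. Policy name is hypothetical.
EXPECTED = {
    "TEST_POLICY": [
        {"object_type": "TABLE", "object_name": "test_table_2", "columns": ["status"]},
        {"object_type": "TABLE", "object_name": "test_table_3", "columns": ["status"]},
    ],
}

# Constructed sample rows using column names from POLICY_REFERENCES output.
# In practice these rows come from querying that table function.
ACTUAL_ROWS = [
    {"POLICY_NAME": "TEST_POLICY", "POLICY_KIND": "ROW_ACCESS_POLICY",
     "REF_ENTITY_DOMAIN": "TABLE", "REF_ENTITY_NAME": "TEST_TABLE_2",
     "REF_ARG_COLUMN_NAMES": '[ "STATUS" ]'},
]

def audit_references(expected, actual_rows):
    """Return (status, object_name) findings for missing or differing policies."""
    attached = {}
    for row in actual_rows:
        if row["POLICY_KIND"] != "ROW_ACCESS_POLICY":
            continue  # masking and other policy kinds are out of scope here
        key = (row["REF_ENTITY_DOMAIN"].upper(), row["REF_ENTITY_NAME"].upper())
        cols = [c.upper() for c in json.loads(row["REF_ARG_COLUMN_NAMES"] or "[]")]
        # One row access policy per object, so a plain dict is sufficient.
        attached[key] = (row["POLICY_NAME"].upper(), cols)
    findings = []
    for policy, refs in expected.items():
        for ref in refs:
            # Assumption: identifiers are unquoted, so Snowflake upper-cases them.
            key = (ref["object_type"].upper(), ref["object_name"].upper())
            want = (policy.upper(), [c.upper() for c in ref["columns"]])
            got = attached.get(key)
            if got is None:
                findings.append(("UNPROTECTED", key[1]))  # no policy attached
            elif got != want:
                findings.append(("MISMATCH", key[1]))  # wrong policy or columns
    return findings

if __name__ == "__main__":
    for status, name in audit_references(EXPECTED, ACTUAL_ROWS):
        print(f"{status}: {name}")
```

Running it after each apply, and treating any finding as a failed deployment, turns the exposure described in usage note 3 into something that is detected rather than assumed away.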

Management of row access policies requires an active warehouse due to unavoidable POLICY_REFERENCES table function calls.

The references parameter is deprecated since 0.33.0. Use policy reference parameters directly in TABLE or VIEW configs instead.

Links

  • CREATE ROW ACCESS POLICY

  • SHOW ROW ACCESS POLICIES

  • DESC ROW ACCESS POLICY

  • Parser & JSON Schema (GitHub)