Astrato supports security integration with Snowflake; this allows customers to use their existing authentication and authorization configuration, including roles, as they have applied them to their Snowflake platform.
Organizations using an Okta integration for Single Sign-On (SSO) with Snowflake can enable Enterprise Authentication so that each user of Astrato is individually identified in Snowflake and served only the content they are permitted to see.
Within a single Astrato dashboard or workbook, the permissions and access rules defined by your security protocols apply to:
table or view levels
individual rows or columns
data masking for specific users (e.g. linked to geographic restrictions)
length of time Astrato caches a user's credentials.
All these features work with the identity provider (IdP) that you’ve set up, so that a single workbook in Astrato shows a different set of data for each user.
Using Snowflake's row-level permissions and data masking in Astrato
Row-level permissions in Snowflake allow customers to restrict the rows in a table to specific users. Once security integration is configured between Astrato and Snowflake, no further permission setup is required in Astrato workbooks.
All queries sent from Astrato automatically pass through the permissions configured in Snowflake, and those permissions are applied to the results.
In the diagram in Example 1, Jeremy can only see Europe’s sales data and Olivia can only see North America’s data based on the permissions configured in Snowflake.
Example 1 - Row-level security using SSO
In addition to row-level permissions, data masking can be applied in Snowflake based on the user's permissions.
In Example 2, Angelika and Peter have access to the same HR dashboard created in a single workbook in Astrato, but Peter isn't allowed to see personal data.
Example 2 - Data masking using SSO in Snowflake applied to a dashboard in Astrato.
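The Snowflake-side policies behind Example 1 and Example 2 could look like the following. This is an added example, not taken from Astrato or from the original page; the table, column, role and policy names (sales, employees, SALES_EU, SALES_NA, HR_FULL and so on) are assumptions chosen to match the scenarios above.

```sql
-- Added example: all table, role and policy names are assumptions (constructed).
-- Example 1: row-level security. A mapping table ties roles to regions.
CREATE OR REPLACE TABLE sales (region STRING, amount NUMBER(12,2));
INSERT INTO sales VALUES ('Europe', 1200.00), ('North America', 3400.00);

CREATE OR REPLACE TABLE region_access (role_name STRING, region STRING);
INSERT INTO region_access VALUES
  ('SALES_EU', 'Europe'),          -- e.g. Jeremy's role
  ('SALES_NA', 'North America');   -- e.g. Olivia's role

-- A row is visible only if the session's current role is mapped to its region.
CREATE OR REPLACE ROW ACCESS POLICY sales_region_policy
  AS (row_region STRING) RETURNS BOOLEAN ->
    EXISTS (
      SELECT 1
      FROM region_access a
      WHERE a.role_name = CURRENT_ROLE()
        AND a.region = row_region
    );

ALTER TABLE sales ADD ROW ACCESS POLICY sales_region_policy ON (region);

-- Example 2: data masking. Only sessions holding HR_FULL see the raw value.
CREATE OR REPLACE TABLE employees (name STRING, department STRING, home_address STRING);

CREATE OR REPLACE MASKING POLICY mask_personal_data
  AS (val STRING) RETURNS STRING ->
    CASE
      WHEN IS_ROLE_IN_SESSION('HR_FULL') THEN val   -- e.g. Angelika's role
      ELSE '***MASKED***'                           -- e.g. Peter's role
    END;

ALTER TABLE employees MODIFY COLUMN home_address
  SET MASKING POLICY mask_personal_data;

-- Check: the same query returns different results per role.
-- (Assumes the roles exist and hold SELECT on both tables.)
USE ROLE SALES_EU;
SELECT region, amount FROM sales;        -- only the 'Europe' row
```

Because the row policy keys on CURRENT_ROLE(), it separates users only when each Astrato user reaches Snowflake under their own identity and role; a shared service account would give every viewer the same rows. The policy also applies to the table owner, so a role with no entry in region_access sees no rows at all.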
Creating access integration in Snowflake for Astrato
Connect to your Snowflake tenant.
On a worksheet in Snowflake, run a query to create an OAuth connection that pulls in your client ID and client secret.
The remaining steps are the same as for setting up Enterprise Authentication in Astrato.