Home Database Security: RBAC, Network Policies, Authentication, and Data Masking
Advanced 3 min · July 17, 2026

Security: RBAC, Network Policies, Authentication, and Data Masking

Master Snowflake security with RBAC, network policies, authentication, and dynamic data masking.

N
Naren Founder & Principal Engineer

20+ years shipping high-throughput database systems. Written from production experience, not tutorials.

Follow
Production
production tested
July 17, 2026
last updated
2,439
articles · all by Naren
Before you start⏱ 20-25 min read
  • Basic understanding of SQL (SELECT, GRANT, CREATE).
  • A Snowflake account with ACCOUNTADMIN access.
  • Familiarity with cloud security concepts (IP addresses, authentication).
 ● Production Incident 🔎 Debug Guide ⚙ Triage Commands
Quick Answer
  • RBAC uses roles and privileges to control access.
  • Network policies restrict access by IP address.
  • Authentication options include SSO, MFA, and key-pair auth.
  • Dynamic data masking hides sensitive data at query time.
  • Always follow least privilege principle.
✦ Definition~90s read
What is Security?

Snowflake security is a multi-layered framework that uses RBAC, network policies, authentication methods, and data masking to protect your data warehouse.

Think of Snowflake as a high-security office building.
Plain-English First

Think of Snowflake as a high-security office building. RBAC is like assigning badges (roles) that let you enter certain floors. Network policies are like a guest list at the entrance—only allowed IPs can enter. Authentication is showing your ID (password, SSO, or key). Data masking is like a privacy screen on your laptop—some data appears blurred unless you have special clearance.

In today's data-driven world, securing your cloud data warehouse is paramount. Snowflake offers a robust security model that includes role-based access control (RBAC), network policies, multiple authentication methods, and dynamic data masking. Whether you're a data engineer, DBA, or security architect, understanding these features is essential to protect sensitive data from unauthorized access and comply with regulations like GDPR, HIPAA, or SOC 2.

Imagine you're building a multi-tenant analytics platform. You need to ensure that each customer can only see their own data, that only trusted IP addresses can connect, and that passwords are never exposed. Snowflake's security features let you implement these requirements with minimal overhead.

In this tutorial, you'll learn how to create roles and grant privileges, set up network policies to whitelist IP ranges, configure authentication methods including SSO and key-pair authentication, and apply dynamic data masking to obfuscate sensitive columns. We'll walk through production-ready examples and share real-world incidents that highlight common pitfalls. By the end, you'll be equipped to design a secure Snowflake environment that scales with your organization.

Understanding RBAC in Snowflake

Role-Based Access Control (RBAC) is the foundation of Snowflake's security model. Instead of granting privileges directly to users, you create roles, assign privileges to those roles, and then grant the roles to users. This simplifies management and enforces least privilege.

Snowflake has a hierarchy of system-defined roles: ORGADMIN, ACCOUNTADMIN, SECURITYADMIN, USERADMIN, SYSADMIN, and PUBLIC. You can also create custom roles. Roles can be granted to other roles, forming a hierarchy where a role inherits privileges from its parent roles.

Let's create a custom role for a data analyst that can only read from a specific schema.

rbac_setup.sqlSQL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
-- Create a custom role
CREATE ROLE analyst_role;

-- Grant usage on the database and schema
GRANT USAGE ON DATABASE sales_db TO ROLE analyst_role;
GRANT USAGE ON SCHEMA sales_db.public TO ROLE analyst_role;

-- Grant SELECT on all tables in the schema
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.public TO ROLE analyst_role;

-- Grant the role to a user
GRANT ROLE analyst_role TO USER jane_doe;

-- Verify grants
SHOW GRANTS TO ROLE analyst_role;
Output
| privilege | object_name | grantee |
|-----------|-------------|---------------|
| USAGE | sales_db | ANALYST_ROLE |
| USAGE | sales_db.public | ANALYST_ROLE |
| SELECT | sales_db.public.TABLE1 | ANALYST_ROLE |
| SELECT | sales_db.public.TABLE2 | ANALYST_ROLE |
💡Best Practice: Use Role Hierarchy
📊 Production Insight
In production, avoid granting OWNERSHIP on schemas to custom roles. Ownership cascades and can lead to unintended privilege escalation. Use MANAGE GRANTS for administrative tasks instead.
🎯 Key Takeaway
RBAC centralizes permission management. Always grant privileges to roles, not users, and use role hierarchies to reduce duplication.

Configuring Network Policies

Network policies allow you to restrict access to your Snowflake account based on IP addresses. This is crucial for preventing unauthorized access from outside your corporate network.

You can create a network policy that specifies allowed IP lists and blocked IP lists. The policy can be applied at the account level or to individual users. When applied to a user, it overrides the account-level policy.

Let's create a network policy that only allows access from a specific IP range and blocks a known malicious IP.

network_policy.sqlSQL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
-- Create a network policy
CREATE NETWORK POLICY corporate_policy
  ALLOWED_IP_LIST = ('192.168.1.0/24', '10.0.0.0/8')
  BLOCKED_IP_LIST = ('203.0.113.5');

-- Set the policy at the account level
ALTER ACCOUNT SET NETWORK_POLICY = corporate_policy;

-- Or set it for a specific user (overrides account policy)
ALTER USER jane_doe SET NETWORK_POLICY = corporate_policy;

-- View current network policies
SHOW NETWORK POLICIES;

-- Describe a policy
DESCRIBE NETWORK POLICY corporate_policy;
Output
| name | allowed_ip_list | blocked_ip_list | comment |
|------------------|------------------------------|-----------------|---------|
| CORPORATE_POLICY | 192.168.1.0/24, 10.0.0.0/8 | 203.0.113.5 | |
⚠ Don't Lock Yourself Out
📊 Production Insight
In production, combine network policies with VPN or VPC peering. For users who need access from dynamic IPs, consider using a bastion host or a VPN with a static IP.
🎯 Key Takeaway
Network policies add a critical layer of defense. Use them to restrict access to trusted IP ranges and block known bad actors.

Authentication Methods: SSO, MFA, and Key-Pair

Snowflake supports multiple authentication methods: password, SAML SSO, OAuth, and key-pair authentication. For production, you should enforce strong authentication like SSO with MFA or key-pair authentication for service accounts.

SAML SSO integrates with identity providers like Okta or Azure AD. Key-pair authentication uses RSA keys and is ideal for automated processes. Let's configure key-pair authentication for a service user.

keypair_auth.sqlSQL
1
2
3
4
5
6
7
8
9
10
11
12
13
-- Generate RSA key pair (outside Snowflake, e.g., openssl)
-- openssl genrsa -out private_key.pem 2048
-- openssl rsa -in private_key.pem -pubout -out public_key.pem

-- Set the public key for a user
ALTER USER service_user SET RSA_PUBLIC_KEY='MIIBCgKCAQEA...';

-- Verify the key fingerprint
DESCRIBE USER service_user;

-- To use the key, configure the Snowflake client with the private key
-- Example with SnowSQL:
-- snowsql -a account -u service_user --private-key-path private_key.pem
Output
| name | rsa_public_key_fp |
|--------------|-------------------|
| SERVICE_USER | SHA256:... |
🔥MFA for Interactive Users
📊 Production Insight
Rotate keys regularly. For key-pair auth, you can set a second public key to enable zero-downtime rotation: ALTER USER ... SET RSA_PUBLIC_KEY_2='...'.
🎯 Key Takeaway
Choose authentication based on use case: SSO with MFA for humans, key-pair for services. Avoid long-lived passwords.

Implementing Dynamic Data Masking

Dynamic Data Masking (DDM) allows you to obfuscate sensitive data at query time based on the user's role. The underlying data remains unchanged, but the masked values are returned to unauthorized users.

You create a masking policy that defines conditions (e.g., role) and the masking function. Then you apply the policy to a column. Let's mask the email column for non-admin users.

data_masking.sqlSQL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
-- Create a masking policy that shows full email only to admin roles
CREATE MASKING POLICY email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('ACCOUNTADMIN', 'SECURITYADMIN') THEN val
    ELSE REGEXP_REPLACE(val, '.@', '****@')
  END;

-- Apply the policy to the email column in the customers table
ALTER TABLE customers MODIFY COLUMN email SET MASKING POLICY email_mask;

-- Test as a non-admin user
SELECT email FROM customers LIMIT 1;
-- Output: ****@example.com

-- Test as admin
SELECT email FROM customers LIMIT 1;
-- Output: john.doe@example.com
Output
For non-admin: '****@example.com'
For admin: 'john.doe@example.com'
💡Use Conditional Masking
📊 Production Insight
Be careful with performance: masking functions are evaluated for every row. For large tables, consider using materialized views with pre-masked data or row access policies for more efficient filtering.
🎯 Key Takeaway
DDM protects sensitive data without altering the source. Use it to comply with data privacy regulations while maintaining usability for authorized users.

Best Practices for Secure Snowflake Deployments

Beyond the basics, here are key best practices: 1. Least Privilege: Grant only necessary privileges. Regularly audit with SHOW GRANTS. 2. Separation of Duties: Use different roles for admin, security, and data access. 3. Network Security: Use network policies and VPC peering. Enable MFA for all human users. 4. Data Protection: Use DDM and row access policies. Encrypt data at rest and in transit (default). 5. Audit Logging: Enable account usage and query history. Monitor for suspicious activity. 6. Automated Compliance: Use Snowflake's built-in compliance features like object tagging and access history.

Let's set up a simple audit query to see who accessed sensitive tables.

audit_query.sqlSQL
1
2
3
4
5
6
-- View query history for sensitive tables
SELECT query_text, user_name, role_name, start_time
FROM snowflake.account_usage.query_history
WHERE query_text ILIKE '%customers%'
ORDER BY start_time DESC
LIMIT 10;
Output
| query_text | user_name | role_name | start_time |
|-------------------------------------------------|-----------|----------------|---------------------|
| SELECT * FROM customers WHERE email = '...' | JANE_DOE | ANALYST_ROLE | 2025-03-15 10:30:00 |
| SELECT COUNT(*) FROM customers | JOHN_SMITH| ACCOUNTADMIN | 2025-03-15 09:15:00 |
⚠ Don't Forget Object-Level Security
📊 Production Insight
Use Snowflake's ACCESS_HISTORY view to track which users accessed which columns. This helps in forensic analysis and compliance reporting.
🎯 Key Takeaway
Security is a continuous process. Implement monitoring, regular audits, and automated compliance checks.

Troubleshooting Common Security Issues

Even with careful planning, issues arise. Here are common problems and solutions: - User cannot see a table: Check if the user's role has USAGE on the database and schema, and SELECT on the table. Use SHOW GRANTS TO ROLE <role>. - Network policy blocking legitimate users: Verify the allowed IP list. Remember that IPv4 and IPv6 are separate. - Key-pair authentication fails: Ensure the public key is correctly set and the private key is in PEM format. Check the fingerprint. - Data masking not applied: Confirm the masking policy is attached to the column and the user's role does not satisfy the condition.

Let's debug a scenario where a user cannot see a table.

debug_privileges.sqlSQL
1
2
3
4
5
6
7
8
9
10
11
-- Check user's roles
SHOW ROLES FOR USER jane_doe;

-- Check grants on the table
SHOW GRANTS ON TABLE sales_db.public.orders;

-- Check if the role has the necessary privileges
SHOW GRANTS TO ROLE analyst_role;

-- If missing, grant
GRANT SELECT ON TABLE sales_db.public.orders TO ROLE analyst_role;
Output
| role |
|---------------|
| ANALYST_ROLE |
| PUBLIC |
| privilege | object_name | grantee |
|-----------|-------------|---------------|
| SELECT | orders | ANALYST_ROLE |
🔥Use INFORMATION_SCHEMA
📊 Production Insight
Automate privilege checks in your CI/CD pipeline. For example, run a script that verifies that no role has excessive privileges after deployment.
🎯 Key Takeaway
Systematic debugging: check user roles, object grants, and network policies. Use SHOW commands and INFORMATION_SCHEMA views.
● Production incidentPOST-MORTEMseverity: high

The Overly Permissive Role That Exposed Customer Data

Symptom
Users from different tenants could see each other's data in shared dashboards.
Assumption
The developer assumed that granting SELECT on a schema would only apply to future tables, not existing ones.
Root cause
The role had been granted ownership on the schema, which cascaded privileges to all tables, including those containing sensitive data.
Fix
Revoked excessive privileges, implemented row-level security using secure views, and enforced least privilege with custom roles.
Key lesson
  • Always use the principle of least privilege: grant only necessary permissions.
  • Regularly audit role grants and ownership.
  • Use secure views or row access policies to isolate tenant data.
  • Avoid granting ownership on schemas to non-admin roles.
  • Implement automated checks in CI/CD to prevent privilege escalation.
Production debug guideSymptom to Action4 entries
Symptom · 01
User gets 'Insufficient privileges' error
Fix
Check the user's roles and granted privileges using SHOW GRANTS TO USER <username>; and verify role hierarchy.
Symptom · 02
Connection refused from certain IPs
Fix
Review network policies with SHOW NETWORK POLICIES; and DESCRIBE NETWORK POLICY <name>; to see allowed IP lists.
Symptom · 03
Authentication fails with key-pair
Fix
Verify the public key fingerprint in Snowflake matches the private key using ALTER USER <user> SET RSA_PUBLIC_KEY_FP = '<fingerprint>';.
Symptom · 04
Masked data appears unmasked
Fix
Check the masking policy's conditions and the user's role using SHOW MASKING POLICIES; and DESCRIBE MASKING POLICY <name>;.
★ Quick Debug Cheat SheetCommon security issues and immediate actions.
Insufficient privileges
Immediate action
Check role grants
Commands
SHOW GRANTS TO USER <username>;
SHOW GRANTS OF ROLE <rolename>;
Fix now
Grant the missing privilege using GRANT <privilege> ON <object> TO ROLE <role>;
Connection blocked by network policy+
Immediate action
Check network policy
Commands
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY <name>;
Fix now
Add your IP to the allowed list: ALTER NETWORK POLICY <name> SET ALLOWED_IP_LIST = ('<ip>');
Key-pair auth failing+
Immediate action
Verify public key
Commands
DESCRIBE USER <username>;
SELECT * FROM TABLE(INFORMATION_SCHEMA.USERS) WHERE NAME='<username>';
Fix now
Set the correct public key: ALTER USER <user> SET RSA_PUBLIC_KEY='<key>';
Data masking not applied+
Immediate action
Check masking policy
Commands
SHOW MASKING POLICIES;
DESCRIBE MASKING POLICY <name>;
Fix now
Ensure the policy is attached to the column: ALTER TABLE <table> MODIFY COLUMN <col> SET MASKING POLICY <policy>;
FeaturePurposeGranularityPerformance Impact
RBACAccess controlObject-levelLow
Network PoliciesIP restrictionAccount/user-levelNone
AuthenticationIdentity verificationUser-levelNone
Data MaskingData obfuscationColumn-levelModerate (per-row function)
Row Access PoliciesRow filteringRow-levelModerate (per-row filter)
⚙ Quick Reference
6 commands from this guide
FileCommand / CodePurpose
rbac_setup.sqlCREATE ROLE analyst_role;Understanding RBAC in Snowflake
network_policy.sqlCREATE NETWORK POLICY corporate_policyConfiguring Network Policies
keypair_auth.sqlALTER USER service_user SET RSA_PUBLIC_KEY='MIIBCgKCAQEA...';Authentication Methods
data_masking.sqlCREATE MASKING POLICY email_mask AS (val STRING) RETURNS STRING ->Implementing Dynamic Data Masking
audit_query.sqlSELECT query_text, user_name, role_name, start_timeBest Practices for Secure Snowflake Deployments
debug_privileges.sqlSHOW ROLES FOR USER jane_doe;Troubleshooting Common Security Issues

Key takeaways

1
Implement RBAC with custom roles and role hierarchies to enforce least privilege.
2
Use network policies to restrict access by IP and combine with VPN for extra security.
3
Choose authentication methods based on use case
SSO with MFA for humans, key-pair for services.
4
Apply dynamic data masking to protect sensitive data at query time without altering the source.
5
Regularly audit privileges and access history to detect and remediate security issues.

Common mistakes to avoid

5 patterns
×

Granting OWNERSHIP on a schema to a custom role.

×

Applying a network policy without including your current IP.

×

Using the same role for both human users and service accounts.

×

Forgetting to grant USAGE on the database and schema before granting SELECT on tables.

×

Assuming masking policies hide column metadata.

INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01SENIOR
Explain how RBAC works in Snowflake and how you would set up a role for ...
Q02JUNIOR
How do you configure a network policy to allow only a specific IP range?
Q03SENIOR
What is dynamic data masking and how would you implement it to hide emai...
Q04SENIOR
Describe a scenario where key-pair authentication is preferred over SSO.
Q05SENIOR
How would you audit which users accessed sensitive data in Snowflake?
Q01 of 05SENIOR

Explain how RBAC works in Snowflake and how you would set up a role for a data analyst.

ANSWER
RBAC uses roles to manage privileges. Create a role, grant USAGE on database and schema, grant SELECT on tables, then grant the role to the user. Use role hierarchy to simplify.
FAQ · 5 QUESTIONS

Frequently Asked Questions

01
What is the difference between a role and a user in Snowflake?
02
Can I apply multiple masking policies to the same column?
03
How do I revoke a network policy from a user?
04
Is key-pair authentication more secure than password?
05
Can I use row-level security in Snowflake?
N
Naren Founder & Principal Engineer

20+ years shipping high-throughput database systems. Written from production experience, not tutorials.

Follow
Verified
production tested
July 17, 2026
last updated
2,439
articles · all by Naren
🔥

That's Snowflake. Mark it forged?

3 min read · try the examples if you haven't

Previous
Data Sharing, Listings, and the Marketplace
10 / 33 · Snowflake
Next
Query Optimization: Clustering Keys, Search Optimization, and Profiling