Skip to main content

Snowflake proof types and permissions

Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.

When you create a Hypersync between Hyperproof and Snowflake, you can automatically collect proof based on the following services:

  • List of Users

  • List of Users and Roles

    Note

    ACCOUNT_ADMIN permission is required for this proof type to access the ACCOUNT_USAGE schema.

    If the service account has many roles, the default account role must be changed to one with the ACCOUNT_ADMIN permission in the Snowflake web console.

  • Get View

  • Time Travel Configuration by Database

  • Time Travel Configuration for Databases

Note

When you configure the Hypersync, don't use the full URL for your Snowflake account in the Account Identifier field. Instead, use your Snowflake instance name. Using the full URL generates a Bad Request error.

For example, if your Snowflake URL is https://megatech-1234.snowflakecomputing.com use megatech-1234 as your account identifier.

Additional documentation

Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.

Configuring the Snowflake Hypersync

Before setting up a Snowflake Hypersync, key pairs must be generated and assigned to a Snowflake user. A Snowflake admin with the following abilities can do this.

  • ACCOUNTADMIN permission

  • familiarity with running commands in Snowflake

  • OPENSSL available to generate key pairs

Configuring a limited access service account in Snowflake

It's recommended to create a service account user (e.g. HYPERPROOFCLIENT) that’s dedicated for use by the Hypersync so that it exists independently of a named person in your organization.

For explicit instructions on how to generate key pairs and assign them to a user, please refer to the official Snowflake documentation. See the note and tip below for additional information.

Note

In step 1 of the Snowflake documentation, generate an UNENCRYPTED private key. This private key, including -----BEGIN PRIVATE KEY----- all the way to and including -----END PRIVATE KEY-----, will be pasted into the Hypersync’s credentials.

Tip

Snowflake allows a user to have up to two (2) public keys to accommodate key rotation.

How to configure a limited access service account

  1. In Snowflake, navigate to Admin > Users & Roles. Create a new role called HYPERPROOFREADER.

  2. If using the 'List of Users' proof type, grant the SECURITYADMIN role to HYPERPROOFREADER. If you are not using this proof type, you can skip this step.

  3. For the other proof types, grant the following privileges to HYPERPROOFREADER:

    • Get View

      • USAGE on the database or databases containing the view or views on which you want to report

      • USAGE on the schemas that contain the view or views on which you want to report

      • SELECT on the view or views on which you want to report

    • Time Travel Configuration by Database

      • USAGE on the databases on which you want to report

      • USAGE on the schemas within those databases

    • Time Travel Configuration for Databases

      • USAGE on the databases on which you want to report

  4. Create a new user called HYPERPOOFCLIENT and assign that user the role of HYPERPROOFREADER.

    Tip

    Be sure HYPERPROOFCLIENT is assigned to a default warehouse and a default namespace.

Refer to Snowflake's Overview of Access Control documentation for more information.

Get View proof type

The Get View proof type allows you to retrieve views, reports, or queries that must be configured in the source app, i.e. Snowflake. This provides more flexibility with the information returned in the proof. For more information, refer to the official Snowflake documentation.