Snowflake proof types and permissions
Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
When you create a Hypersync between Hyperproof and Snowflake, you can automatically collect the following proof types:
List of Users
Get View
Time Travel Configuration by Database
Time Travel Configuration for Databases
Snowflake notes on proof types
List of Users and Roles
Note
ACCOUNT_ADMIN permission is required for this proof type to access the ACCOUNT_USAGE schema. If the service account has many roles, the default account role must be changed to one with the ACCOUNT_ADMIN permission in the Snowflake web console.
Get View proof type
The Get View proof type allows you to retrieve views, reports, or queries that must be configured in the source app, i.e. Snowflake. This provides more flexibility with the information returned in the proof. For more information, refer to the official Snowflake documentation.
Additional documentation
Connecting to Snowflake
Note
When you configure the Hypersync, don't use the full URL for your Snowflake account in the Account Identifier field. Instead, use your Snowflake instance name. Using the full URL generates a Bad Request error.
For example, if your Snowflake URL is https://megatech-1234.snowflakecomputing.com, use megatech-1234 as your account identifier.
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need.
Additionally, you can create multiple Hypersyncs for a single control or label.
Configuring the Hypersync for Snowflake
Before setting up a Snowflake Hypersync, key pairs must be generated and assigned to a Snowflake user. A Snowflake admin with the following abilities can do this:
ACCOUNTADMIN permission
Familiarity with running commands in Snowflake
OPENSSL available to generate key pairs
Configuring a limited access service account in Snowflake
It's recommended to create a service account user (e.g. HYPERPROOFCLIENT) that’s dedicated for use by the Hypersync so that it exists independently of a named person in your organization.
For explicit instructions on how to generate key pairs and assign them to a user, please refer to the official Snowflake documentation. See the note and tip below for additional information.
Note
In step 1 of the Snowflake documentation, generate an UNENCRYPTED private key. This private key, including -----BEGIN PRIVATE KEY----- all the way to and including -----END PRIVATE KEY-----, will be pasted into the Hypersync’s credentials.
Tip
Snowflake allows a user to have up to two (2) public keys to accommodate key rotation.
To configure a limited access service account:
In Snowflake, navigate to Admin > Users & Roles. Create a new role called HYPERPROOFREADER.
If using the 'List of Users' proof type, grant the SECURITYADMIN role to HYPERPROOFREADER. If you are not using this proof type, you can skip this step.
For the other proof types, grant the following privileges to HYPERPROOFREADER:
  Get View
    USAGE on the database or databases containing the view or views on which you want to report
    USAGE on the schemas that contain the view or views on which you want to report
    SELECT on the view or views on which you want to report
  Time Travel Configuration by Database
    USAGE on the databases on which you want to report
    USAGE on the schemas within those databases
  Time Travel Configuration for Databases
    USAGE on the databases on which you want to report
Create a new user called HYPERPROOFCLIENT and assign that user the role of HYPERPROOFREADER.
Tip
Be sure HYPERPROOFCLIENT is assigned to a default warehouse and a default namespace.
Refer to Snowflake's Overview of Access Control documentation for more information.
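The steps above can also be run as SQL in a Snowflake worksheet. The script below is an added example, not part of the Hyperproof documentation. The database EVIDENCE_DB, schema REPORTING, view ACCESS_REVIEW_V, and warehouse COMPLIANCE_WH are hypothetical names, and the public key values are placeholders. It ends with checks that show exactly what the service account can reach.

```sql
-- Added example. EVIDENCE_DB, REPORTING, ACCESS_REVIEW_V and COMPLIANCE_WH
-- are hypothetical names; substitute your own objects.
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS HYPERPROOFREADER;

-- Only for the 'List of Users' proof type; leave this out otherwise.
GRANT ROLE SECURITYADMIN TO ROLE HYPERPROOFREADER;

-- Get View: USAGE on the database and schema, SELECT on the view itself.
GRANT USAGE ON DATABASE EVIDENCE_DB TO ROLE HYPERPROOFREADER;
GRANT USAGE ON SCHEMA EVIDENCE_DB.REPORTING TO ROLE HYPERPROOFREADER;
GRANT SELECT ON VIEW EVIDENCE_DB.REPORTING.ACCESS_REVIEW_V
  TO ROLE HYPERPROOFREADER;

-- Time Travel Configuration by Database: USAGE on the database (granted
-- above) plus USAGE on the schemas within it.
GRANT USAGE ON ALL SCHEMAS IN DATABASE EVIDENCE_DB TO ROLE HYPERPROOFREADER;

-- Time Travel Configuration for Databases needs only USAGE on the
-- database, which is already granted above.

-- Assumption (not stated on the page): the role needs USAGE on the
-- default warehouse before the user can run queries on it.
GRANT USAGE ON WAREHOUSE COMPLIANCE_WH TO ROLE HYPERPROOFREADER;

-- Service account with key-pair authentication. RSA_PUBLIC_KEY takes the
-- public key body without the BEGIN/END PUBLIC KEY lines (placeholder here).
CREATE USER IF NOT EXISTS HYPERPROOFCLIENT
  DEFAULT_ROLE = HYPERPROOFREADER
  DEFAULT_WAREHOUSE = COMPLIANCE_WH
  DEFAULT_NAMESPACE = 'EVIDENCE_DB.REPORTING'
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_BODY_PLACEHOLDER>';

GRANT ROLE HYPERPROOFREADER TO USER HYPERPROOFCLIENT;

-- Key rotation uses the second key slot: add the new key, update the
-- Hypersync credentials, then unset the old key.
-- ALTER USER HYPERPROOFCLIENT SET RSA_PUBLIC_KEY_2 = '<NEW_PUBLIC_KEY_BODY_PLACEHOLDER>';
-- ALTER USER HYPERPROOFCLIENT UNSET RSA_PUBLIC_KEY;

-- Verify: the grants should list only the objects above, and the user
-- description should show a fingerprint for the assigned public key.
SHOW GRANTS TO ROLE HYPERPROOFREADER;
SHOW GRANTS TO USER HYPERPROOFCLIENT;
DESCRIBE USER HYPERPROOFCLIENT;
```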