
Data Security and Snowflake Privileges

Spendview for Snowflake is a free module from observability, a core component of our platform.

Spendview for Snowflake ensures your sensitive data is maintained and protected from inappropriate access. We do not store your data or metadata. We access only the Snowflake data share and historical data; the calculations run in your Snowflake instance, and the results are sent back to observability.

Spendview for Snowflake uses a Snowflake role that is granted two database roles on the Snowflake data share. These provide visibility into policy-related information and historical usage information, respectively.

The diagram below shows the workflow for obtaining read-only privileges on a subset of the ACCOUNT_USAGE schema in the Snowflake data share:

[Diagram: account-settings]

  • A new user is used to connect to the customer's Snowflake account. By default, the new user DATAOPS_OBS is created via our script and is used to connect to the Snowflake account. You can customize the new user name as needed.
  • The new Snowflake role DATAOPS_OBS_VIEWER is granted to this user, letting them log in to Snowflake and have access per the role privileges.
  • The two database roles GOVERNANCE_VIEWER and USAGE_VIEWER are granted to the new user DATAOPS_OBS, or whatever username you used.
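The following SQL is an added sketch of this grant layout, not the vendor's setup script. It attaches the two database roles to the account role DATAOPS_OBS_VIEWER, as in the description of a Snowflake role granted two database roles, and shows the broader `IMPORTED PRIVILEGES` grant only as a commented-out contrast. The warehouse name `OBS_WH` and the use of ACCOUNTADMIN are assumptions, and user authentication is configured separately.

```sql
-- Added example. OBS_WH is a hypothetical warehouse name; the user, account role
-- and database role names are the ones used on this page.
USE ROLE ACCOUNTADMIN;  -- assumption: an administrator allowed to grant SNOWFLAKE database roles

-- Dedicated account role and service user for the integration.
CREATE ROLE IF NOT EXISTS DATAOPS_OBS_VIEWER;
CREATE USER IF NOT EXISTS DATAOPS_OBS
  DEFAULT_ROLE      = DATAOPS_OBS_VIEWER
  DEFAULT_WAREHOUSE = OBS_WH;
GRANT ROLE DATAOPS_OBS_VIEWER TO USER DATAOPS_OBS;

-- Broad form, shown for contrast only: this exposes every schema and view in the
-- shared SNOWFLAKE database to the role, not just the subset the integration needs.
-- GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE DATAOPS_OBS_VIEWER;

-- Scoped form: only the policy-related and historical-usage views.
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE DATAOPS_OBS_VIEWER;
GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER      TO ROLE DATAOPS_OBS_VIEWER;

-- Compute for running the queries; no grants on customer databases are made.
GRANT USAGE ON WAREHOUSE OBS_WH TO ROLE DATAOPS_OBS_VIEWER;

-- Review the result: the role should hold the two database roles and the
-- warehouse grant, and the user should hold only DATAOPS_OBS_VIEWER.
SHOW GRANTS TO ROLE DATAOPS_OBS_VIEWER;
SHOW GRANTS TO USER DATAOPS_OBS;
```

Re-running the two `SHOW GRANTS` statements during periodic access reviews makes any privilege added to the role or user after setup visible.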

See the Snowflake documentation ACCOUNT_USAGE VIEWS by Database Role for more details about the privileges to query the ACCOUNT_USAGE views in the shared database.