Data Sharing

| Feature | Cross-Region/Cloud | Paid Option? | Public Option? | Usage Metrics | VPS | Provider Profile? |
|---|---|---|---|---|---|---|
| Direct Share | N | N | - | N | N | N |
| Listing | Y | Y | Y | Y | Must enable | Y |
| Direct Exchange | N | N | - | N | N | Y |

  • Sharable objects: Tables (Regular, Dynamic, External, Iceberg), Secure Views, Secure UDFs, Secure Materialized Views, Application Packages
  • Sharing options: Direct Share or Listing
  • HIPAA accounts cannot share with non-HIPAA accounts
    • PHI data can only be direct shared
    • must sign a business associate agreement (BAA) with Snowflake and the consumer
  • Tri-Secret Secure data protection is allowed, as if access were occurring from the provider account
  • provider can create a share that can selectively include: tables, external tables, secure views, secure materialized views and secure UDFs
  • current_account() for row-level security
  • invoker_share(): name of the current share (for dynamic data masking)
  • is_database_role_in_session() lets providers define database roles that set security granularity; access is controlled by consumer accounts

Direct Share

  • Steps
    1. Create a share
    2. Grant permissions either directly to the share, and/or to one or more database roles, then grant those database roles to the share
      • grant USAGE on the database and all schemas that contain the objects being shared
      • if a secure view references objects contained in other databases, grant REFERENCE_USAGE
      • grant permission on the object (e.g. SELECT on tables/views)
    3. alter share to add consumer accounts
  • reference_usage permission cannot be granted to a database role
  • a database role cannot be granted to a share if:
    • it has future grants
    • it has permissions other than read-only
    • it inherits another database role
  • Cannot transfer ownership of a SHARE
  • Cannot share from a Business Critical (BC) account to a non-BC account unless SHARE_RESTRICTIONS=FALSE is set per share
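
The Direct Share steps above, combined with the current_account() row-level security note, as an added example (not from the original notes). All object and account names (sales_db, mapping_db, orders_v, account_map, orders_share, consumer_org.consumer_acct) are hypothetical.

```sql
-- Added example; every database, schema, table, share and account name is hypothetical.

-- Entitlement table kept in a separate database: one row per consumer account
-- and the region it may see. consumer_account holds the value that
-- CURRENT_ACCOUNT() returns when that consumer queries the share.
CREATE TABLE mapping_db.sec.account_map (
    consumer_account STRING,
    region           STRING
);

-- Row-level security: the secure view only returns rows mapped to the
-- account running the query, and hides its definition from consumers.
CREATE SECURE VIEW sales_db.shared.orders_v AS
SELECT o.order_id, o.region, o.amount
FROM   sales_db.raw.orders o
JOIN   mapping_db.sec.account_map m
  ON   o.region = m.region
WHERE  m.consumer_account = CURRENT_ACCOUNT();

-- Step 1: create the share.
CREATE SHARE orders_share;

-- Step 2: grant directly to the share, least privilege first.
-- USAGE on the database and on the schema that holds the shared object.
GRANT USAGE ON DATABASE sales_db        TO SHARE orders_share;
GRANT USAGE ON SCHEMA   sales_db.shared TO SHARE orders_share;
-- The secure view reads from another database, so REFERENCE_USAGE is needed
-- on it (granted to the share itself, not to a database role).
GRANT REFERENCE_USAGE ON DATABASE mapping_db TO SHARE orders_share;
-- Only the secure view is exposed; the base tables are never granted.
GRANT SELECT ON VIEW sales_db.shared.orders_v TO SHARE orders_share;

-- Check before adding any consumer: review what the share exposes, then
-- query the view as a simulated consumer to confirm the row filter.
SHOW GRANTS TO SHARE orders_share;
ALTER SESSION SET SIMULATED_DATA_SHARING_CONSUMER = 'CONSUMER_ACCT';
SELECT COUNT(*) FROM sales_db.shared.orders_v;
ALTER SESSION UNSET SIMULATED_DATA_SHARING_CONSUMER;

-- Step 3: add the consumer account.
ALTER SHARE orders_share ADD ACCOUNTS = consumer_org.consumer_acct;
-- From a BC provider to a non-BC consumer, append SHARE_RESTRICTIONS = false
-- to the ALTER SHARE statement above, per share.
```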

Listing

  • Availability options: private or public
  • Access options: Free, Limited Trial, Paid
    • Snowflake pricing models: usage by query, or subscription
  • Listing Types:
    • Organizational: uses internal Marketplace
    • Marketplace: available to all, including private connectivity except VPS customers
    • Data Exchange: available to those consumers who are invited by the provider
  • Provider profile is required except for free-private listings
  • Stripe account required for paid accounts
  • Limitations on listings from Gov region:
    • cannot offer paid or personalized listings
    • cannot offer application packages
    • must use cross-cloud auto-fulfillment
  • Managing with SQL requires manifest

Auto Fulfillment

  • limited to 10 TB
  • for free listings, either auto-fulfillment or manual product data fulfillment
  • for paid listings, use auto-fulfillment
  • for limited sharing, Snowsight detects and enables auto-fulfillment; cannot manually replicate
  • refresh after initial auto-fulfillment
    • interval based, from 1 minute to 8 days
    • schedule based, at a specific timestamp
    • triggered, use system$trigger_listing_refresh to trigger a refresh

Data Exchange

  • Snowflake account that hosts the exchange is the exchange admin.
  • Terminology:

    • Data Exchange Admin: ACCOUNTADMIN (default) or IMPORTED PRIVILEGES can manage the exchange:
      • add/remove members: as providers and/or consumers
      • provider profile approval requests
      • show categories
    • Data Exchange Providers:
      • must have a provider Profile. A region must be associated with one provider profile
      • create, define (personalized vs. free) and publish Listing
      • grant access to personalized listing from consumers who reside in other regions
    • Data Exchange Consumers:
      • Discover/browse listings
      • Use marketplace or data exchanges
      • consume datasets
    • Listing: Can be either personalized or free
  • Exchange Provider Privileges:

    • create listing, create share,