Snowflake Secure Role-Based Access Control & External Sharing

Hello and welcome to XQ! Today, I will guide you through a comprehensive walkthrough on how to externally share an XQ encrypted Snowflake database table. In this tutorial, you'll learn the intricate process of securely sharing sensitive data while maintaining individual encryption for each row.

XQ + Snowflake adds security and governance at the data level, enabling secure external sharing. We do this by applying role-based access control

This solves the problem of secure data transfer between Snowflake partners.

Through the XQ Automated External Key store, this video illustrates how you can secure role-based access at the data object level.

XQ is a zero-trust data security platform that protects, enforces policies and monitors data beyond the bounds of a single environment.

Step 1: Encryption Setup

Take a look at the XQ-encrypted Snowflake database table, where the first name, last name, email, and phone number fields are all uniquely encrypted with each row having its unique key.

Step 2: Sharing With External Reader User

To begin, we need to share this encrypted table with an external reader user. Navigate to the data section, followed by private sharing and reader accounts.

1. Create a New Reader Account: Click on the 'New' button in the top right corner. Input an account name, a username, password, and confirm the password. Click the 'Create Account' button.

Step 3: Share With External User

Share the locator URL along with the authentication credentials you provided with the external user.

1. Allow Access: In the 'Shared with You' tab, click 'Share' and create a direct share. Select the database table you want to share. Input the reader account you just created. Click 'Create Share.'

Now, the external user can log in to the Snowflake account and access the shared table.

Step 4: Accessing The Shared Data

1. Import Shared Database: Go to the URL provided to the external user. Use the authentication credentials to sign in. Import the shared database by clicking on the data section, private sharing, and selecting the specific database.

Step 5: Decrypting Shared Values

All shared values are still uniquely encrypted using XQ. To decrypt these values, utilize Snowflake's Snow Park environment.

1. Setup Snow Park Environment: Set up a Python Snow Park environment with connection parameters. Use the Execute Python SDK to authorize yourself to XQ for decryption.

Step 6: Authorizing External User

Authorize the external user to access encrypted data.

1. Add External User to XQ Team: Under the team section, click the '+' sign to add a new team member. Add the external user's email address. Confirm the invitation through email.

Step 7: Revoking Access

As an administrator, you have control over individual users' access.

1. Revoke Access: Edit the user info and delete the contact to revoke access.

Step 8: Compliance Monitoring

Monitor access attempts and maintain compliance.

1. Monitor Access: Check the communications log for detailed access attempts. Revoke access on individual row items if needed.

By following these steps, you've successfully shared and controlled access to an XQ encrypted Snowflake database table externally. This process ensures secure data sharing while maintaining compliance and control over user access. Feel free to explore additional features and roles within XQ to tailor this process to your specific needs. Happy data sharing!

Set up an XQ developer account: https://manage.xqmsg.com

Developer docs available here: https://xq.stoplight.io/docs/xqmsg

Get started with the XQ Python SDK: https://github.com/XQ-Message-Inc/pysdk-core