Features
Row-level security (RLS) in Snowflake restricts the set of rows a user can access based on a policy you define and attach to tables or views.
Row-level security (RLS) in Snowflake lets you present different slices of the same table to different users without duplicating data, dramatically simplifying multi-tenant and compliance-driven architectures.
Row-level security is a fine-grained access-control mechanism that filters rows returned by a query according to policies you create. Unlike table- or column-level permissions, RLS ensures that every SELECT, UPDATE, or MERGE executed on the protected object automatically enforces the policy—no matter which SQL client or BI tool is used.
Modern data platforms often serve multiple customers, departments, or regulatory regions from a single Snowflake account. Without RLS you would need to manage dozens of derived tables or specialized views, leading to:
RLS solves these issues with centrally managed policies that scale across thousands of tables and virtual warehouses.
Behind the scenes, Snowflake turns each policy into a Boolean expression that is injected into every query plan referencing the protected object. The expression can reference:
CURRENT_ROLE(), CURRENT_USER())SESSION:<var_name>)If the predicate evaluates to TRUE, the row is returned; otherwise, the row is silently filtered out.
Start by defining who can see what. A simple pattern is a mapping table with user_name, tenant_id, and optional role columns.
CREATE OR REPLACE TABLE access_map (
user_name STRING,
tenant_id STRING,
allowed BOOLEAN DEFAULT TRUE
);
CREATE OR REPLACE ROW ACCESS POLICY tenant_rls
AS (tenant_id STRING)
RETURN CASE
WHEN EXISTS (
SELECT 1
FROM access_map m
WHERE m.user_name = CURRENT_USER()
AND m.tenant_id = tenant_id
AND m.allowed
) THEN TRUE
ELSE FALSE
END;
This policy checks the mapping table for a match between the current user and the row’s tenant_id.
ALTER TABLE raw_events
ADD ROW ACCESS POLICY tenant_rls ON (tenant_id);
Snowflake immediately begins enforcing the policy for every query on raw_events.
-- As user alice@acme.com
SELECT COUNT(*) FROM raw_events; -- Returns only ACME rows
-- As user bob@globex.com
SELECT COUNT(*) FROM raw_events; -- Returns only GLOBEX rows
Attach the same tenant_rls policy to hundreds of tables using scripting or Terraform. Because the predicate contains no table-specific references, it is reusable across your schema.
Combine RLS with masking policies to hide sensitive columns (e.g., PII) inside the permitted rows. This dual layer covers both horizontal and vertical security.
Set SESSION:as_of_date to implement time-travel-aware RLS, returning only rows valid for a given business date.
When you secure a base table, Snowflake automatically enforces the same policy on any view that selects from that table—no extra work required.
SECURITY schema and grant SELECT only to administrators.CURRENT_ROLE() rather than CURRENT_USER() when your organization relies on role-based access control.COMMENT ON POLICY so auditors can trace intent.SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES to inventory coverage.RANDOM() break policy caching. Stick to deterministic logic.A Series-B SaaS company stores all customer events in raw_events with a tenant_id column. By applying the tenant_rls policy, customer success managers querying through Galaxy see only their own customer’s data, while internal analysts with elevated roles can see cross-tenant metrics. No code changes in the application layer were required.
Galaxy is a modern SQL editor that respects Snowflake’s permission model. Because the RLS predicate is enforced directly in Snowflake, every query executed from Galaxy automatically inherits the same protections. Power users can:
No additional configuration is needed inside Galaxy—simply log in with a role that has the right Snowflake grants.
Row-level security in Snowflake is a powerful, declarative way to safeguard sensitive data while maximising analyst agility. By following the design patterns and best practices above, you can implement scalable, auditable policies that work seamlessly with tools like Galaxy.
Without RLS, companies often duplicate tables or build complex view logic to serve different audiences. Snowflake’s native RLS simplifies multi-tenant designs, cuts storage costs, and ensures consistent enforcement across every SQL interface—critical for compliance with SOC 2, HIPAA, and GDPR.
Snowflake injects the predicate at plan time and caches results, so the overhead is usually negligible unless your predicate performs large joins or non-deterministic work.
Galaxy executes SQL exactly as Snowflake receives it. You can write and run CREATE POLICY or ALTER TABLE ADD ROW ACCESS POLICY statements in Galaxy’s editor, and the policies will function identically to any other client.
Policies applied to base tables automatically propagate to all views that reference those tables, ensuring consistent enforcement without extra configuration.
RLS filters out entire rows, while masking obfuscates individual column values. They can be combined for layered security.
.avif){kind=logo}
