Configure user attributes on a Snowflake connection

This document describes how and why to use attributes on your Snowflake connection. There are two attributes available on the Snowflake connection: Warehouse and Role.

Requirements

  • Admin privileges in your Sigma organization. See Account Types for more information.

Warehouse attribute

The Warehouse attribute allows you to dynamically change the value of the warehouse based on the user role. This is beneficial because it allows you to create separate warehouses for every client and easily monitor the compute costs incurred per client.

You can also monetize this by providing separate warehouses for large customers, rather than combining small and large customers in one warehouse.

Once you configure attributes on the connection, you can pass the attribute to external users in a secure embed URL.

Role attribute

The Role attribute provides row-level security using the roles you configured in Snowflake, rather than manually recreating row-level security and security policies in Sigma. This feature allows you to bypass OAuth and dynamically deploy your Snowflake roles on the connection in Sigma. You can dynamically change the role on your Snowflake connection with user attributes.

Once you configure attributes on the connection, you can pass the attribute to external users in a secure embed URL.

📘

For embed users, you can set attributes on users and teams. For internal users, you can set attributes on teams.

Configure user attributes

In order to configure user attributes on a Snowflake warehouse connection, you must first create user attributes and assign them to teams. Depending on your use case, you can create a user attribute for a Warehouse, Role, or both.

Follow the instructions below to configure user attributes. For a more detailed explanation, see User Attributes.

  1. In your Sigma Admin portal, go to User Attributes and click Create Attribute.
  2. In the New Attribute section, enter a unique name in the Name field.
  3. In the Description field, describe the attribute. Optional.
  4. In the Default Value field, enter a default value. Sigma will use the value defined here if no value is set for a team. Optional.
  5. Click Create.
  6. After you click Create, the attribute appears under User Attributes.

Assign user attributes

Follow the steps below to assign a team to a User Attribute.

  1. In the Teams Assigned section, click Assign Attribute to assign teams to this attribute.

  2. In the search bar, search for teams to assign this attribute to, or click in the search bar to view a list of your organization's teams. For more information, see Teams.

  3. Add a value in the Assigned Value field.

  4. Click Assign. Your teams are now listed under Teams Assigned.

  5. To reorder the priority of teams, in the Teams Assigned section, place your cursor over the drag handle under the Priority column, and drag and drop the team to the desired priority.

    📘

    If a user is a member of multiple teams, use Priority to determine which team the user is subject to.

Set user attributes on a Snowflake connection

Configure a Warehouse or Role attribute to use in the steps below.

  1. In the Administration Portal, go to Connections.

  2. Click Create Connection or open an existing connection.

  3. Click Snowflake.

  4. Follow the general configuration instructions in the Connect to Snowflake document.

  5. Click the More Menu on the Warehouse field to browse and select the warehouse attribute you previously configured.

    📘

    You must deselect OAuth access.


  6. Click the More Menu on the Role field to browse and select the role attribute you previously configured.

    You must deselect OAuth access.


  7. Your Snowflake connection is configured to dynamically use the role set in Snowflake.


Use with secure embeds

Once you configure attributes on the connection, you can pass the attribute to external users in a secure embed URL. To use the role and warehouse attributes in an embed, you must add the parameters to the URL (Embed Path URL).

📘

For the Role attribute, this configuration enforces row-level security for the duration of the secure embed.

Add parameters to a secure embed URL

In order to pass attributes in secure embeds, you must add the parameters to the embed URL for both attributes.

In the embed URL, the attributes should be formatted as follows:

:ua_{nameofattribute}=value

//example
:ua_warehouse=wh

In the example below, the attribute is added at the end of the secure embed URL.

https://app.sigmacomputing.com/embed/1qmpD5yiMIRvb6dI8l4pzK
?:nonce=35df8548-c7e5-4d35-92da7f8114843999
&:session_length=3600
&:client_id=9319bfb04ae48af48bbee8f702669c085a38b6a73f43d32htd70a3cd6ee4h9iu
&:time=1654709460
&:external_user_id=12
&:external_user_team=Team%20A%2CTeam%20B
&:email=[email protected]
&:account_type=explorer
&:mode=userbacked
&:ua_warehouse=wh1
&:signature=j323557c82b26103faf65314db41ebc51ea9n3a61795ef22f45ep0aed1f4182493
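
An added example, not Sigma's own code: building the URL above on the server so that the `:ua_` values come from a tenant allow-list rather than from the browser, and are included in the signed string. The hex HMAC-SHA256 signature over the URL, the tenant mapping, the `role` attribute name, the credential values, and `signature_valid` (a local stand-in for the check the receiving side performs) are assumptions.

```python
import hashlib
import hmac
import re
import time
import uuid
from urllib.parse import quote

# Constructed sample values; not real Sigma credentials or embed paths.
EMBED_PATH = "https://app.sigmacomputing.com/embed/EXAMPLE_EMBED_ID"
CLIENT_ID = "example-client-id"
EMBED_SECRET = b"example-embed-secret"

# Hypothetical tenant -> attribute mapping; keys match User Attributes names.
TENANT_ATTRIBUTES = {
    "acme": {"warehouse": "WH_ACME", "role": "ACME_READER"},
    "globex": {"warehouse": "WH_GLOBEX", "role": "GLOBEX_READER"},
}
SAFE = re.compile(r"[A-Za-z0-9_]+")


def sign(url: str) -> str:
    # Assumption: the signature is the hex HMAC-SHA256 of the URL before it.
    return hmac.new(EMBED_SECRET, url.encode(), hashlib.sha256).hexdigest()


def build_embed_url(tenant, user_id, team, email, now=None):
    attrs = TENANT_ATTRIBUTES[tenant]  # unknown tenant raises KeyError
    params = [
        ("nonce", str(uuid.uuid4())),
        ("session_length", "3600"),
        ("client_id", CLIENT_ID),
        ("time", str(int(time.time() if now is None else now))),
        ("external_user_id", user_id),
        ("external_user_team", team),
        ("email", email),
        ("account_type", "explorer"),
        ("mode", "userbacked"),
    ]
    for name, value in attrs.items():
        # Reject anything that could smuggle extra query parameters.
        if not (SAFE.fullmatch(name) and SAFE.fullmatch(value)):
            raise ValueError(f"unsafe user attribute {name!r}")
        params.append((f"ua_{name}", value))
    url = f"{EMBED_PATH}?" + "&".join(f":{k}={quote(v, safe='')}" for k, v in params)
    return f"{url}&:signature={sign(url)}"


def signature_valid(url: str) -> bool:
    unsigned, _, sig = url.rpartition("&:signature=")
    return hmac.compare_digest(sign(unsigned), sig)
```

Because the `:ua_` parameters sit before `:signature`, swapping `ACME_READER` for another role in the finished URL makes the signature check fail.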

For more information about adding parameters to a secure embed URL, see Embed URL parameters and Example embed API and URL.