
Snowflake, Inc.
Access Control Pattern for Sensitive Objects in Snowflake
Pages
9
Time to read
8 mins
Publication
Language
English

This document is a technical report that outlines a security pattern for managing access to sensitive objects within Snowflake's database architecture. It presents an approach to granting access to schemas containing sensitive data without creating a fork in the Role-Based Access Control (RBAC) hierarchy. The report details how this pattern simplifies the process of access requests by allowing users to request access to sensitive data without needing to manage multiple roles. It explains the hierarchical structure of objects in Snowflake, including databases, schemas, and tables, and how privileges are granted at each level. The document also describes the conditions under which this access pattern is most effective, emphasizing the role of identity governance and access management systems in controlling access. Additionally, it provides examples of role creation and access requests, illustrating how users can navigate the approval process for sensitive data access. The report concludes with guidance on potential misapplications and design principles enabled by this pattern.