policies.sql
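-- Account-level security configuration for this Snowflake account:
-- password policy, admin session timeout, service-account tagging,
-- authentication policies and two account parameters.
--
-- Runs as SYSADMIN (database) and ACCOUNTADMIN (account-level objects).
-- Every CREATE uses IF NOT EXISTS so the script can be re-run; the ALTER
-- ... SET POLICY statements are the only parts that are not idempotent
-- (see the notes next to them).
--
-- Reference: https://docs.snowflake.com/en/user-guide/security-column-ddm-use
--
-- Masking-policy example kept for reference; it is commented out and is NOT
-- applied by this script:
-- use role masking_admin;
-- USE DATABASE synapse_data_warehouse;
-- USE SCHEMA synapse;
-- CREATE MASKING POLICY IF NOT EXISTS email_mask AS (val string) returns string ->
-- CASE
-- WHEN current_role() IN ('SYSADMIN') THEN VAL
-- ELSE regexp_replace(val,'.+\@','*****@') -- leave email domain unmasked
-- END;
-- ALTER MASKING POLICY email_mask SET BODY ->
-- CASE
-- WHEN current_role() IN ('SYSADMIN') THEN VAL
-- ELSE '*****'
-- END;

USE ROLE SYSADMIN;

-- Policies live in their own database so they survive if a data database
-- is dropped and recreated.
CREATE DATABASE IF NOT EXISTS POLICY_DB;
USE DATABASE POLICY_DB;

-- Account-level policies and parameters require ACCOUNTADMIN; the role stays
-- ACCOUNTADMIN for the rest of the script.
USE ROLE ACCOUNTADMIN;

-- Password policy: 14-character minimum. PASSWORD_MAX_AGE_DAYS = 0 disables
-- password expiry. No complexity or lockout settings are declared here, so
-- Snowflake's defaults apply for those.
CREATE PASSWORD POLICY IF NOT EXISTS password_policy
    PASSWORD_MIN_LENGTH = 14
    PASSWORD_MAX_AGE_DAYS = 0;
-- NOTE(review): if the account already has a password policy set, this may
-- need an UNSET first — confirm before re-running.
ALTER ACCOUNT
    SET PASSWORD POLICY password_policy;

-- 15-minute idle timeout for admin users, for both UI and non-UI sessions.
CREATE SESSION POLICY IF NOT EXISTS admin_timeout_policy
    SESSION_IDLE_TIMEOUT_MINS = 15,
    SESSION_UI_IDLE_TIMEOUT_MINS = 15;
-- Snowflake's ALTER USER takes one user per statement, hence the repetition.
-- NOTE(review): a user that already carries a session policy may need it
-- UNSET before a new one can be set — confirm before re-running.
ALTER USER "[email protected]"
    SET SESSION POLICY admin_timeout_policy;
ALTER USER "[email protected]"
    SET SESSION POLICY admin_timeout_policy;
ALTER USER THOMASYU888
    SET SESSION POLICY admin_timeout_policy;
ALTER USER "[email protected]"
    SET SESSION POLICY admin_timeout_policy;

-- Tag service accounts with ACCOUNT_TYPE = 'service' so they are not reported
-- as human accounts by security warnings.
CREATE TAG IF NOT EXISTS ACCOUNT_TYPE;
ALTER USER AD_SERVICE SET TAG ACCOUNT_TYPE = 'service';
ALTER USER DPE_SERVICE SET TAG ACCOUNT_TYPE = 'service';
ALTER USER SNOWFLAKE SET TAG ACCOUNT_TYPE = 'service';
-- NOTE(review): THOMASYU888 is tagged as a service account and given the
-- password-only service authentication policy below, while also receiving the
-- admin session policy above; confirm this account is intended to be a
-- service account rather than a person.
ALTER USER THOMASYU888 SET TAG ACCOUNT_TYPE = 'service';

-- Authentication policies.
-- SHOW PARAMETERS LIKE 'ENABLE_IDENTIFIER_FIRST_LOGIN' IN ACCOUNT;
ALTER ACCOUNT SET ENABLE_IDENTIFIER_FIRST_LOGIN = TRUE;

-- Inventory commands useful when auditing the account:
-- SHOW PASSWORD POLICIES IN ACCOUNT;
-- SHOW SESSION POLICIES IN ACCOUNT;
-- SHOW AUTHENTICATION POLICIES IN ACCOUNT;
-- SHOW MASKING POLICIES IN ACCOUNT;
-- SHOW NETWORK RULES IN ACCOUNT;

-- Omitting CLIENT_TYPES enables all client types for a policy.
-- None of the policies below declares an MFA setting, so whatever the
-- account default is applies; this script does not itself enforce MFA.

-- Service accounts: password only.
CREATE AUTHENTICATION POLICY IF NOT EXISTS service_account_authentication_policy
    AUTHENTICATION_METHODS = ('PASSWORD');

-- Admins: SAML through either IdP, with password kept as a fallback.
CREATE AUTHENTICATION POLICY IF NOT EXISTS admin_authentication_policy
    AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
    SECURITY_INTEGRATIONS = ('GOOGLE_SSO', 'JUMPCLOUD');

-- Everyone else (the account default): SAML through Google SSO only.
CREATE AUTHENTICATION POLICY IF NOT EXISTS user_authentication_policy
    AUTHENTICATION_METHODS = ('SAML')
    -- CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS')
    SECURITY_INTEGRATIONS = ('GOOGLE_SSO');

-- Account default first, then the per-user overrides.
ALTER ACCOUNT SET AUTHENTICATION POLICY user_authentication_policy;
ALTER USER "[email protected]" SET AUTHENTICATION POLICY admin_authentication_policy;
ALTER USER "[email protected]" SET AUTHENTICATION POLICY admin_authentication_policy;
ALTER USER RECOVER_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy;
ALTER USER DPE_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy;
ALTER USER AD_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy;
ALTER USER THOMASYU888 SET AUTHENTICATION POLICY service_account_authentication_policy;

-- Allow Cortex requests to be served from any region. This permits requests
-- to be processed outside the account's home region — keep in mind for data
-- residency requirements. (Role is still ACCOUNTADMIN from above.)
ALTER ACCOUNT SET CORTEX_ENABLED_CROSS_REGION = 'ANY_REGION';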