# Snowflake Row Access Policies

Row Access Policies are a [Snowflake Enterprise Edition feature](https://docs.snowflake.com/en/user-guide/security-row-intro) for implementing row-level security by dynamically filtering rows of data based on user roles and access privileges. The Veza integration for [Snowflake](/4yItIzMvkpAvMVFAamTf/integrations/integrations/snowflake.md) discovers Row Access Policies to help visualize which users and roles have row-level access to tables and views.

### Supported Row Access Policy Features

Veza currently supports a limited subset of Row Access Policy functionality:

#### Supported Context Functions

* `CURRENT_ROLE()`
* `CURRENT_USER()`
* `IS_APPLICATION_ROLE_IN_SESSION()`
* `IS_ROLE_IN_SESSION()`

#### Supported Operators

At present, only simple row-filtering conditions are supported, using these operators:

* `=` (equals)
* `<>` (not equals)
* `IN`
* `NOT IN`

#### Supported Policy Expressions

Examples of supported policy conditions:

* `'ROLE_A' = CURRENT_ROLE()`
* `'ROLE_A' <> CURRENT_ROLE()`
* `CURRENT_ROLE() IN ('ROLE_A', 'ROLE_B', 'ROLE_C')`
* `CURRENT_ROLE() NOT IN ('ROLE_A', 'ROLE_B', 'ROLE_C')`
* `'USER_A' = CURRENT_USER()`
* `'USER_A' <> CURRENT_USER()`
* `CURRENT_USER() IN ('USER_A', 'USER_B', 'USER_C')`
* `CURRENT_USER() NOT IN ('USER_A', 'USER_B', 'USER_C')`
* `IS_ROLE_IN_SESSION('ROLE_A')`
* `NOT IS_ROLE_IN_SESSION('ROLE_A')`
* `IS_APPLICATION_ROLE_IN_SESSION('ROLE_A')`
* `NOT IS_APPLICATION_ROLE_IN_SESSION('ROLE_A')`

### Graph Relationships

Row Access Policies create two types of relationships in the Veza Access Graph:

#### Resource Relationships

These relationships are always created when a Row Access Policy is discovered:

![Access Policies to Snowflake Resources](/files/A91ZxUWba6xgd450AGiy)

* `SnowflakeRowAccessPolicy` --- `ON_TABLE_RESOURCE` --> `SnowflakeTable`
* `SnowflakeRowAccessPolicy` --- `ON_VIEW_RESOURCE` --> `SnowflakeView`

#### Access Relationships

These relationships are created when Veza can successfully parse a Row Access Policy:

![Graph Search: Users and Roles to Access Policies](/files/zpu6VsP8jYGd5ow7nrWv)

* `SnowflakeRole` --- `RECEIVES_UNMASKED_DATA_FROM_ROW_ACCESS_POLICY` --> `SnowflakeRowAccessPolicy`
* `SnowflakeUser` --- `RECEIVES_UNMASKED_DATA_FROM_ROW_ACCESS_POLICY` --> `SnowflakeRowAccessPolicy`

If a policy cannot be successfully parsed, Veza creates a `RECEIVES_UNMASKED_DATA_FROM_ROW_ACCESS_POLICY` edge between the `PUBLIC` role and the Row Access Policy, similar to how unrecognized Masking Policies are handled.
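A pre-check for the fallback described above, as an added example (not Veza's parser or code): it flags Row Access Policy bodies that do not match one of the expression forms listed on this page, so policies that may end up with the `PUBLIC` fallback edge can be reviewed first. The policy names and bodies are constructed samples, and the matcher is a conservative assumption: anything not listed on this page, including reversed operands and `AND`/`OR` combinations, is reported for review.

```python
import re

# Building blocks for the expression forms listed under
# "Supported Policy Expressions" (assumption: only those exact shapes).
_STR = r"'[^']*'"                                  # 'ROLE_A'
_LIST = rf"\(\s*{_STR}(?:\s*,\s*{_STR})*\s*\)"     # ('ROLE_A', 'ROLE_B')
_CTX = r"CURRENT_(?:ROLE|USER)\s*\(\s*\)"          # CURRENT_ROLE() / CURRENT_USER()
_SESSION = r"IS_(?:APPLICATION_)?ROLE_IN_SESSION"

_FORMS = [
    rf"{_STR}\s*(?:=|<>)\s*{_CTX}",                # 'ROLE_A' = CURRENT_ROLE()
    rf"{_CTX}\s*(?:NOT\s+)?IN\s*{_LIST}",          # CURRENT_USER() NOT IN (...)
    rf"(?:NOT\s+)?{_SESSION}\s*\(\s*{_STR}\s*\)",  # NOT IS_ROLE_IN_SESSION('ROLE_A')
]
_PATTERN = re.compile(
    r"^\s*(?:" + "|".join(_FORMS) + r")\s*;?\s*$", re.IGNORECASE
)


def matches_documented_form(policy_body: str) -> bool:
    """True if the body is a single condition in one of the listed forms."""
    return bool(_PATTERN.match(policy_body))


def needs_review(policies: dict[str, str]) -> list[str]:
    """Names of policies whose body falls outside the listed forms."""
    return sorted(
        name for name, body in policies.items()
        if not matches_documented_form(body)
    )


# Constructed sample: policy name -> policy body expression.
SAMPLE_POLICIES = {
    "RAP_FINANCE": "CURRENT_ROLE() IN ('FINANCE_ADMIN', 'FINANCE_ANALYST')",
    "RAP_AUDIT": "NOT IS_ROLE_IN_SESSION('CONTRACTOR')",
    "RAP_OWNER": "'SVC_REPORTING' = CURRENT_USER()",
    # Mapping-table lookup: uses a subquery, which is not in the lists above.
    "RAP_REGION": "EXISTS (SELECT 1 FROM sec.region_map m "
                  "WHERE m.role_name = CURRENT_ROLE() AND m.region = region)",
    # Two conditions joined with OR, and the literal on the right-hand side.
    "RAP_COMBINED": "CURRENT_ROLE() = 'ADMIN' OR IS_ROLE_IN_SESSION('SALES')",
}

if __name__ == "__main__":
    for name in needs_review(SAMPLE_POLICIES):
        print(f"review: {name}")
```

A policy reported here is not necessarily unparsable by Veza; the list is a starting point for checking which policies show a `PUBLIC` edge in the graph.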

