Configuring the Snowflake integration for Veza Lifecycle Management.
The Veza integration for Snowflake enables automated user lifecycle management, with support for user provisioning and de-provisioning, role assignment management, and attribute synchronization.
| Action | Description | Supported |
| --- | --- | --- |
| SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅ |
| MANAGE_RELATIONSHIPS | Controls role assignments for identities | ✅ |
| DEPROVISION_IDENTITY | Safely removes or disables access for identities | ✅ |
| SOURCE_OF_IDENTITY | Snowflake can act as a target system for identity lifecycle policies from other sources | ✅ |
This document includes steps to enable the Snowflake integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
You will need administrative access in Veza to configure the integration and the USERADMIN role or equivalent privileges in Snowflake.
- Ensure you have an existing Snowflake integration in Veza or add a new one for use with Lifecycle Management.
- Verify your Snowflake integration has completed at least one successful extraction.
- The Snowflake integration will need the following additional privileges:
  - CREATE USER privilege on the account for user provisioning
  - GRANT ROLE privilege for role assignments
  - OWNERSHIP privilege on target roles for role management
  - Access to a warehouse for executing queries during lifecycle operations

Important: The Snowflake user account used for Lifecycle Management operations should have the USERADMIN role or higher privileges to ensure proper user and role management capabilities.
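As an added example (not Veza's own setup script), the following Snowflake SQL gives a dedicated role the privileges listed above and then verifies the result. It assumes the existing integration's service user is named VEZA_SVC, that a warehouse LCM_WH already exists, and that SALES_ANALYST and DATA_ENGINEER are the roles Lifecycle Management will assign; all of these names are placeholders. The explicit grants are narrower than USERADMIN; the commented-out line shows the USERADMIN alternative the prerequisites also allow.

```sql
-- Added example, not Veza's own code. Placeholders: VEZA_SVC (existing integration
-- service user), LCM_WH (existing warehouse), SALES_ANALYST / DATA_ENGINEER (roles
-- that Lifecycle Management will assign to users).
USE ROLE SECURITYADMIN;  -- holds MANAGE GRANTS, so it can issue every grant below

-- A dedicated role for lifecycle operations, attached to the integration's service user.
CREATE ROLE IF NOT EXISTS VEZA_LCM_ROLE
  COMMENT = 'Privileges used by Veza Lifecycle Management';
GRANT ROLE VEZA_LCM_ROLE TO USER VEZA_SVC;

-- CREATE USER on the account: needed for user provisioning.
GRANT CREATE USER ON ACCOUNT TO ROLE VEZA_LCM_ROLE;

-- OWNERSHIP of each target role: Snowflake only lets the owner of a role (or a
-- holder of MANAGE GRANTS) grant it to or revoke it from users. COPY CURRENT GRANTS
-- keeps the privileges already attached to the role intact.
GRANT OWNERSHIP ON ROLE SALES_ANALYST TO ROLE VEZA_LCM_ROLE COPY CURRENT GRANTS;
GRANT OWNERSHIP ON ROLE DATA_ENGINEER TO ROLE VEZA_LCM_ROLE COPY CURRENT GRANTS;

-- Warehouse access for the queries the integration runs during lifecycle operations.
GRANT USAGE ON WAREHOUSE LCM_WH TO ROLE VEZA_LCM_ROLE;

-- Broader alternative the prerequisites also allow: USERADMIN can create any user
-- or role in the account, so prefer the explicit grants above where they suffice.
-- GRANT ROLE USERADMIN TO ROLE VEZA_LCM_ROLE;

-- Verification: the role should hold exactly the grants above and nothing more,
-- and the service user should hold only VEZA_LCM_ROLE.
SHOW GRANTS TO ROLE VEZA_LCM_ROLE;
SHOW GRANTS TO USER VEZA_SVC;
```

Re-run the two SHOW GRANTS statements after any later change to the integration's privileges; an unexpected MANAGE GRANTS or ACCOUNTADMIN entry in that output is the first thing to investigate.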
To enable the integration:
1. In Veza, go to the Integrations overview.
2. Search for or create a Snowflake integration.
3. Check the box to Enable usage for Lifecycle Management.

Configure the extraction schedule to ensure your Snowflake data remains current:
1. Go to Veza Administration > System Settings.
2. In Pipeline > Extraction Interval, set your preferred interval.
3. Optionally, set a custom override for Snowflake in the Active Overrides section.

To verify the health of the Lifecycle Management data source:
1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview.
2. Search for the integration and click the name to view details.
3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled.
Snowflake can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following lifecycle management Actions:
SYNC_IDENTITIES is the primary action for user management (creating or updating users):
- User names must be unique and follow Snowflake identifier naming conventions
- Login names are used for authentication and must be unique
- Passwords are automatically generated and set to require a change on first login
- Users are created with appropriate default settings for the Snowflake environment
The following attributes can be synchronized:
MANAGE_RELATIONSHIPS provides role assignment management for users:
- Add and remove role assignments for users
- Synchronize role memberships from source systems
- Support for direct role grants to users
- Roles must exist in Snowflake before assignment

Within Snowflake, roles can be associated with:
- Database and schema access permissions
- Table and view privileges
- Warehouse usage rights
- Administrative privileges for account management
When a user is deprovisioned (DEPROVISION_IDENTITY):
- The user account is disabled (set DISABLED = TRUE)
- Role assignments are removed to revoke access
- User attributes are preserved for audit purposes
- The account can be reactivated if needed for compliance requirements
Automated provisioning when a new employee joins:
1. Create User Account: Sync identity attributes from the HR system to create the Snowflake user with name and login details.
2. Assign Department Role: Grant a role based on the department attribute (e.g., SALES_ANALYST, DATA_ENGINEER).
3. Set Default Role: Configure the default role for the user's session.
4. Add Email and Comments: Populate the user profile with contact information and descriptive notes.

Managing access when employees change roles:
1. Update User Attributes: Sync changed attributes such as email or comments.
2. Remove Old Roles: Revoke previous role assignments that are no longer appropriate.
3. Grant New Roles: Assign roles appropriate for the new position.
4. Update Default Role: Change the user's default role for new sessions.

Secure access removal when employees leave:
1. Disable Account: Set the user account to disabled status.
2. Revoke All Roles: Remove all role assignments to eliminate data access.
3. Preserve Audit Trail: Maintain the user record and history for compliance.
4. Optional Cleanup: Remove the user completely with DROP USER if no audit trail is needed.
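As an added example, not Veza's own code or the statements it issues internally, the following Snowflake SQL is the hand-written equivalent of the joiner, mover and leaver use cases above and of the deprovisioning behaviour described earlier (disable, revoke, preserve the record). It ends with an ACCOUNT_USAGE query that detects the failure mode where a user was disabled but still holds roles. VEZA_LCM_ROLE, LCM_WH, the user JDOE, the roles SALES_ANALYST and DATA_ENGINEER, the warehouse ANALYTICS_WH and every attribute value are constructed placeholders, and the one-time password is shown only as a placeholder string.

```sql
-- Added example, not Veza's own code. All names and attribute values are
-- constructed placeholders; VEZA_LCM_ROLE is assumed to hold CREATE USER on the
-- account and OWNERSHIP of SALES_ANALYST and DATA_ENGINEER.
USE ROLE VEZA_LCM_ROLE;
USE WAREHOUSE LCM_WH;

------------------------------------------------------------------
-- Joiner: create the user from HR attributes and assign the department role
------------------------------------------------------------------
CREATE USER IF NOT EXISTS JDOE
  LOGIN_NAME           = 'jdoe@example.com'   -- unique; used for authentication
  DISPLAY_NAME         = 'Jane Doe'
  EMAIL                = 'jdoe@example.com'
  COMMENT              = 'Sales; HR id E12345 (placeholder)'
  PASSWORD             = '<generated-one-time-password>'
  MUST_CHANGE_PASSWORD = TRUE                 -- rotated on first login
  DEFAULT_WAREHOUSE    = ANALYTICS_WH;

GRANT ROLE SALES_ANALYST TO USER JDOE;        -- the role must already exist
ALTER USER JDOE SET DEFAULT_ROLE = SALES_ANALYST;

------------------------------------------------------------------
-- Mover: Sales -> Data Engineering
------------------------------------------------------------------
ALTER USER JDOE SET
  EMAIL   = 'jane.doe@example.com'
  COMMENT = 'Data Engineering; HR id E12345 (placeholder)';
REVOKE ROLE SALES_ANALYST FROM USER JDOE;     -- old access goes first
GRANT  ROLE DATA_ENGINEER TO USER JDOE;
ALTER USER JDOE SET DEFAULT_ROLE = DATA_ENGINEER;

------------------------------------------------------------------
-- Leaver / DEPROVISION_IDENTITY: disable, revoke, keep the record
------------------------------------------------------------------
ALTER USER JDOE SET DISABLED = TRUE;          -- no further logins
REVOKE ROLE DATA_ENGINEER FROM USER JDOE;     -- remove data access

-- Verify: the user record and its attributes remain, but it holds no roles.
DESCRIBE USER JDOE;                           -- DISABLED = true, EMAIL/COMMENT intact
SHOW GRANTS TO USER JDOE;                     -- expect no rows

-- Reactivation, only if a compliance requirement calls for it:
-- ALTER USER JDOE SET DISABLED = FALSE;

-- Optional cleanup once no audit trail is needed (irreversible):
-- DROP USER IF EXISTS JDOE;

------------------------------------------------------------------
-- Detection check for incomplete deprovisioning: disabled users that still
-- hold a role. Requires IMPORTED PRIVILEGES on the SNOWFLAKE database, and
-- ACCOUNT_USAGE views can lag live state by up to a couple of hours.
------------------------------------------------------------------
SELECT u.name, u.login_name, g.role, g.created_on AS role_granted_on
FROM   SNOWFLAKE.ACCOUNT_USAGE.USERS AS u
JOIN   SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS AS g
       ON g.grantee_name = u.name AND g.granted_to = 'USER'
WHERE  u.deleted_on IS NULL
  AND  g.deleted_on IS NULL
  AND  u.disabled::BOOLEAN = TRUE
ORDER  BY u.name, g.role;
```

The order in the leaver section matters: disabling first stops new sessions even if a later REVOKE fails, and the final query is the control that catches exactly that partial failure, so it is worth scheduling rather than running once.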