Veza’s support for Snowflake Password Policies
Veza supports discovery of Snowflake Password Policies, providing visibility into password security controls and user assignments. This feature helps you audit password policy coverage, identify security gaps, and ensure compliance with organizational standards.
Password Policy discovery can be enabled as an optional feature when adding or editing a Snowflake integration. The Snowflake integration must have read access to the required system views (see below).
1. Go to the Veza Integrations page
2. Create or edit a Snowflake integration configuration
3. Enable the Gather Password Policies option and save the configuration
Password Policies will be automatically discovered during your next scheduled extraction.
Note that this feature requires the MONITOR ON ACCOUNT permission on your Snowflake account. This permission is broader than standard Veza permissions and is only needed for Password Policy extraction.
Whether using standard integration (direct access to the snowflake system database) or an alternative system database, add this permission to your existing Veza role:
-- Enable Password Policy extraction
grant monitor on account to role <veza_role>;
Replace <veza_role> with your actual Veza role name. If you choose not to grant this permission, all other Snowflake integration functionality will work normally, but Password Policies will not be discovered.
If you're using an alternative system database, the Password Policy view is already included in the main setup script. For existing alternative database configurations created before this feature, add these statements:
-- Create Password Policy view
create view VEZA_SNOWFLAKE_DB.ACCOUNT_USAGE.PASSWORD_POLICIES
as select name, schema, database, owner, owner_role_type,
comment, created, last_altered, password_min_length, password_max_length, password_min_upper_case_chars,
password_min_lower_case_chars, password_min_numeric_chars, password_min_special_chars, password_min_age_days,
password_max_age_days, password_max_retries, password_lockout_time_mins, password_history, deleted
from SNOWFLAKE.ACCOUNT_USAGE.PASSWORD_POLICIES;
-- Grant permissions
grant select on view VEZA_SNOWFLAKE_DB.ACCOUNT_USAGE.PASSWORD_POLICIES to role <ROLE_NAME>;
grant monitor on account to role <ROLE_NAME>;
Replace <ROLE_NAME> with your Veza role name.
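The following check is an added example, not part of the Veza setup scripts: it reads the SHOW GRANTS output back through RESULT_SCAN to confirm the MONITOR ON ACCOUNT grant is present, then reads the Password Policy view as the Veza role itself. `<veza_role>` is a placeholder for your role name; the view name shown is the standard-setup one, and the comment gives the alternative system database name from the statements above.

```sql
-- Added verification example (not from the Veza docs). Replace <veza_role>
-- with the role used by the Veza integration.

-- 1. Confirm MONITOR ON ACCOUNT is granted to the role. SHOW output is read
--    back with RESULT_SCAN; its column names are lowercase and must be quoted.
show grants to role <veza_role>;
select "privilege", "granted_on", "name", "granted_by"
from table(result_scan(last_query_id()))
where "privilege" = 'MONITOR'
  and "granted_on" = 'ACCOUNT';
-- Expect exactly one row. No rows means the grant is missing and Password
-- Policies will be skipped during extraction.

-- 2. Read the view as the Veza role itself, with secondary roles disabled so
--    that privileges inherited from other active roles cannot mask a missing grant.
use role <veza_role>;
use secondary roles none;
select count(*) as policy_count
from SNOWFLAKE.ACCOUNT_USAGE.PASSWORD_POLICIES
where deleted is null;
-- Standard setup:            SNOWFLAKE.ACCOUNT_USAGE.PASSWORD_POLICIES
-- Alternative system database: VEZA_SNOWFLAKE_DB.ACCOUNT_USAGE.PASSWORD_POLICIES
```

A count of 0 with no error is a valid outcome: the role can read the view but no Password Policies exist yet. A permission error on the second step means the SELECT grant on the view is missing, which is a separate grant from MONITOR ON ACCOUNT.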
Once the permissions are configured, Password Policies will be automatically discovered during your next scheduled extraction. You can then:
Search for "Snowflake Password Policy" entities in Graph Search or Query Builder
Query relationships between users and their password policies
Apply attribute filters to identify policies by strength requirements
Include password policy context in Access Reviews
Password Policies can be applied at two levels in Snowflake:
Account-level Password Policies: Apply to all users unless overridden by user-specific policies. These provide baseline password requirements for the entire Snowflake account.
User-level Password Policies: Apply to specific users and take precedence over account-level policies. These allow for more granular control over password requirements for individual users.
Snowflake follows a specific precedence order for Password Policies:
User-level Password Policies: Take highest precedence
Account-level Password Policies: Apply when no user-level policy is assigned
When Veza processes Password Policies, it automatically applies account-level policies to all users who don't have a specific user-level policy assigned. This ensures comprehensive visibility into which Password Policy is actually active for each user.
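The resolution rule above can be reproduced inside Snowflake to cross-check what Veza reports. This is an added example, not Veza's extraction code: a user-level policy wins, otherwise the account-level policy applies, and users with neither are reported with policy_source = 'NONE'. It assumes the SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES view lists password policy assignments with POLICY_KIND = 'PASSWORD_POLICY' and REF_ENTITY_DOMAIN values of 'USER' and 'ACCOUNT'; verify those values in your account before relying on the output.

```sql
-- Added example (not from the Veza docs): reproduce, inside Snowflake, the
-- effective-policy resolution described above. A user-level password policy
-- wins; otherwise the account-level policy applies; users with neither are
-- reported with policy_source = 'NONE' so that gaps stand out.
-- Assumption: SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES exposes password policy
-- assignments with POLICY_KIND = 'PASSWORD_POLICY' and REF_ENTITY_DOMAIN of
-- 'USER' or 'ACCOUNT'. Check these values in your account first.
with assignments as (
    select policy_db, policy_schema, policy_name,
           ref_entity_domain, ref_entity_name
    from snowflake.account_usage.policy_references
    where policy_kind = 'PASSWORD_POLICY'
),
account_policy as (
    -- Only one account-level password policy can be set at a time.
    select policy_db, policy_schema, policy_name
    from assignments
    where ref_entity_domain = 'ACCOUNT'
),
user_policy as (
    select ref_entity_name as user_name, policy_db, policy_schema, policy_name
    from assignments
    where ref_entity_domain = 'USER'
)
select
    u.name as user_name,
    u.disabled,
    case
        when up.user_name   is not null then 'USER'     -- explicit user-level policy
        when ap.policy_name is not null then 'ACCOUNT'  -- inherited account-level policy
        else 'NONE'                                     -- no password policy at all
    end as policy_source,
    coalesce(up.policy_db,     ap.policy_db)     as policy_db,
    coalesce(up.policy_schema, ap.policy_schema) as policy_schema,
    coalesce(up.policy_name,   ap.policy_name)   as policy_name
from snowflake.account_usage.users u
left join user_policy up
    on up.user_name = u.name
left join account_policy ap
    on 1 = 1          -- attach the single account-level policy to every user row
where u.deleted_on is null
order by policy_source, u.name;
```

Rows with policy_source = 'NONE' are the same population the "NOT RELATED TO SnowflakePasswordPolicy" query in Veza returns; if the two sets differ, the usual causes are ACCOUNT_USAGE latency or a policy assignment made after the last extraction.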
Password Policies create several types of relationships in the Veza authorization graph:
Users are connected to Password Policies that apply to them:
SnowflakeUser --- HAS_PASSWORD_POLICY --> SnowflakePasswordPolicy
The Snowflake account is connected to all Password Policies:
SnowflakeAccount --- HAS_PASSWORD_POLICY --> SnowflakePasswordPolicy
Attribute | Description
--- | ---
policy_name | Password Policy name
database_name | Database containing the policy
schema_name | Schema containing the policy
owner | Owner of the policy
owner_role_type | Type of role that owns the policy
comment | Policy description or comment
created_at | When the policy was created
updated_at | When the policy was last modified
password_min_length | Minimum password length requirement
password_max_length | Maximum password length requirement
password_min_upper_case_chars | Minimum number of uppercase characters required
password_min_lower_case_chars | Minimum number of lowercase characters required
password_min_numeric_chars | Minimum number of numeric characters required
password_min_special_chars | Minimum number of special characters required
password_min_age_days | Minimum password age in days before it can be changed
password_max_age_days | Maximum password age in days before it must be changed
password_max_retries | Maximum number of login attempts before account lockout
password_lockout_time_mins | Duration of account lockout in minutes after max retries
password_history | Number of previous passwords that cannot be reused
The following examples demonstrate common queries for analyzing Password Policy relationships and assignments based on Snowflake's two-level policy system.
Consider a Snowflake environment with the following Password Policies:
"SECURITY_DB.POLICIES.ADMIN_STRICT" - Strict policy for administrative users requiring 16+ character passwords with complex requirements
"SECURITY_DB.POLICIES.COMPANY_STANDARD" - Standard account-level policy for regular users with moderate security requirements
"SECURITY_DB.POLICIES.SERVICE_ACCOUNT" - Policy for service accounts with different complexity requirements
And the following user assignments:
ADMIN_USER: Has user-level assignment to "SECURITY_DB.POLICIES.ADMIN_STRICT"
ANALYST_USER: No user-level assignment (inherits account-level "SECURITY_DB.POLICIES.COMPANY_STANDARD")
ETL_SERVICE_USER: Has user-level assignment to "SECURITY_DB.POLICIES.SERVICE_ACCOUNT"
Query for users who have password security controls:
SHOW SnowflakeUser
RELATED TO SnowflakePasswordPolicy;
Results: All users with either user-level or account-level password policies
Query to find users with explicit user-level password policies (as opposed to inheriting account-level policies):
SHOW SnowflakeUser { username, email, is_active }
RELATED TO SnowflakePasswordPolicy
WHERE policy_name = 'SECURITY_DB.POLICIES.ADMIN_STRICT';
Results: Users assigned to the specified user-level password policy
Query to ensure all users have password policy assignments:
SHOW SnowflakeUser { username, email, created_at, is_active }
NOT RELATED TO SnowflakePasswordPolicy;
Results: Users without any password policy assignments (indicating potential security gaps)
Query to identify policies that may not meet security standards:
SHOW SnowflakePasswordPolicy
WHERE password_min_length < 12
OR password_max_age_days > 90
OR password_min_upper_case_chars = 0;
Results: Password policies that don't meet minimum security requirements
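The same standard can be checked directly against Snowflake's ACCOUNT_USAGE view, which is useful when validating that Veza's attribute values match the source. This is an added example, not part of the Veza docs: it uses the thresholds from the query above, excludes deleted policies, lists which checks each policy fails, and adds one caveat a plain "> 90" comparison misses: in Snowflake, PASSWORD_MAX_AGE_DAYS = 0 means the password never expires, so 0 has to be flagged separately.

```sql
-- Added example (not from the Veza docs): evaluate every live password policy
-- against the thresholds used above and list which checks each one fails.
-- Caveat: in Snowflake, PASSWORD_MAX_AGE_DAYS = 0 means "never expires", so a
-- plain "> 90" comparison would let the weakest possible setting pass.
select *
from (
    select
        database || '.' || schema || '.' || name as policy_name,
        password_min_length,
        password_max_age_days,
        password_min_upper_case_chars,
        -- ARRAY_CONSTRUCT_COMPACT drops the NULLs, leaving only the failed checks
        array_construct_compact(
            iff(password_min_length < 12,          'min_length_below_12',      null),
            iff(password_max_age_days > 90,        'max_age_above_90_days',    null),
            iff(password_max_age_days = 0,         'password_never_expires',   null),
            iff(password_min_upper_case_chars = 0, 'no_uppercase_requirement', null)
        ) as failed_checks
    from snowflake.account_usage.password_policies
    where deleted is null
)
where array_size(failed_checks) > 0
order by array_size(failed_checks) desc, policy_name;
```

The policy_name column is built as database.schema.name so that it matches the fully qualified form Veza shows (for example SECURITY_DB.POLICIES.ADMIN_STRICT), which makes it straightforward to compare this result set with the Veza query results.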