December 2022¶

The following new features, behavior changes, and updates (enhancements, fixes, etc.) have been introduced this month. If you have any questions about these additions, please contact Snowflake Support.

Important

Each release may include updates that require the web interface to be refreshed.

As a general practice, to ensure these updates do not impact your usage, we recommend refreshing the web interface after each Snowflake release has been deployed.

New Features¶

Access Control: Database Roles — Preview¶

With this release, we are pleased to announce preview support for database roles. Database roles are entities within a database to which privileges on securable objects in the same database can be granted and revoked. This feature is implemented via a new Snowflake object type, database role. Database roles are essentially the same as traditional roles created at the account level except for their scope. Privileges on any object in an account can be granted to account roles, but only privileges on objects within the same database can be granted to a database role.

Database roles are intended to satisfy the following use cases:

Ease of management	Database owners can independently manage access to securable objects within their own databases. Database owners can perform the following actions: Create and manage database roles. Grant privileges to database roles. Privileges on objects granted to the database roles must be scoped to objects contained in the database where the role exists. Privileges on objects in one database (e.g. tables or views) cannot be granted to database roles in another database. Any privilege, including OWNERSHIP, can be granted to database roles on objects in a database. Note that only an account role can hold the OWNERSHIP privilege on the database itself. Create or extend role hierarchies. Grant database roles to other database roles within the same database, and then grant the highest-level database roles in a database to account roles. For more information, refer to Database roles and role hierarchies. Note that granting a database role to an account role implicitly grants the USAGE privilege on the database that contains the database role. Granting the USAGE privilege on the database explicitly is not required.
Data Sharing	Data providers using Snowflake’s Secure Data Sharing feature can segment the securable objects in a share by creating multiple database roles in a database to share and granting privileges on a subset of the objects in the database to each database role. After creating a database from a share that includes database roles, data consumers grant each shared database role to one or more account-level roles in their own account. Without database roles, account administrators in data consumer accounts grant a single privilege, IMPORTED PRIVILEGES, to roles to allow their users to access all databases and database objects (tables, secure views, etc.) in a share. There is no option to allow different groups of users in a data consumer account to access a subset of the shared objects. This all or nothing approach requires data providers to create multiple shares to grant access to different objects in the same databases. Note Currently, database roles are not included in the replication of a primary database. As a result, cross-region data sharing is not supported when objects are granted to a share via database roles.

Ease of management

Database owners can independently manage access to securable objects within their own databases. Database owners can perform the following actions:

Create and manage database roles.
Grant privileges to database roles.

Privileges on objects granted to the database roles must be scoped to objects contained in the database where the role exists. Privileges on objects in one database (e.g. tables or views) cannot be granted to database roles in another database.

Any privilege, including OWNERSHIP, can be granted to database roles on objects in a database. Note that only an account role can hold the OWNERSHIP privilege on the database itself.
Create or extend role hierarchies. Grant database roles to other database roles within the same database, and then grant the highest-level database roles in a database to account roles. For more information, refer to Database roles and role hierarchies.

Note that granting a database role to an account role implicitly grants the USAGE privilege on the database that contains the database role. Granting the USAGE privilege on the database explicitly is not required.

Data Sharing

Data providers using Snowflake’s Secure Data Sharing feature can segment the securable objects in a share by creating multiple database roles in a database to share and granting privileges on a subset of the objects in the database to each database role.

After creating a database from a share that includes database roles, data consumers grant each shared database role to one or more account-level roles in their own account.

Without database roles, account administrators in data consumer accounts grant a single privilege, IMPORTED PRIVILEGES, to roles to allow their users to access all databases and database objects (tables, secure views, etc.) in a share. There is no option to allow different groups of users in a data consumer account to access a subset of the shared objects. This all or nothing approach requires data providers to create multiple shares to grant access to different objects in the same databases.

Note

Currently, database roles are not included in the replication of a primary database. As a result, cross-region data sharing is not supported when objects are granted to a share via database roles.

For details, refer to database roles.

Access Control: SNOWFLAKE Database Roles — Preview¶

With this release, we are pleased to announce preview support for SNOWFLAKE database roles. SNOWFLAKE database roles implement the concept of general database roles, but specifically for the SNOWFLAKE database. SNOWFLAKE database roles define a set of roles which can be used to provide fine grained access to the ACCOUNT_USAGE schema, READER_ACCOUNT_USAGE schema, ORGANIZATION_USAGE schema, DATA_SHARING_USAGE schema, and more.

SNOWFLAKE database roles will be rolled out to all accounts over the course of the week of December 12th, 2022. For more information refer to SNOWFLAKE database roles.

Snowflake Extension for Visual Studio Code — Preview¶

With this release, we are pleased to announce the preview of the Snowflake Extension for Visual Studio Code (VS Code). The Snowflake Extension for Visual Studio Code allows developers to access Snowflake from within the VS Code environment. The extension enables you to connect to Snowflake, write and execute sql queries, and view results without leaving VS Code. After sign-in, you’ll be able to see and change your active database, schema, role, and warehouse.

Snowflake Intellisence provides autocomplete support for database object names, built-in functions, and Snowflake SQL keywords. Using Intellisense, database, schema, and table name suggestions display as you type your query. Single or groups of queries can be executed, with results provided directly within VS Code itself.

For more information, refer to Snowflake Extension for Visual Studio Code.

Security Updates¶

Session Policies — Generally Available¶

With this release, Snowflake is pleased to announce the general availability of session policies. A session policy defines the idle session timeout period in minutes and provides the opportunity to override the default idle session timeout value of 4 hours. The idle session timeout refers to a period of inactivity with either the Snowflake web interface or client applications using Snowflake clients (e.g. SnowSQL, JDBC driver). When the idle session timeout period expires, users must re-authenticate to Snowflake.

The session policy can be set for an account or user and supports configurable idle timeout periods to address compliance requirements. If a user is associated with both an account and user-level session policy, the user-level session policy takes precedence.

This feature was announced in preview in November 2021. For more information, refer to Snowflake Sessions & Session Policies.

SQL Updates¶

New SQL Functions¶

The following function(s) were introduced in recent releases:

Function Category	New Function	Description
System Functions (Query), Table Functions	GET_QUERY_OPERATOR_STATS	Returns statistics about individual query operators within a query.

ALTER TAG Command: Add the FORCE Keyword to Replace a Masking Policy on a Tag in a Single Statement¶

Syntax	Keyword	Description
ALTER TAG <name> SET MASKING POLICY <masking_policy_name> [ FORCE ]	FORCE	Replaces a masking policy that is currently set on a tag with a different masking policy in a single statement. Note that using the FORCE keyword replaces the policy when a policy of the same data type is already set on the tag. If a masking policy is not currently set on the tag, specifying this keyword has no effect.

Syntax

Keyword

Description

ALTER TAG <name> SET MASKING POLICY <masking_policy_name> [ FORCE ]

FORCE

Replaces a masking policy that is currently set on a tag with a different masking policy in a single statement.

Note that using the FORCE keyword replaces the policy when a policy of the same data type is already set on the tag.

If a masking policy is not currently set on the tag, specifying this keyword has no effect.

Data Governance Updates¶

Replace a Masking Policy on a Tag in a Single Statement¶

With this release, Snowflake adds support to specify the FORCE keyword when replacing a masking policy that is currently set on a tag in a single statement with an ALTER TAG command. Prior to the FORCE keyword being available, replacing a masking policy on a tag required two separate statements:

Unset the existing policy.
Set the new policy.

Using the FORCE keyword removes the time interval between the UNSET and SET operations to ensure that column data remains protected while replacing a masking policy on a tag.

For details, refer to:

ALTER TAG Command: Add the FORCE Keyword to Replace a Masking Policy on a Tag in a Single Statement (in this topic)
Replace a masking policy on a tag (in the Snowflake documentation)

Documentation and Learning Resources¶

Table of Contents (TOC) Updates¶

To make it easier for developers to find content, we’ve introduced the following TOC changes:

Top-level Entry	Second-level Entry	Third-level Entry	Change
Developing Applications with Snowflake	Introduction to Developing Applications in Snowflake		Removed.
	Overview of Connectors, Drivers, and Client APIs		Removed.
	UDFs		Moved to: Application and Extension Development » Extending Snowflake with Functions and Procedures
	Snowpark		Moved to: Snowpark API
	External Functions		Moved to: Application and Extension Development » Extending Snowflake with Functions and Procedures
	Stored Procedures		Moved to: Application and Extension Development » Extending Snowflake with Functions and Procedures
	Protecting Sensitive Information with Secure UDFs and Stored Procedures		Moved to: Application and Extension Development » Extending Snowflake with Functions and Procedures » Design Guidelines and Constraints for Functions and Procedures
	Pushdown Optimization and Data Visibility		Moved to: Application and Extension Development » Extending Snowflake with Functions and Procedures » Design Guidelines and Constraints for Functions and Procedures
	Snowflake Scripting		Moved to: Snowflake Scripting Developer Guide
Connecting to Snowflake	Connectors & Drivers	Snowflake Connector for Kafka	Moved to: Application and Extension Development » Using Snowflake with Kafka and Spark
		Snowflake Connector for Spark	Moved to: Application and Extension Development » Using Snowflake with Kafka and Spark
		Snowflake Connector for Python	Moved to: Application and Extension Development » Drivers
		Node.js Driver	Moved to: Application and Extension Development » Drivers
		Go Snowflake Driver	Moved to: Application and Extension Development » Drivers
		.NET Driver	Moved to: Application and Extension Development » Drivers
		JDBC Driver	Moved to: Application and Extension Development » Drivers
		ODBC Driver	Moved to: Application and Extension Development » Drivers
		PHP PDO Driver for Snowflake	Moved to: Application and Extension Development » Drivers
		Snowflake SQL API	Moved to: Snowflake SQL API