Use the Trust Center to set up sensitive data classification¶

Get started¶

To use a web interface to set up sensitive data classification, complete the following steps:

1. Sign in to Snowsight as a user with the required privileges.

2. In the navigation menu, select Governance & security » Trust Center.

3. Select the Data Security tab.

4. Select Get started.

5. In the Set up auto-classification dialog, do the following:

   1. Select the databases that you want to classify.

   2. Specify whether you want to auto-apply tags instead of just recommending them. For more information about tags and categories, see Core concepts of sensitive data classification.

6. Select Enable.

7. Select Close.

Based on this default set up, sensitive data classification has the following behavior:

• Reclassifies previously classified objects every 30 days.

• Scans data for all native semantic categories.

• Excludes views from classification.

• Bases classification on a sample of up to 10,000 randomly selected rows per table.

When the classification process is complete, you are ready to view the results.

Set up classification with advanced settings¶

To set up sensitive data classification with advanced settings, complete the following steps:

1. Sign in to Snowsight as a user with the required privileges.

2. In the navigation menu, select Governance & security » Trust Center.

3. Select the Data Security tab.

4. Select Settings.

5. Do one of the following:

   • If you’re fine-tuning existing classification settings, find the classification profile that contains the settings and select » Edit. If the first person to set up classification chose the default settings during setup, the profile is Default Snowflake profile.

   • If you are creating a new classification profile so different databases can be classified with different settings, select Create New.

6. Select the databases that you want to scan for sensitive data.

   If a database is greyed out, it’s associated with an existing classification profile and is already being classified. You’ll need to edit the existing classification profile to remove the database before you can classify it with the settings of a new profile.

7. Select Next.

8. If your account classifies sensitive data into custom categories, select the ones that you want to use.

9. Select Next.

10. If you don’t want tags automatically applied to columns containing sensitive data, deselect Auto-apply tags.

11. If you want to apply a user-defined tag in addition to a system tag on matching columns, do the following:

    1. In the Tag to apply column, select the user-defined tag/value pair that you want applied to sensitive data.

    2. In the Detected semantic categories column, select values of the SNOWFLAKE.CORE.SEMANTIC_CATEGORY tag. These can be native and custom semantic categories.

    For example, if you select PII = CONFIDENTIAL as the user-defined tag/value pair in Tag to apply, and then select the NAME semantic category in Detected semantic categories, when Snowflake assigns the SNOWFLAKE.CORE.SEMANTIC_CATEGORY = NAME system tag to a column, it also applies the PII = CONFIDENTIAL tag.

12. Select Next.

13. Specify the database, schema, and name of the classification profile where all of your settings will be saved.

14. Select the cadence at which previously classified objects are re-classified.

15. Specify if you want to exclude certain objects from the classification process. For information about excluding specific objects, see Excluding data from sensitive data classification.

16. Select Enable.

Review classification results¶

Only tables that need a manual decision appear in the review workflow. If Auto-apply tags is enabled on the classification profile, Snowflake applies system tags and any user-defined tags you configured, and those objects are marked as reviewed. If Auto-apply tags is not enabled, objects with recommended classifications and tags appear as needing review.

On the Trust Center Data Security tab, select the Dashboard tab. The Objects that need review tile shows how many tables still need you to accept or change recommendations. Open the review experience from that tile (or the equivalent control on the dashboard) to open the Review classification dialog. In the dialog you can:

• Use Search tables and the Database filter to find tables. Switch between the Pending review and Selected tabs to work through tables that need action or tables you have marked for batch updates.

• Select a table to inspect each column’s recommended CLASSIFICATION CATEGORY, TAGS (system and user-defined), and SAMPLE VALUES so you can confirm detections.

• Change recommended categories, add or adjust user-defined tags, and remove recommendations you do not want to apply.

• Select one or more tables, then select Save and apply tags to selected tables to apply your choices.

For high-level dashboard metrics, the full Sensitive objects list, and related tasks, see Use the Trust Center to view classification results.

Classify additional databases¶

You can classify additional databases with the same classification settings by editing an existing classification profile. To edit a classification profile:

1. Sign in to Snowsight as a user with the required privileges.

2. In the navigation menu, select Governance & security » Trust Center.

3. Select the Data Security tab.

4. Select Settings.

5. Find the classification profile in the list and select » Edit. If the first person to set up classification used the default settings, the classification profile is Default Snowflake profile.

6. On the first page that appears, select the additional databases.

7. Complete the setup.

Classification errors¶

When the classification process encounters errors for some objects, the Trust Center Dashboard tab shows a Classification errors tile with a count and warning indicator.

Select the Classification errors tile to open the Classification errors dialog. Use Search objects and the Database filter to narrow the list. The table lists each object, its database and schema, and the classification error message that explains why classification failed (for example data format issues, restrictions on secure objects, or SQL compilation errors for views). Select Close when you are finished.

For SQL examples that query the event table and other troubleshooting guidance, see Troubleshooting sensitive data classification.

Next steps¶

After sensitive data classification is set up and running, use the Trust Center Data Security tab to monitor outcomes:

• Review classification results and apply tags using the Dashboard tab and Objects that need review.

• Inspect classification errors using the Classification errors tile.

• For additional dashboards, the Sensitive objects list, and column detail, see Use the Trust Center to view classification results.

Access control requirements¶

Example: Allow a user to set up classification

To allow user mary to set up sensitive data classification and review classification findings, run the following commands:

USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_admin_role;

GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;
GRANT EXECUTE AUTO CLASSIFICATION ON ACCOUNT TO ROLE trust_center_admin_role;
GRANT APPLY TAG ON ACCOUNT TO ROLE trust_center_admin_role;
GRANT USAGE ON DATABASE mydb TO ROLE trust_center_admin_role;

GRANT ROLE trust_center_admin_role TO USER mary;

Example: Allow user to review classification findings

If you want user joe to be able to review classification findings, but not be able to set up classification, run the following commands:

USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_viewer_role;

GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

GRANT ROLE trust_center_viewer_role TO USER joe;