Use the Trust Center to set up sensitive data classification

Trust Center lets you set up sensitive data classification in the Snowsight user interface, so you don’t have to write any SQL code. After it is set up, sensitive data classification automatically identifies which data in a database is sensitive and needs to be protected.

Get started

Note

The following steps apply only to the first user who accesses the Data Security tab in the Trust Center. If you aren’t the first user and want to set up classification, see Set up classification with advanced settings.

To use a web interface to set up sensitive data classification, complete the following steps:

  1. Sign in to Snowsight as a user with the required privileges.

  2. In the navigation menu, select Governance & security » Trust Center.

  3. Select the Data Security tab.

  4. Select Get started.

  5. In the Set up auto-classification dialog, do the following:

    1. Select the databases that you want to classify.
    2. Specify whether you want to auto-apply tags instead of just recommending them. For more information about tags and categories, see Core concepts of sensitive data classification.
  6. Select Enable.

  7. Select Close.

Based on this default setup, sensitive data classification has the following behavior:

  • Reclassifies previously classified objects every 30 days.
  • Scans data for all native semantic categories.
  • Excludes views from classification.
  • Bases classification on a sample of up to 10,000 randomly selected rows per table.

When the classification process is complete, you are ready to view the results.

Set up classification with advanced settings

To set up sensitive data classification with advanced settings, complete the following steps:

  1. Sign in to Snowsight as a user with the required privileges.

  2. In the navigation menu, select Governance & security » Trust Center.

  3. Select the Data Security tab.

  4. Select Settings.

  5. Do one of the following:

    • If you’re fine-tuning existing classification settings, find the classification profile that contains the settings and select the more options menu (three vertical dots) » Edit. If the first person to set up classification chose the default settings during setup, the profile is Default Snowflake profile.
    • If you are creating a new classification profile so different databases can be classified with different settings, select Create New.
  6. Select the databases that you want to scan for sensitive data.

    If a database is greyed out, it’s associated with an existing classification profile and is already being classified. You’ll need to edit the existing classification profile to remove the database before you can classify it with the settings of a new profile.

  7. Select Next.

  8. If your account classifies sensitive data into custom categories, select the ones that you want to use.

  9. Select Next.

  10. If you don’t want tags automatically applied to columns containing sensitive data, deselect Auto-apply tags.

  11. If you want to apply a user-defined tag in addition to a system tag on matching columns, do the following:

    1. In the Tag to apply column, select the user-defined tag/value pair that you want applied to sensitive data.
    2. In the Detected semantic categories column, select values of the SNOWFLAKE.CORE.SEMANTIC_CATEGORY tag. These can be native and custom semantic categories.

    For example, if you select PII = CONFIDENTIAL as the user-defined tag/value pair in Tag to apply, and then select the NAME semantic category in Detected semantic categories, when Snowflake assigns the SNOWFLAKE.CORE.SEMANTIC_CATEGORY = NAME system tag to a column, it also applies the PII = CONFIDENTIAL tag.

  12. Select Next.

  13. Specify the database, schema, and name of the classification profile where all of your settings will be saved.

  14. Select the cadence at which previously classified objects are re-classified.

  15. Specify if you want to exclude certain objects from the classification process. For information about excluding specific objects, see Excluding data from sensitive data classification.

  16. Select Enable.

Review classification results

Only tables that need a manual decision appear in the review workflow. If Auto-apply tags is enabled on the classification profile, Snowflake applies system tags and any user-defined tags you configured, and those objects are marked as reviewed. If Auto-apply tags is not enabled, objects with recommended classifications and tags appear as needing review.

On the Trust Center Data Security tab, select the Dashboard tab. The Objects that need review tile shows how many tables still need you to accept or change recommendations. Open the review experience from that tile (or the equivalent control on the dashboard) to open the Review classification dialog. In the dialog you can:

  • Use Search tables and the Database filter to find tables. Switch between the Pending review and Selected tabs to work through tables that need action or tables you have marked for batch updates.
  • Select a table to inspect each column’s recommended CLASSIFICATION CATEGORY, TAGS (system and user-defined), and SAMPLE VALUES so you can confirm detections.
  • Change recommended categories, add or adjust user-defined tags, and remove recommendations you do not want to apply.
  • Select one or more tables, then select Save and apply tags to selected tables to apply your choices.

For high-level dashboard metrics, the full Sensitive objects list, and related tasks, see Use the Trust Center to view classification results.

Classify additional databases

You can classify additional databases with the same classification settings by editing an existing classification profile. To edit a classification profile:

  1. Sign in to Snowsight as a user with the required privileges.
  2. In the navigation menu, select Governance & security » Trust Center.
  3. Select the Data Security tab.
  4. Select Settings.
  5. Find the classification profile in the list and select the more options menu (three vertical dots) » Edit. If the first person to set up classification used the default settings, the classification profile is Default Snowflake profile.
  6. On the first page that appears, select the additional databases.
  7. Complete the setup.

Classification errors

When the classification process encounters errors for some objects, the Trust Center Dashboard tab shows a Classification errors tile with a count and warning indicator.

Select the Classification errors tile to open the Classification errors dialog. Use Search objects and the Database filter to narrow the list. The table lists each object, its database and schema, and the classification error message that explains why classification failed (for example data format issues, restrictions on secure objects, or SQL compilation errors for views). Select Close when you are finished.

For SQL examples that query the event table and other troubleshooting guidance, see Troubleshooting sensitive data classification.

Sensitive Data Entitlement report

The Sensitive Data Entitlement report lets you view who can access sensitive data in your account. The report generates a view that includes a list of users who have an access control role that gives them privileges to tables that contain sensitive data. It lists the table, the user, the role, and the privilege on the table.

Enable the Sensitive Data Entitlement report

To enable the Sensitive Data Entitlement report, complete the following steps:

  1. Sign in to Snowsight as a user with the required privileges.
  2. In the navigation menu, select Governance & security » Trust Center.
  3. Select the Data Security tab.
  4. Select Settings.
  5. In the Reporting section, locate Sensitive Data Entitlement report and select Enable.
  6. In the Enable sensitive data entitlement report dialog, select a Report Cadence from the dropdown menu. Options include Daily, Weekly, Monthly, and Quarterly.
  7. Select Enable report.

Note

Insights may take a couple of moments to populate after enabling the report.

After enabling the report, you can view the status, frequency, and last run time in the Reporting section of the Settings tab. You can also select Run now to generate a report immediately, or select Settings to change the report cadence.

Entitlement report view

When an entitlement report runs, it stores its results in the ENTITLEMENT_REPORT view, which is located in the SNOWFLAKE.DATA_SECURITY schema. The view displays one row for each privilege on a table containing sensitive data that has been granted to a user or role.

The view contains the following columns:

Column name      Data type        Description
RUN_ID           VARCHAR          UUID generated for each run of the entitlement report.
CREATED_TIME     TIMESTAMP_LTZ    Timestamp when the entitlement report was generated.
TABLE_ID         NUMBER           System-generated ID of the table.
TABLE_CATALOG    VARCHAR          Database that contains the table with sensitive data.
TABLE_SCHEMA     VARCHAR          Fully qualified name of the schema containing the table.
TABLE_NAME       VARCHAR          Fully qualified name of the table containing sensitive data.
USER_ID          NUMBER           System-generated ID of the user.
USER_NAME        VARCHAR          User who has privileges on the table.
ROLE_ID          NUMBER           System-generated ID of the role.
ROLE_NAME        VARCHAR          Name of the role that has privileges on the table.
PRIVILEGE        VARCHAR          Name of the access control privilege.

Access the Entitlement report

You can run queries against the ENTITLEMENT_REPORT view to learn who has access to tables with sensitive data and what privileges are providing that access.

For example, to return a list of users who have access to sensitive data along with the privileges they have on each table, run the following query:

SELECT DISTINCT
   user_name,
   table_catalog,
   table_schema,
   table_name,
   privilege
FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT
ORDER BY user_name, table_catalog, table_schema, table_name, privilege;

If you want to get a list of the entitlement reports that have been generated, run the following query:

SELECT DISTINCT run_id, created_time
FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT;
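Because the view keeps one row per privilege per run, reviewing it usefully means pinning the query to a single run and ranking the findings. The following queries are an added example, not from the Snowflake documentation; they assume the report has been enabled and has completed at least one run, and use only the view columns listed above.

```sql
-- Added example: scope the entitlement report to its most recent run.
-- Assumes SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT is populated.
WITH latest_run AS (
  SELECT run_id, created_time
  FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT
  WHERE created_time = (
    SELECT MAX(created_time)
    FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT
  )
  LIMIT 1
)
-- 1. Grants on sensitive tables that go beyond read access (anything other
--    than SELECT, for example INSERT, UPDATE, DELETE or OWNERSHIP), with the
--    role that carries the privilege so the grant can be traced and reviewed.
SELECT
  r.table_catalog,
  r.table_schema,
  r.table_name,
  r.privilege,
  r.role_name,
  r.user_name
FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT r
JOIN latest_run l
  ON r.run_id = l.run_id
WHERE r.privilege <> 'SELECT'
ORDER BY r.table_catalog, r.table_schema, r.table_name, r.privilege, r.user_name;

-- 2. Exposure per sensitive table in the same run: how many distinct users and
--    roles can reach each table, widest exposure first. Tables at the top are
--    the first candidates for tightening grants.
SELECT
  r.table_catalog,
  r.table_schema,
  r.table_name,
  COUNT(DISTINCT r.user_name) AS user_count,
  COUNT(DISTINCT r.role_name) AS role_count,
  MAX(r.created_time)         AS report_time
FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT r
WHERE r.run_id = (SELECT run_id FROM SNOWFLAKE.DATA_SECURITY.ENTITLEMENT_REPORT
                  ORDER BY created_time DESC LIMIT 1)
GROUP BY r.table_catalog, r.table_schema, r.table_name
ORDER BY user_count DESC, role_count DESC, r.table_name;
```

Comparing the second query's output across two runs (swap the subquery for a specific run_id) shows whether exposure is growing or shrinking between report cadences.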

Delete reports for a time range

To delete entitlement reports generated within a specific time range, call the DELETE_REPORT_DATA stored procedure. This procedure allows you to remove report data that was generated after a specified start timestamp and before a specified end timestamp.

You can use Snowflake functions like TO_TIMESTAMP_LTZ to specify the beginning and ending timestamps.

The following example deletes entitlement report data that was generated between January 1, 2025 and February 1, 2025:

CALL SNOWFLAKE.DATA_SECURITY.DELETE_REPORT_DATA(
  'entitlement_report',
  TO_TIMESTAMP_LTZ('2025-01-01'),
  TO_TIMESTAMP_LTZ('2025-02-01')
);

Next steps

After sensitive data classification is set up and running, use the Trust Center Data Security tab to monitor outcomes:

Access control requirements

Note

The DATA_SECURITY_* application roles alone are not sufficient to access the Trust Center Data Security tab. You must have the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role to use the Trust Center UI for classification. If your account previously relied on DATA_SECURITY_* roles, update your role grants accordingly.

Task: Set up classification for a database
Required privileges/roles:
  • One of the following:
    • SNOWFLAKE.TRUST_CENTER_VIEWER application role
    • SNOWFLAKE.TRUST_CENTER_ADMIN application role
  • EXECUTE AUTO CLASSIFICATION privilege on ACCOUNT
  • APPLY TAG privilege on ACCOUNT
  • USAGE on the database
Notes: More powerful privileges on the database meet this requirement.

Task: Review classification insights and classified objects
Required privileges/roles:
  • One of the following:
    • SNOWFLAKE.TRUST_CENTER_VIEWER application role
    • SNOWFLAKE.TRUST_CENTER_ADMIN application role

Task: Set up and generate an entitlement report
Required privileges/roles:
  • One of the following:
    • SNOWFLAKE.DATA_SECURITY_ADMIN application role
    • ACCOUNTADMIN role
Notes: The DATA_SECURITY_ADMIN role provides the ability to enable sensitive data reporting, configure and generate reports, and access the generated entitlement report.

Task: View an entitlement report
Required privileges/roles:
  • One of the following:
    • SNOWFLAKE.DATA_SECURITY_VIEWER application role
    • SNOWFLAKE.DATA_SECURITY_ADMIN application role
    • ACCOUNTADMIN role
Notes: The DATA_SECURITY_VIEWER role provides read-only access to the generated entitlement report.

Example: Allow a user to set up classification

To allow user mary to set up sensitive data classification and review classification findings, run the following commands:

USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_admin_role;

GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;
GRANT EXECUTE AUTO CLASSIFICATION ON ACCOUNT TO ROLE trust_center_admin_role;
GRANT APPLY TAG ON ACCOUNT TO ROLE trust_center_admin_role;
GRANT USAGE ON DATABASE mydb TO ROLE trust_center_admin_role;

GRANT ROLE trust_center_admin_role TO USER mary;

Example: Allow user to review classification findings

If you want user joe to be able to review classification findings, but not be able to set up classification, run the following commands:

USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_viewer_role;

GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

GRANT ROLE trust_center_viewer_role TO USER joe;

Example: Allow user to view an entitlement report

If you want user alex to be able to view an entitlement report, run the following commands:

USE ROLE ACCOUNTADMIN;

CREATE ROLE report_viewer;
GRANT APPLICATION ROLE SNOWFLAKE.DATA_SECURITY_VIEWER TO ROLE report_viewer;
GRANT ROLE report_viewer TO USER alex;