Feature policies¶
A feature policy controls which object types can be created in a given context. You can apply a feature policy to all native apps in an account, to a specific native app, or to all personal databases in an account.
Feature policies are schema-level objects. Before creating one, create a dedicated database and schema to store it.
For details on using feature policies with native apps, see Use feature policies to limit the objects an app can create.
For details on using feature policies with personal databases, see Use feature policies with personal databases.
Blockable object types¶
Account-level objects (native apps only)¶
When a native app is installed with automated granting of privileges, the app can receive privileges that let it create account-level objects such as warehouses, compute pools, and databases. Once granted, these privileges can’t be directly revoked by the consumer. A feature policy lets administrators prevent apps from exercising those privileges to create specific object types, without revoking the underlying privilege.
The following account-level object types can be blocked:
- COMPUTE_POOLS
- DATABASES
- WAREHOUSES
Note
Account-level object types have no effect when a feature policy is bound to personal databases. They apply only in a native app context.
Other blockable types¶
The following object types can be blocked in any context to which the policy is attached, whether that is native apps or personal databases:
- AGENTS
- APPLICATION_SERVICE
- ARTIFACT_REPOSITORY
- GIT_REPOSITORY
- MCP_SERVERS
- SCHEMA
- SECRET
- TASKS
- WORKSPACE
Privileges required to use feature policies¶
A role used to execute this operation must have the following privileges at a minimum:
| Privilege | Object | Notes |
|---|---|---|
| CREATE FEATURE POLICY | SCHEMA | Required to create a feature policy. This privilege must be granted on the schema containing the feature policy. |
| APPLY FEATURE POLICY | ACCOUNT | |
| APPLY or OWNERSHIP | FEATURE POLICY |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Create a feature policy¶
Use the CREATE FEATURE POLICY command to create a feature policy. The following example creates a policy that blocks task creation:
Note
Feature policies must be created within a schema.
You can also create a policy that doesn’t restrict any object types. This is useful for overriding a more general account-level policy on a specific app:
Apply a feature policy¶
To all native apps¶
To apply a feature policy to all native apps in the account, use the ALTER ACCOUNT command:
To replace an existing account-level policy without unsetting it first, use FORCE:
To unapply the policy from all native apps:
To a specific application¶
To apply a feature policy when installing an application, use the WITH FEATURE POLICY clause of
the CREATE APPLICATION command:
To apply a feature policy to an existing application, use the ALTER APPLICATION command:
To unapply the policy from a specific application:
A per-application policy overrides the account-level FOR ALL APPLICATIONS policy for that
application. See Feature policy precedence for details.
To all personal databases¶
To apply a feature policy to all personal databases in the account, use the
ALTER ACCOUNT command with ON ALL PERSONAL DATABASES:
To unapply the policy from all personal databases:
Note
The FOR ALL APPLICATIONS and ON ALL PERSONAL DATABASES bindings are independent. Setting or
unsetting one has no effect on the other.
Binding a feature policy to a specific personal database is not supported.
Feature policy precedence¶
Feature policies can be applied at the account level (covering all apps or all personal databases) or at the object level (a specific app). The most specific policy takes effect:
- Account:
Feature policies applied to an account are the most general. The
FOR ALL APPLICATIONSpolicy applies to every app unless a per-app policy overrides it. TheON ALL PERSONAL DATABASESpolicy applies to every personal database; there is no per-database override for personal databases.- Object:
A feature policy applied to a specific application overrides the account-level
FOR ALL APPLICATIONSpolicy for that application.
For example, an account-level policy can block database creation for all apps. A specific app can then have a separate policy with no restrictions, allowing that app to create databases while the restriction still applies to all other apps.
Delete a feature policy¶
Use the DROP FEATURE POLICY command:
A feature policy can’t be dropped if it’s currently applied to an object. Unapply it first using ALTER ACCOUNT or ALTER APPLICATION, then drop it.
View feature policies¶
To list the feature policies in the account that you have access to:
To list the feature policies applied to a specific application:
To view the details of a specific feature policy:
Identify feature policy references¶
The POLICY_REFERENCES Information Schema table function can identify feature policy references. There are two different syntax options:
-
Return a row for each object that has the specified feature policy assigned to it:
-
Return each feature policy assigned to the account:
Replication considerations¶
Feature policy references at the account level are replicated when the database containing the
policy is included in the replication group, for example by setting
ALLOWED_DATABASES = feature_policy_db.
If the account has already been replicated to a target account, do the following:
- Update the replication or failover group in the source account to include the databases and object types required to replicate the feature policy.
- Execute a refresh operation to update the target account.
Note
The feature policy must be in the same account as the account-level policy assignment.
If you don’t include the policy database in the replication group, Snowflake creates a dangling reference in the target account. The fully-qualified policy name points to the source account’s database, which doesn’t exist in the target account, so the policy isn’t enforced there.
For more information, see Replication considerations.