Tags enable data stewards to track sensitive data for compliance, discovery, protection, and resource usage use cases through either a centralized or decentralized data governance management approach.
What is a Tag?
A tag is a schema-level object that can be associated to another Snowflake object. A tag can be assigned an arbitrary string value upon associating the tag to a Snowflake object. Snowflake stores the tag and its string value as a key-value pair in the form key = 'value'.
In this example, cost_center = 'sales', cost_center is the tag and 'sales' is the string value. The tag must be unique for your schema and the tag value is always a string.
A single tag can be assigned to different object types at the same time (e.g. warehouse and table simultaneously). At the time of association to the Snowflake object, the tag string value can be duplicated or remain unique. For example, multiple tables can be assigned the cost_center tag and the tag can always have the string value be 'sales'. Alternatively, the string value could be different
'finance'). After defining the tags and assigning tags to Snowflake objects, tags can be
queried to track usage on the objects to facilitate data governance operations, such as tracking, auditing, and reporting.
Snowflake supports assigning tags to the following Snowflake objects and columns:
Because tags can be assigned to tables, views, and columns, setting a tag and then querying the tag enables the discovery of a multitude of database objects and columns that contain sensitive information. Upon discovery, data stewards can determine how best to make that data available, such as selective filtering using row access policies, or using masking policies to determine whether the data is tokenized, fully masked, partially masked, or unmasked.
Assigning tags to warehouses enables accurate resource usage tracking. Querying tags on resources allows for easy resource grouping by cost center or other organization units. Additionally, the tag can facilitate analyzing relatively short-term business activities, such as projects, to provide a more granular insight into what, when, and how resources were used.
Snowflake recommends defining the tag keys as closely as possible to the securable object hierarchy in your Snowflake environment. A tag is inherited based on the Snowflake securable object hierarchy.
Tag inheritance means that if a tag is applied to a table, the tag also applies to the columns in that table. This behavior is referred to as tag lineage.
The inherited tag can be overridden on a given object. If a table column inherits the tag cost_center = 'sales', the tag can be replaced with a more specific tag such as cost_center = 'sales_na', where na specifies the North America sales cost center.
Additionally, a new tag can be applied to the table column (e.g. classification = 'secret').
After defining the tag keys and assigning tags to Snowflake objects, track the tags, tag references, and tag lineage using the specified table functions or query the views as shown in Implementing Tags (in this topic).
- Ease of Use
Define a tag once and apply it to as many different objects as desirable.
- Tag Lineage
Since tags are inherited, applying the tag to objects higher in the securable objects hierarchy results in the tag being applied to all child objects. For example, if a tag is set on a table, the tag will be inherited by all columns in that table.
- Consistent Assignment with Replication
Snowflake replicates tags and their associations within the primary database to the secondary database.
For more information, see Replication (in this topic).
- Sensitive Data Tracking and Resource Usage
Tags simplify identifying sensitive data (e.g. PII, Secret) and bring visibility to Snowflake resource usage. With data and metadata in the same system, analysts can quickly determine which resources consume the most Snowflake credits based on the tag definition (e.g.
- Centralized or Decentralized Management
Tags support different management approaches to facilitate compliance with internal and external regulatory requirements.
In a centralized approach, the tag_admin custom role creates and applies tags to Snowflake objects.
In a decentralized approach, individual teams apply tags to Snowflake objects and the tag_admin custom role creates tags to ensure consistent tag naming.
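The centralized approach and the tag lineage behavior described above, worked through as an added example that is not taken from the Snowflake documentation. The governance.tags schema, the sales.public.orders table and its customer_email column are assumed names; tag_admin, cost_center and classification are the names used on this page.

```sql
-- Assumed objects (constructed for this example): schema governance.tags,
-- table sales.public.orders with a column customer_email.

-- Centralized approach: one custom role creates and applies every tag.
CREATE ROLE IF NOT EXISTS tag_admin;
GRANT USAGE ON DATABASE governance TO ROLE tag_admin;
GRANT USAGE ON SCHEMA governance.tags TO ROLE tag_admin;
GRANT CREATE TAG ON SCHEMA governance.tags TO ROLE tag_admin;
GRANT APPLY TAG ON ACCOUNT TO ROLE tag_admin;
-- tag_admin still needs USAGE on any database and schema it reads from
-- (sales and sales.public here) to run the lineage query further down.

USE ROLE tag_admin;

-- Tags are schema-level objects, so the key must be unique in its schema.
CREATE TAG IF NOT EXISTS governance.tags.cost_center;
CREATE TAG IF NOT EXISTS governance.tags.classification;

-- Set the tag on the table: every column inherits cost_center = 'sales'.
ALTER TABLE sales.public.orders
  SET TAG governance.tags.cost_center = 'sales';

-- Override the inherited value on one column and add a second tag to it.
ALTER TABLE sales.public.orders MODIFY COLUMN customer_email
  SET TAG governance.tags.cost_center = 'sales_na',
          governance.tags.classification = 'secret';

-- Tag lineage per column. LEVEL is the domain where the tag was set:
-- TABLE for the inherited 'sales', COLUMN for 'sales_na' and 'secret'.
SELECT column_name, tag_name, tag_value, level
FROM TABLE(
  sales.information_schema.tag_references_all_columns(
    'sales.public.orders', 'table'))
ORDER BY column_name, tag_name;

-- Discovery across the account: columns directly tagged as secret.
-- This view records direct tag assignments only (no lineage) and is
-- populated with some latency, so run it as a periodic audit query
-- under a role that can read the SNOWFLAKE database.
SELECT object_database, object_schema, object_name, column_name
FROM snowflake.account_usage.tag_references
WHERE tag_name = 'CLASSIFICATION'
  AND tag_value = 'secret'
  AND domain = 'COLUMN';
```

For the decentralized approach, keep CREATE TAG with tag_admin and grant APPLY on individual tags to team roles instead of granting APPLY TAG ON ACCOUNT.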