Enabling sharing from a Business critical account to a non-business critical account¶
By default, Snowflake does not allow sharing data from a Business Critical to a non-Business Critical account. For more information, see Data sharing and Business critical accounts.
Snowflake provides the OVERRIDE SHARE RESTRICTIONS global privilege which is granted to the ACCOUNTADMIN role by default.
The OVERRIDE SHARE RESTRICTIONS global privilege can be granted to other roles (system-defined or custom). Then, users with the role can enable/disable the SHARE_RESTRICTIONS parameter for their provider account.
When the parameter is disabled, a Business Critical provider account can add a consumer account (with Non-Business Critical edition) to a share.
Snowflake is not responsible for ensuring that HIPAA (and HITRUST) accounts who engage in data sharing have a signed BAA with each other; this is at the discretion of the accounts that are sharing data. Note that failure to have a signed BAA may impact the HIPAA (and HITRUST) compliance of both accounts, particularly the provider account.
Also, if you have Business Critical account, to maintain the expected level of data protection provided by Business Critical, we strongly recommend considering the following before requesting Snowflake to enable Secure Data Sharing with non-Business Critical accounts:
Do not share sensitive data with non-Business Critical accounts.
Consider creating a second, non-Business Critical account where you store less sensitive data and share this data with non-Business Critical accounts.
If you are using Tri-Secret Secure with your Business Critical account and you share data with other accounts, Snowflake treats the data access from these accounts as if the access occurred from within your own account. Specifically, granting access to the consumer account may require Snowflake to access your AWS KMS.
These are only recommendations and are not enforced by Snowflake. The decision to share data is always at the discretion of the data provider and Snowflake does not assume any responsibility for data that is improperly shared.
The privilege can be granted by users with the ACCOUNTADMIN role.
The OVERRIDE SHARE RESTRICTIONS privilege cannot be regranted.
You must set the SHARE_RESTRICTIONS parameter each time you are adding a new non-Business Critical consumer account to the share belonging to a Business Critical provider.