Enabling Sharing from a Business Critical Account to a non-Business Critical Account

By default, Snowflake does not allow sharing data from a Business Critical to a non-Business Critical account. For more information, see Data Sharing and Business Critical Accounts.

Snowflake provides the OVERRIDE SHARE RESTRICTIONS global privilege which is granted to the ACCOUNTADMIN role by default.

The OVERRIDE SHARE RESTRICTIONS global privilege can be granted to other roles (system-defined or custom). Then, users with the role can enable/disable the SHARE_RESTRICTIONS parameter for their provider account.

When the parameter is disabled, a Business Critical provider account can add a consumer account (with Non-Business Critical edition) to a share.

Attention

Snowflake is not responsible for ensuring that HIPAA (and HITRUST) accounts who engage in data sharing have a signed BAA with each other; this is at the discretion of the accounts that are sharing data. Note that failure to have a signed BAA may impact the HIPAA (and HITRUST) compliance of both accounts, particularly the provider account.

Also, if you have Business Critical account, to maintain the expected level of data protection provided by Business Critical, we strongly recommend considering the following before requesting Snowflake to enable Secure Data Sharing with non-Business Critical accounts:

  • Do not share sensitive data with non-Business Critical accounts.

  • Consider creating a second, non-Business Critical account where you store less sensitive data and share this data with non-Business Critical accounts.

  • If you are using Tri-Secret Secure with your Business Critical account and you share data with other accounts, Snowflake treats the data access from these accounts as if the access occurred from within your own account. Specifically, granting access to the consumer account may require Snowflake to access your AWS KMS.

These are only recommendations and are not enforced by Snowflake. The decision to share data is always at the discretion of the data provider and Snowflake does not assume any responsibility for data that is improperly shared.

In this Topic:

Considerations

  • The privilege can be granted by users with the ACCOUNTADMIN role.

  • The OVERRIDE SHARE RESTRICTIONS privilege cannot be regranted.

  • You must set the SHARE_RESTRICTIONS parameter each time you are adding a new non-Business Critical consumer account to the share belonging to a Business Critical provider.

Granting the OVERRIDE SHARE RESTRICTIONS Privilege to Another Role

To grant OVERRIDE SHARE RESTRICTIONS to a role, use the ACCOUNTADMIN role and the GRANT <privileges> … TO ROLE command.

Syntax:

GRANT OVERRIDE SHARE RESTRICTIONS ON ACCOUNT TO ROLE <role_name>

Where:

<role_name> is the role to which the privilege is granted.

For example:

-- grant the privilege to the SYSADMIN role
use role accountadmin;
grant override share restrictions on account to role sysadmin;

-- SYSADMIN can now add a consumer account to a share with the SHARE_RESTRICTIONS parameter set to false
use role sysadmin;
alter share <share_name> add accounts = <consumer_account_name> SHARE_RESTRICTIONS=false;