SNOWFLAKE: Security — Manage download / unload data

Security is one of the main headaches for IT and data architects on every data platform, especially considering the latest security breaches. The impact of a security breach is bigger than ever, and it is not only reputational: we have seen that your clients' trust directly affects your business and finances.

All data platforms are working hard on this, but here we will see how, in Snowflake, you can prevent users from downloading information directly to their local machine or to specific internal/external data storage. There are basically two methods:

  • Disable data download from Snowsight — disabling the local download option
  • Security management for unloading data to cloud data storage

Disabling download option

Here we can see that the user can see sensitive data and has the option to download that data:

Our objective is to disable that button!

The bundle:

We will review our bundle; it has to be set to 2025_01:

SELECT SYSTEM$SHOW_ACTIVE_BEHAVIOR_CHANGE_BUNDLES();

In case you are not on this bundle, you can change it like this:

SELECT SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_01');

Once we have confirmed the correct bundle, we are going to disable this option. Currently, we can disable it ONLY at ACCOUNT level, so you will have to take that into consideration.

Bear in mind that some changes are sometimes not reflected in the bundles (because there are too many of them); for more about it, check here.

Disabling the button

A new parameter has recently been published that can be set at ACCOUNT and USER level.

We are going to review how it is currently set up:

show parameters like '%DISABLE_UI_DOWNLOAD_BUTTON%' in account;

So we are going to disable it by executing the command below:

ALTER ACCOUNT <your_account> SET DISABLE_UI_DOWNLOAD_BUTTON = TRUE;

To find out your current account, you can run the following:

select current_account();

So we can see how it has been disabled:

We will check that it has been correctly disabled:

If you only want to apply it to a specific USER, do not set it at ACCOUNT level, and apply the same methodology.

But you have to use the command below:

ALTER USER <your_user> SET DISABLE_UI_DOWNLOAD_BUTTON = TRUE;

Ensuring the changes apply to everyone, by the way

For the change to take effect, you have to log out and log in again. But if you need to be sure that it applies to your whole company, you should create a session policy for your account that restricts how long a session can stay alive. This is another very important measure to take into consideration, and I cover it in more detail in the article below. If you

An example of creating a session policy could be this:

-- create session policy
CREATE SESSION POLICY mydb.policies.session_policy_prod_1
SESSION_UI_IDLE_TIMEOUT_MINS = 30
COMMENT = 'session policy for use in the prod_1 environment for UI'
;
--apply session policy
ALTER ACCOUNT SET SESSION POLICY mydb.policies.session_policy_prod_1;

Now we can be sure that the changes will apply after 30 minutes of inactivity or after a logout.

In this case, I will log out and log in again, and check whether the button is available:

Now you can see that the Download button has been disabled and is not visible.

Take into consideration that Account parameters can be set only at the account level by users with the appropriate administrator role.

Security management for unloading data to cloud data storage

The objective here is to prevent anyone from unloading bulk data to any target, whatever it is: an internal/external stage or directly to a cloud location.

So these will be our objectives:

1- We will force everyone to use a storage integration (SI) to unload data, so you cannot do it directly without using an SI.

2- We will restrict who can create/manage storage integrations; this prevents anyone from creating their own SI and using it to unload data.

So let's see which parameters are involved in this security capability:

-- PARAMETERS to FORCE the usage storage integration
show parameters like '%REQUIRE%' in account;
-- PARAMETERS to PREVENT unload directly to stages/locations
show parameters like '%PREVENT_UNLOAD%' in account;

Again, we are going to change those parameters on the ACCOUNT we want to restrict:

ALTER ACCOUNT NVB26030 SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = true;
ALTER ACCOUNT NVB26030 SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = true;
ALTER ACCOUNT NVB26030 SET PREVENT_UNLOAD_TO_INLINE_URL = true;
ALTER ACCOUNT NVB26030 SET PREVENT_UNLOAD_TO_INTERNAL_STAGES = TRUE;

Based on the current bundle 2025_01, these parameters can be set at USER level as well, once that has been implemented.

An example of being unable to perform restricted actions
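To confirm in one pass that every control from this article is actually in force, the audit below can be run. It is an added example, not part of the original article; it assumes a role allowed to run SHOW PARAMETERS at account level, and <your_user> is a placeholder.

```sql
-- Added example: audit the account parameters discussed in this article.
-- SHOW PARAMETERS returns lowercase column names, so they must be quoted.
SHOW PARAMETERS IN ACCOUNT;

-- Must run immediately after the SHOW above, in the same session.
SELECT "key",
       "value",
       "default",
       -- "level" is empty when the parameter was never set explicitly
       COALESCE(NULLIF("level", ''), 'DEFAULT (not set)') AS set_at,
       IFF(UPPER("value") = 'TRUE', 'OK', 'NOT ENFORCED')  AS status
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "key" IN (
        'DISABLE_UI_DOWNLOAD_BUTTON',
        'REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION',
        'REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION',
        'PREVENT_UNLOAD_TO_INLINE_URL',
        'PREVENT_UNLOAD_TO_INTERNAL_STAGES')
ORDER BY status, "key";

-- Check the effective value of the download button for one user.
SHOW PARAMETERS LIKE 'DISABLE_UI_DOWNLOAD_BUTTON' IN USER <your_user>;
```

Any row with status NOT ENFORCED means the corresponding restriction is still at its permissive value.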

Unload to stages:

Creating external stages:

Unable to unload directly to locations (without using a storage integration):

So, right now you can perform the previous actions only as long as you use storage integrations. To do this, grant the RBAC privileges correctly to the appropriate roles. This is not covered in this article, but if you are interested in having it included, clap for this article and let me know and I will do it.
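Once the restrictions are in place, unload attempts are still worth reviewing. The query below is an added example, not part of the original article: it lists recent unload statements and whether they succeeded, and it assumes access to the SNOWFLAKE.ACCOUNT_USAGE share and a 7-day window chosen for illustration.

```sql
-- Added example: review unload attempts over the last 7 days.
-- ACCOUNT_USAGE.QUERY_HISTORY can lag real time by up to 45 minutes.
SELECT start_time,
       user_name,
       role_name,
       execution_status,          -- e.g. SUCCESS or FAIL
       error_message,             -- populated when the statement was rejected
       LEFT(query_text, 200) AS query_snippet
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND (
        query_type = 'UNLOAD'
        -- Text match as a fallback for statements that failed early.
        -- Assumes single spaces between keywords in the statement.
     OR LTRIM(query_text) ILIKE ANY (
            'copy into @%',
            'copy into ''s3://%',
            'copy into ''gcs://%',
            'copy into ''azure://%')
      )
ORDER BY start_time DESC;
```

Failed rows show users hitting the new restrictions; successful rows should all go through a stage backed by a storage integration.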

Conclusions

As we have seen, you can add security capabilities and restrict the exfiltration of data, and not only through programmatic methods, so you can feel comfortable allowing the Snowsight UI in order to visualize data and provide self-service for a wide range of people. This will make your data more usable, so it will open up new use cases for your data platform. Unfortunately, there are still some best practices you need to apply in order to avoid information being taken, such as preventing photos of your computer screen while you are visualizing data, not leaving your computer unattended with an open session, etc.

In addition, there are other security capabilities that Snowflake provides, and you have to take them into consideration to make your data safer than ever. Check my other security articles here on Medium.

About me

As a Subject Matter Expert on different Data Technologies, with 20+ years of experience in Data Adventures, I lead and advise teams to get the best approaches and apply best practices.

I am a Snowflake DataHero 2025, Snowflake Architect, Snowflake Spotlight Squad Team Member 2024 and Snowflake Barcelona User Group — Chapter.

As a Data Vault Certified Practitioner, I have been leading Data Vault Architectures using Metadata Driven methodologies.

If you want to know more in detail about the aspects seen here, or other ones, you can follow me here on Medium || LinkedIn here.
