Use feature policies to limit the objects an app can create¶
This topic describes how to use feature policies to limit the objects that a Snowflake Native App can create.
About feature policies¶
If an app is configured to use automated granting of privileges, the app can request to use the following privileges:
EXECUTE TASK
EXECUTE MANAGED TASK
CREATE WAREHOUSE
CREATE COMPUTE POOL
BIND SERVICE ENDPOINT
CREATE DATABASE
CREATE EXTERNAL ACCESS INTEGRATION
The consumer cannot revoke these privileges after the app is installed. However, feature policies allow consumers to limit the objects an app can create.
For example, if you do not want an app to create warehouses or compute pools, a consumer account administrator can create a feature policy that prohibits a particular app or all apps from creating warehouses or compute pools.
Feature policies allow consumers to restrict an app from creating or using the following objects:
COMPUTE POOLS
DATABASES
TASKS
WAREHOUSES
Note
External access integrations can’t be blocked using feature policies. Instead, consumers can choose to approve the endpoints for an app using app specifications.
Limitations¶
Feature policies are not supported on databases, schemas, or any objects within them that use replication. Feature policies are skipped for any object that is part of a replication group.
Workflow¶
The general workflow of using feature policies to limit the objects a app can create is:
View the listing for the app to determine the privileges the app is requesting.
If there are any objects you want to restrict, create a feature policy to block these objects.
For more information, see Create a new feature policy.
Apply the feature policy to the account or to a specific object.
For more information, see Assign a feature policy at the account level and Apply a feature policy to an app.
Feature policy precedence¶
Consumers can apply a feature policy to all applications in an account or a specified application. If there are feature policies applied to more than one of these, the most specific feature policy overrides more general feature policies. The following summarizes the order of precedence:
- Account:
Feature policies applied to an account are the most general feature policies. They are overridden by feature policies applied to a specific object, for example, an application
- Object:
Feature policies applied to a specific object override feature policies applied to the account.
Consumers can use this precedence to fine-tune the objects an app can create in their account. For example, a consumer can apply an account-level feature policy that prohibits all apps in the account from creating a database. If an app tries to create a database during installation, the installation fails.
However, consumers can also create a feature policy with no restrictions and apply tha feature policy to a specific app. That app would be allowed to create a database.
For more information, see Create a new feature policy.
Privileges required to use feature policies¶
The following table describes the privileges require to create and use feature policies:
Privilege |
Object |
Notes |
|---|---|---|
CREATE FEATURE POLICY |
SCHEMA |
Required to create a feature policy. This privilege must be granted on the schema containing the feature policy. |
APPLY FEATURE POLICY |
ACCOUNT |
|
APPLY or OWNERSHIP |
FEATURE POLICY |
Working with feature policies¶
Consumers can use Snowsight or SQL to manage the lifecycle of a feature policy.
Create a new feature policy¶
Consumers can create feature policies to prohibit an app from creating certain types of objects. The following example shows how to create a feature policy to prohibit an app from creating a database:
CREATE DATABASE feature_policy_db;
CREATE SCHEMA sch;
CREATE FEATURE POLICY block_create_db_policy
BLOCKED_OBJECT_TYPES_FOR_CREATION = (DATABASE);
Note
Feature policies must be created in a schema.
Consumers can also create a feature policy that doesn’t restrict creating objects, as shown in the following example:
CREATE FEATURE POLICY block_nothing_policy
BLOCKED_OBJECT_TYPES_FOR_CREATION = ();
Assign a feature policy at the account level¶
Consumers can apply a feature policy at the account level by using the ALTER ACCOUNT command, as shown in the following example:
ALTER ACCOUNT
SET FEATURE POLICY feature_policy_db.sch.block_create_db_policy
FOR ALL APPLICATIONS;
This command applies the block_create_db_policy policy for any app that is installed
in the account. After applying this policy, apps can no longer create databases.
Apply a feature policy to an app¶
To apply a feature policy when creating an app manually, use the WITH FEATURE POLICY clauase of the CREATE APPLICATION command, as shown in the following example:
CREATE APPLICATION hello_snowflake_app
WITH FEATURE POLICY = feature_policy_db.block_create_db_policy;
To app a feature policy to an app, use the ALTER APPLICATION command, as shown in the following example:
ALTER APPLICATION hello_snowflake_app
SET FEATURE POLICY feature_policy_db.block_create_db_policy;
Unapply a feature policy¶
To unapply a feature policy at the account level, use the ALTER ACCOUNT command, as shown in the following example:
ALTER ACCOUNT UNSET FEATURE POLICY FOR ALL APPLICATIONS;
To unapply a feature policy for a specific app, use the ALTER APPLICATION command, as shown in the following example:
ALTER APPLICATION FEATURE_POLICY_TEST_APP UNSET FEATURE POLICY;
Delete a feature policy¶
To delete a feature policy, use the DROP FEATURE POLICY command, as shown in the following example:
DROP FEATURE POLICY block_create_db_policy;
View information about feature policies¶
To view the feature policies in an account for which you have access privileges, use the SHOW FEATURE POLICIES command:
SHOW FEATURE POLICIES ON ACCOUNT;
To view the feature policies applied to an app, use the following command:
SHOW FEATURE POLICIES ON APPLICATION hello_snowflake_app;
To see information about a specific feature policy, use the DESCRIBE FEATURE POLICY, as shown in the following example:
DESCRIBE FEATURE POLICY feature_policy_db.block_create_db_policy;