addRowAccessPolicyOnTable

Adds a row access policy to a table in Snowflake. The policy arguments must map to specific table columns to filter row-level access based on the policy expression.

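Note: Automatic rollback drops the policy from the table. Once the policy is dropped, its row filter no longer applies, so the rows a user can see are determined by table privileges alone until a policy is added again.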

Known limitation: This change type does not support database inspection features (snapshot, diff, diff-changelog, and generate-changelog commands).

Available attributes

Attribute

Type

Description

Required

tableCatalogName

String

Name of the catalog (database) containing the table

No

tableSchemaName

String

Name of the schema containing the table

No

tableName

String

Name of the table to apply the policy to

Yes

policyCatalogName

String

Name of the catalog containing the policy (cross-schema)

No

policySchemaName

String

Name of the schema containing the policy (cross-schema)

No

policyName

String

Name of the row access policy to apply

Yes

rowAccessPolicyColumns

Nested

Wrapper for columns that map to policy arguments

Yes

column attributes (nested in rowAccessPolicyColumns)

Attribute

Type

Description

Required

columnName

String

Name of the table column to map to a policy argument

Yes

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example changelog: attaching Snowflake row access policies to tables with
  addRowAccessPolicyOnTable. Each changeSet names a table, a policy, and the
  table columns that are mapped to the policy's arguments.
  Automatic rollback of these changeSets drops the policy from the table.
-->
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
                   xmlns:pro-snowflake="http://www.liquibase.org/xml/ns/pro-snowflake"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd
        http://www.liquibase.org/xml/ns/pro-snowflake
        http://www.liquibase.org/xml/ns/pro-snowflake/liquibase-pro-snowflake-latest.xsd">

  <!-- Single mapped column: tenant_id is the only column handed to
       TENANT_ISOLATION_POLICY on the EMPLOYEES table. -->
  <changeSet id="add-policy-single-column" author="examples">
    <pro-snowflake:addRowAccessPolicyOnTable tableName="EMPLOYEES"
                                             policyName="TENANT_ISOLATION_POLICY">
      <pro-snowflake:rowAccessPolicyColumns>
        <pro-snowflake:column columnName="tenant_id"/>
      </pro-snowflake:rowAccessPolicyColumns>
    </pro-snowflake:addRowAccessPolicyOnTable>
  </changeSet>

  <!-- Several mapped columns: department_id and access_level are both
       handed to DEPARTMENT_ACCESS_POLICY on SALES_DATA.
       NOTE(review): presumably the column order here must match the order
       of the policy's arguments; confirm against the policy definition. -->
  <changeSet id="add-policy-multiple-columns" author="examples">
    <pro-snowflake:addRowAccessPolicyOnTable tableName="SALES_DATA"
                                             policyName="DEPARTMENT_ACCESS_POLICY">
      <pro-snowflake:rowAccessPolicyColumns>
        <pro-snowflake:column columnName="department_id"/>
        <pro-snowflake:column columnName="access_level"/>
      </pro-snowflake:rowAccessPolicyColumns>
    </pro-snowflake:addRowAccessPolicyOnTable>
  </changeSet>

  <!-- Policy kept in another schema: policySchemaName points at the
       SECURITY schema that contains FINANCE_ACCESS_POLICY, while the
       table itself is named without a tableSchemaName. -->
  <changeSet id="add-policy-cross-schema" author="examples">
    <pro-snowflake:addRowAccessPolicyOnTable tableName="FINANCIAL_RECORDS"
                                             policySchemaName="SECURITY"
                                             policyName="FINANCE_ACCESS_POLICY">
      <pro-snowflake:rowAccessPolicyColumns>
        <pro-snowflake:column columnName="user_id"/>
      </pro-snowflake:rowAccessPolicyColumns>
    </pro-snowflake:addRowAccessPolicyOnTable>
  </changeSet>

</databaseChangeLog>