createRowAccessPolicy

Creates a new row access policy in Snowflake. Row access policies control which rows can be accessed based on the policy expression and arguments mapped to table columns.

This change type supports automatic rollback, which will generate a dropRowAccessPolicy change.

Note: This change type does not support database inspection features (snapshot, diff, diff-changelog, and generate-changelog commands).

Available Attributes

Attribute	Type	Description	Required
`catalogName`	String	Name of the catalog (database) where the policy will be created	No
`schemaName`	String	Name of the schema where the policy will be created	No
`policyName`	String	Name of the row access policy to create	Yes
`replaceIfExists`	Boolean	If true, replaces the policy if it already exists using `OR REPLACE`. Only one of `replaceIfExists` or `ifNotExists` can be set to `true` (they are mutually exclusive).	No*
`ifNotExists`	Boolean	If true, only creates the policy if it doesn't already exist using `IF NOT EXISTS`. Only one of `replaceIfExists` or `ifNotExists` can be set to `true` (they are mutually exclusive).	No*
`comment`	String	Descriptive comment for the policy	No
`policyArguments`	MapWrapper	Key-value pairs defining policy arguments (name -> data type). At least one argument required. Each policy argument must have a non-empty name and data type.	Yes
`policyBody`	String	Boolean expression that determines row access using the policy arguments	Yes

<?xml version="1.0" encoding="UTF-8"?>
<databaseChangeLog
  xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
  xmlns:pro-snowflake="http://www.liquibase.org/xml/ns/pro-snowflake"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd
        http://www.liquibase.org/xml/ns/pro-snowflake
        http://www.liquibase.org/xml/ns/pro-snowflake/liquibase-pro-snowflake-latest.xsd">
  <!-- Basic policy -->
  <changeSet id="create-row-access-policy-basic" author="examples">
    <pro-snowflake:createRowAccessPolicy policyName="ADMIN_ONLY_POLICY">
      <pro-snowflake:policyArguments>
        <pro-snowflake:entry key="user_id" value="NUMBER"/>
      </pro-snowflake:policyArguments>
      <pro-snowflake:policyBody>CURRENT_ROLE() = 'ADMIN'</pro-snowflake:policyBody>
    </pro-snowflake:createRowAccessPolicy>
  </changeSet>
  <!-- Policy with OR REPLACE and comment -->
  <changeSet id="create-row-access-policy-replace" author="examples">
    <pro-snowflake:createRowAccessPolicy
                policyName="DEPARTMENT_ACCESS_POLICY"
                replaceIfExists="true"
                comment="Row access based on department and role">
      <pro-snowflake:policyArguments>
        <pro-snowflake:entry key="dept_id" value="VARCHAR"/>
        <pro-snowflake:entry key="access_level" value="NUMBER"/>
      </pro-snowflake:policyArguments>
      <pro-snowflake:policyBody>(dept_id = CURRENT_USER() AND access_level >= 3) OR CURRENT_ROLE() IN ('ADMIN', 'HR')</pro-snowflake:policyBody>
    </pro-snowflake:createRowAccessPolicy>
  </changeSet>
  <!-- Policy with IF NOT EXISTS -->
  <changeSet id="create-row-access-policy-if-not-exists" author="examples">
    <pro-snowflake:createRowAccessPolicy
                policyName="TENANT_ISOLATION_POLICY"
                ifNotExists="true">
      <pro-snowflake:policyArguments>
        <pro-snowflake:entry key="tenant_id" value="VARCHAR(50)"/>
      </pro-snowflake:policyArguments>
      <pro-snowflake:policyBody>tenant_id = CURRENT_USER()</pro-snowflake:policyBody>
    </pro-snowflake:createRowAccessPolicy>
  </changeSet>
</databaseChangeLog>

<?xml version="1.0" encoding="UTF-8"?>
<databaseChangeLog
  xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
  xmlns:pro-snowflake="http://www.liquibase.org/xml/ns/pro-snowflake"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd
        http://www.liquibase.org/xml/ns/pro-snowflake
        http://www.liquibase.org/xml/ns/pro-snowflake/liquibase-pro-snowflake-latest.xsd">
  <!-- Basic policy -->
  <changeSet id="create-row-access-policy-basic" author="examples">
    <pro-snowflake:createRowAccessPolicy policyName="ADMIN_ONLY_POLICY">
      <pro-snowflake:policyArguments>
        <pro-snowflake:entry key="user_id" value="NUMBER"/>
      </pro-snowflake:policyArguments>
      <pro-snowflake:policyBody>CURRENT_ROLE() = 'ADMIN'</pro-snowflake:policyBody>
    </pro-snowflake:createRowAccessPolicy>
  </changeSet>
  <!-- Policy with OR REPLACE and comment -->
  <changeSet id="create-row-access-policy-replace" author="examples">
    <pro-snowflake:createRowAccessPolicy
                policyName="DEPARTMENT_ACCESS_POLICY"
                replaceIfExists="true"
                comment="Row access based on department and role">
      <pro-snowflake:policyArguments>
        <pro-snowflake:entry key="dept_id" value="VARCHAR"/>
        <pro-snowflake:entry key="access_level" value="NUMBER"/>
      </pro-snowflake:policyArguments>
      <pro-snowflake:policyBody>(dept_id = CURRENT_USER() AND access_level >= 3) OR CURRENT_ROLE() IN ('ADMIN', 'HR')</pro-snowflake:policyBody>
    </pro-snowflake:createRowAccessPolicy>
  </changeSet>
  <!-- Policy with IF NOT EXISTS -->
  <changeSet id="create-row-access-policy-if-not-exists" author="examples">
    <pro-snowflake:createRowAccessPolicy
                policyName="TENANT_ISOLATION_POLICY"
                ifNotExists="true">
      <pro-snowflake:policyArguments>
        <pro-snowflake:entry key="tenant_id" value="VARCHAR(50)"/>
      </pro-snowflake:policyArguments>
      <pro-snowflake:policyBody>tenant_id = CURRENT_USER()</pro-snowflake:policyBody>
    </pro-snowflake:createRowAccessPolicy>
  </changeSet>
</databaseChangeLog>

createRowAccessPolicy

Available Attributes

XML

JSON

YAML

SQL

More like this