How to Use Snowflake Object Tagging for Better Data Governance

Metadata-driven governance in Snowflake has emerged as a critical component for organizations aiming to manage their data effectively. At the core of this approach lies Snowflake Object Tagging, a feature that empowers companies to implement flexible, and robust access management and maintain discoverability. While building Select Star’s automated data catalog, we’ve invested in understanding how to integrate and automate Snowflake object tagging. In this post, we’ll share best practices for leveraging object tags to enhance your data governance strategy and improve discoverability, classification, and policy enforcement within Snowflake.

Table of Contents
‍

• What is Snowflake Object Tagging and How Does It Work?
• Why Do Companies Use Snowflake Object Tags?
• Snowflake's Automated Tag Management Features
• Decoupling Tag Management for Data Governance
• The Power of Snowflake Tags for Access Management

What is Snowflake Object Tagging and How Does It Work?

Snowflake Object Tagging is Snowflake’s Data Governance feature that enables users to attach key-value metadata to various objects within their Snowflake environment. These tags serve as descriptors, providing additional context and information about the tagged objects. The tagging system in Snowflake is designed to be flexible and scalable, adapting to the needs of diverse data governance strategies.

A key aspect of Snowflake Object Tagging is the concept of tag inheritance and propagation. When a tag is applied at a higher level in the object hierarchy, such as a database or schema, it automatically cascades down to the objects contained within. This inheritance mechanism streamlines the process of applying consistent metadata across related data assets.

To illustrate how tags are defined and applied, consider the following SQL example:

-- Create a tag
CREATE TAG sensitivity;

-- Apply the tag to a table
ALTER TABLE customer_data SET TAG sensitivity = 'high';

This simple action adds metadata that can be leveraged for various governance purposes.

Why Do Companies Use Snowflake Object Tags?

Organizations can leverage Snowflake Object Tags to address a variety of data management challenges. These tags serve as powerful tools, enabling companies to implement sophisticated governance strategies, enhance security measures, and streamline compliance processes. By attaching metadata to various objects within the Snowflake environment, businesses can unlock new capabilities and gain greater control over their data assets.

Here are some of the key use cases for Snowflake Object Tags:

Dynamic Data Masking & Row Access Policies: Tags enable the implementation of flexible security measures that can adapt to changing data sensitivity levels without requiring constant policy updates.

Sensitive Data Discovery & Classification: By tagging columns or tables with classification information, organizations can easily identify and manage sensitive data across their Snowflake environment.

Data Sharing & Compliance: Tags help ensure that only appropriate data is shared with external partners or used for specific purposes, aiding in compliance with regulations like GDPR or CCPA.

Cost Tracking & Resource Management: By tagging resources with cost center or project information, companies can more accurately allocate and manage their Snowflake usage and expenses.

The power of tags lies in their ability to enable automation in these use cases. For instance, a masking policy can be dynamically applied based on tag values:

CREATE MASKING POLICY pii_mask AS (val string) RETURNS string ->
  CASE WHEN CURRENT_ROLE() IN ('ANALYST') AND GET_TAG('sensitivity') = 'high'
    THEN '********'
  ELSE val
  END;

This policy automatically masks data for users in the ANALYST role when accessing columns tagged with a 'high' sensitivity level.

Snowflake's Automated Tag Management Features

Snowflake offers several built-in capabilities designed to simplify and enhance the process of tag management. These features are designed to reduce manual effort, increase efficiency, and provide greater control over metadata across the Snowflake environment. 

1. Tag Inheritance: When you assign a tag to a schema or database, you can specify that it should be inherited by all child objects (including future ones). Some limitations include the following:
   • Tag inheritance does not work for individual columns.
   • You cannot modify or remove an inherited tag directly from the child object. To change or remove the tag, you must update or drop it at the parent level.
   • If you manually assign a tag to a child object, it overrides the inherited tag of the same name.

2. Column-Level Propagation: When a column in a table or view is created from another column that already has a tag, Snowflake automatically propagates that tag to the new column with some conditions:
   • Only downstream objects created via SELECT (like views, clones, or CTAS tables) are eligible for tag propagation. 
   • Propagation only happens at object creation time.

3. Monitoring & Discovery: Snowflake offers built-in views like TAG_REFERENCES and TAG_REFERENCES_ALL_COLUMNS, allowing administrators to easily track and manage tag usage across the environment.

4. Tag-Based Policies: Snowflake enables the creation of access control and data protection policies that are directly linked to tags, ensuring that security measures automatically propagate with the associated metadata.

These automated features significantly reduce the manual overhead typically associated with comprehensive data governance initiatives.

Decoupling Tag Management for Data Governance

While Snowflake's native tagging capabilities are powerful, managing tags solely within Snowflake can present challenges:

• Lack of global metadata consistency across multiple data systems
• Limited user interface for bulk tagging and complex workflows

To address these limitations, many organizations are adopting external governance platforms like Select Star that offer centralized tag management among other advanced data governance capabilities.

Select Star's automated data catalog seamlessly syncs tags with Snowflake, separating governance tracking from access control execution. This integration offers significant benefits like the following:

• Automated updates ensure tags remain current across the data ecosystem, propagating tags downstream and syncing back to Snowflake to be leveraged in Snowflake's masking policies
• Centralized management provides a single source of truth for metadata
• Improved scalability as governance needs grow and evolve
  

By leveraging Select Star's platform for comprehensive tag management, you can maintain consistent and robust governance practices across your entire data landscape, not just within Snowflake.

The Power of Snowflake Tags for Access Management

Snowflake Object Tagging stands as a cornerstone of effective metadata-driven governance. By enabling dynamic, context-aware access controls and data protection measures, tags empower organizations to implement sophisticated governance strategies with greater ease and flexibility.

Key takeaways:

• Tags enable metadata-driven governance, enhancing security and compliance
• Automating tag management simplifies ongoing governance efforts
• Decoupling tag tracking from access control allows for greater scalability

As organizations continue to navigate growing data volumes and complexity, adopting best practices around tag management becomes increasingly crucial. Consistent tag taxonomy, regular monitoring, and leveraging automation where possible will be key to maintaining effective governance in the long term.

By harnessing the full potential of Snowflake Object Tagging, companies can build a more resilient, compliant, and efficient data governance framework that adapts to their evolving needs while ensuring data remains both accessible and secure. Use the form below to connect with us and see how we can help you leverage Snowflake Object Tagging as part of your data governance strategy.
‍