Roles and permissions
This document answers common questions about the roles Atlan creates or requires in Snowflake, why a dedicated role such as dq_admin with elevated permissions is necessary, and how Snowflake's built-in access controls keep your data safe.
The permission model has been updated to use SELECT access instead of table owner role grants. This simplifies setup and reduces privilege requirements. Existing setups with table owner role grants continue to work.
What permissions does dq_admin need?
The dq_admin role requires SELECT access on your customer tables to enable data quality monitoring. Using Snowflake's EXECUTE AS ROLE feature, Atlan can attach and manage data metric functions (DMFs) on your tables without requiring the dq_admin role to own those tables.
The dq_admin role needs:
- SELECT on customer tables and views (to read data for quality checks)
- SNOWFLAKE.DATA_METRIC_USER database role (to work with DMFs)
- EXECUTE DATA METRIC FUNCTION on account (to run quality checks)
This simplified permission model gives the role the privileges it needs to manage data quality checks while keeping its access to your data to the minimum those checks require: read-only SELECT, with no ownership or write privileges on your tables.
How does Atlan's security architecture protect your data when using dq_admin?
Atlan is never granted direct access to the dq_admin role. Instead, the security architecture works through controlled indirection:
Access control through a stored procedure
Atlan can only interact with the dq_admin role indirectly, through a secure stored procedure called MANAGE_DMF. This procedure:
- Uses Snowflake's EXECUTE AS ROLE feature to run DMF operations with dq_admin privileges
- Exposes only limited, predefined data quality operations—nothing more
- Executes all operations strictly within Snowflake's secure execution context
- Limits the caller to those predefined operations, so dq_admin's privileges can't be exercised for anything else or escalated
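The following script is an added worked example of this setup, covering both the grants listed under "What permissions does dq_admin need?" and the stored-procedure indirection described here. It is not Atlan's own code and not the MANAGE_DMF procedure Atlan ships. It assumes: the monitored tables live in a database SALES, schema PUBLIC; the procedure lives in DQ_TOOLS.OPS; Atlan's service user connects with a role ATLAN_INTEGRATION; the procedure runs with owner's rights (EXECUTE AS OWNER) so that callers execute it with the privileges of its owning role, dq_admin; and the script is run by an administrator who can use SECURITYADMIN and dq_admin. The action allowlist and identifier validation are this example's own hardening of the "predefined operations only" property, not a description of Atlan's implementation. All object and role names are placeholders.

```sql
-- Added illustrative setup, not Atlan's code. Names are placeholders.

-- 1. Create the role and grant exactly the privileges listed above.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS dq_admin;
GRANT DATABASE ROLE SNOWFLAKE.DATA_METRIC_USER TO ROLE dq_admin;
GRANT EXECUTE DATA METRIC FUNCTION ON ACCOUNT TO ROLE dq_admin;

-- USAGE on the database and schema is required to resolve the tables at all;
-- it confers no data access by itself.
GRANT USAGE ON DATABASE sales TO ROLE dq_admin;
GRANT USAGE ON SCHEMA sales.public TO ROLE dq_admin;
GRANT SELECT ON ALL TABLES IN SCHEMA sales.public TO ROLE dq_admin;
GRANT SELECT ON ALL VIEWS  IN SCHEMA sales.public TO ROLE dq_admin;
GRANT SELECT ON FUTURE TABLES IN SCHEMA sales.public TO ROLE dq_admin;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA sales.public TO ROLE dq_admin;
-- Deliberately not granted: OWNERSHIP, INSERT, UPDATE, DELETE on any table.

-- 2. Let dq_admin own the procedure (assumed schema DQ_TOOLS.OPS).
GRANT USAGE ON DATABASE dq_tools TO ROLE dq_admin;
GRANT USAGE, CREATE PROCEDURE ON SCHEMA dq_tools.ops TO ROLE dq_admin;

-- 3. The indirection layer: an owner's-rights procedure (assumption: this is
--    how the caller gets dq_admin's privileges) that accepts only an
--    allowlisted action and system DMF, and validates every identifier
--    before splicing it into dynamic SQL.
USE ROLE dq_admin;
CREATE OR REPLACE PROCEDURE dq_tools.ops.manage_dmf(
    action      STRING,   -- 'ADD' or 'DROP'
    table_fqn   STRING,   -- 'DB.SCHEMA.TABLE'
    dmf_name    STRING,   -- system DMF in SNOWFLAKE.CORE, e.g. 'NULL_COUNT'
    column_list STRING)   -- comma-separated columns, empty for ROW_COUNT
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER
AS
$$
DECLARE
    ident STRING DEFAULT '[A-Za-z_][A-Za-z0-9_]*';
    stmt  STRING;
BEGIN
    IF (UPPER(action) NOT IN ('ADD', 'DROP')) THEN
        RETURN 'REJECTED: unsupported action';
    END IF;
    IF (UPPER(dmf_name) NOT IN ('NULL_COUNT', 'NULL_PERCENT', 'DUPLICATE_COUNT',
                                'UNIQUE_COUNT', 'ROW_COUNT', 'FRESHNESS')) THEN
        RETURN 'REJECTED: not a permitted system DMF';
    END IF;
    -- Identifier checks: a table_fqn containing quotes, semicolons or spaces
    -- never reaches EXECUTE IMMEDIATE, so the caller cannot smuggle in
    -- another statement under dq_admin's privileges.
    IF (NOT REGEXP_LIKE(table_fqn, '^' || ident || '([.]' || ident || '){2}$')) THEN
        RETURN 'REJECTED: table must be DB.SCHEMA.TABLE with plain identifiers';
    END IF;
    IF (NOT REGEXP_LIKE(column_list, '^(' || ident || '( *, *' || ident || ')*)?$')) THEN
        RETURN 'REJECTED: column list must be plain identifiers';
    END IF;

    stmt := 'ALTER TABLE ' || table_fqn || ' ' || UPPER(action) ||
            ' DATA METRIC FUNCTION SNOWFLAKE.CORE.' || UPPER(dmf_name) ||
            ' ON (' || column_list || ')';
    EXECUTE IMMEDIATE :stmt;
    RETURN 'OK: ' || stmt;
END;
$$;

-- 4. Atlan's role gets USAGE on the procedure only, never dq_admin itself.
GRANT USAGE ON PROCEDURE dq_tools.ops.manage_dmf(STRING, STRING, STRING, STRING)
    TO ROLE atlan_integration;
USE ROLE SECURITYADMIN;
GRANT USAGE ON DATABASE dq_tools TO ROLE atlan_integration;
GRANT USAGE ON SCHEMA dq_tools.ops TO ROLE atlan_integration;

-- 5. What Atlan can do: attach a DMF to a table its own role cannot read.
USE ROLE atlan_integration;
CALL dq_tools.ops.manage_dmf('ADD', 'SALES.PUBLIC.ORDERS', 'NULL_COUNT', 'CUSTOMER_ID');

-- 6. Verification: confirm the boundaries described above.
USE ROLE SECURITYADMIN;
SHOW GRANTS OF ROLE dq_admin;            -- must not list atlan_integration or its user
SHOW GRANTS TO ROLE dq_admin;            -- only USAGE, SELECT and the two DMF privileges
SHOW GRANTS TO ROLE atlan_integration;   -- USAGE on the procedure; nothing on SALES.*
```

The three SHOW GRANTS statements at the end are the check worth repeating after any change: the first lists who can assume dq_admin (Atlan's role and user must be absent), the second lists what dq_admin holds (anything beyond USAGE, SELECT and the two DMF privileges is scope creep), and the third confirms Atlan's role reaches your tables only through the procedure.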
Minimal access principle
The dq_admin role only needs:
- SELECT on your tables (read-only data access for quality checks)
- Data Metric Function permissions (to run quality monitoring)
Security boundaries remain intact
This architecture ensures that:
- Atlan can't assume the dq_admin role directly
- The dq_admin role has read-only access to your data
- All operations remain strictly controlled within Snowflake
- Your existing data governance and access boundaries stay fully protected
This security-first design lets Atlan orchestrate data quality workflows without compromising your control over, visibility into, or trust in your data platform.