Approvals by data owners

Often, your data engineering team isn't the best group to decide whether access should be granted to a user. In these cases, you'd prefer to delegate that decision to the people who own the data being requested.

How it works:

  1. Use existing roles as policy to reduce setup time and get started quickly.

  2. Set reviewers automatically without any action required by your team.

  3. Approve the request if the approver is a member of the required roles.

Use existing roles as policy

To enable this capability with minimal configuration, Spyglass allows you to "bootstrap" the data ownership policies using your existing Snowflake roles.

For example, say you have a role called FINANCE_ENG_TEAM with:

  1. OWNERSHIP on databases PAYMENTS and SALES.

  2. GRANTED to users ALICE_WONDERLAND, CHARLES_CHESHIRE, and DAVE_DUCHESS.

Set reviewers automatically

After enabling this setting, whenever an access request is opened that includes a GRANT on the FINANCE database (or on any schema object within that database), FINANCE_ENG_TEAM is added to the Reviewers list for that access request.

Approve the request

When ALICE_WONDERLAND (or any other member of FINANCE_ENG_TEAM) approves the request, it becomes mergeable, provided that the request contains no non-FINANCE-related grants (for example, access to a warehouse).
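The three steps above, as an added example (not Spyglass code) that models how bootstrapped ownership resolves into reviewers and a mergeable/not-mergeable decision. The OWNERSHIP and MEMBERS tables are constructed to mirror the FINANCE_ENG_TEAM example, and the "WAREHOUSE:<name>" spelling for account-level objects is an assumption made here so that grants with no data owner can be shown blocking the merge.

```python
# Added example, not Spyglass code: a minimal model of data-owner approvals.
# OWNERSHIP and MEMBERS are constructed to match the page's FINANCE_ENG_TEAM
# example; "WAREHOUSE:<name>" for account-level objects is an assumed spelling.

OWNERSHIP = {"FINANCE_ENG_TEAM": {"PAYMENTS", "SALES"}}
MEMBERS = {
    "FINANCE_ENG_TEAM": {"ALICE_WONDERLAND", "CHARLES_CHESHIRE", "DAVE_DUCHESS"},
}


def database_of(target):
    """Database a grant target belongs to (DB, DB.SCHEMA or DB.SCHEMA.OBJECT),
    or None for account-level objects such as a warehouse."""
    if ":" in target:
        return None
    return target.split(".")[0].upper()


def reviewers_for(request, ownership=OWNERSHIP):
    """Map each grant target in a request to the roles that own its database.
    An empty set means no data owner exists for that target."""
    required = {}
    for target in request:
        db = database_of(target)
        required[target] = {r for r, dbs in ownership.items() if db in dbs} if db else set()
    return required


def unapproved_targets(request, approvers, ownership=OWNERSHIP, members=MEMBERS):
    """Grant targets not yet approved by a member of an owning role.
    Targets with no owner (e.g. a warehouse) always remain pending, because
    a data-owner approval cannot cover them."""
    pending = []
    for target, owners in reviewers_for(request, ownership).items():
        approved = any(a in members.get(role, ()) for role in owners for a in approvers)
        if not approved:
            pending.append(target)
    return pending


def is_mergeable(request, approvers, ownership=OWNERSHIP, members=MEMBERS):
    """True when every grant in the request is covered by a data-owner approval."""
    return not unapproved_targets(request, approvers, ownership, members)


if __name__ == "__main__":
    req = ["PAYMENTS.PUBLIC.INVOICES", "SALES"]
    print(reviewers_for(req))                       # both targets -> FINANCE_ENG_TEAM
    print(is_mergeable(req, {"ALICE_WONDERLAND"}))  # True
    print(is_mergeable(req + ["WAREHOUSE:COMPUTE_WH"], {"ALICE_WONDERLAND"}))  # False
```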

Notifications

Users can configure notifications on their profile. When enabled, a user receives an email notification whenever a request on which they are listed as a reviewer is opened.

A note about user identifiers

Users have a Snowflake username, a Spyglass ID, and an email address (from your IdP). Spyglass uses the email stored on the Snowflake user object to correlate the user with their Spyglass account. This means that if your users aren't uniquely identified by an email in your IdP, or their email isn't set on their Snowflake user, then the automatic reviewer assignment and notifications described above may not work.
