April 2024

Explorer — My access

In the explorer, Spyglass users now see:

  1. Which privileges they have on the selected Snowflake object.

  2. If a selected role is assigned to their Snowflake user.

  3. If a selected user is their Snowflake user.

  4. A filtered explorer tree with only objects that their user has privileges on.

These features are only supported for users authenticated through SSO. "Privileges" refers to the flattened privileges of the user, which includes indirect grants via role inheritance.

Explorer — Add a "star" to any object

Users can now "star" any database, schema, table, or other object that they would like to access quickly later. Quick links to starred objects now appear on the main explorer page in the "Starred objects" section.

Starred objects are unique to each Spyglass user.

Explorer — Comment on objects

Users can now add comments to object details pages (databases, schemas, tables, users, or roles). This is the first feature in a larger effort to provide a wiki-style experience for documenting Snowflake objects.

If you have a collaborative metadata use case you're looking to fill, reach out and let us know!

Access requests — Suggested grants

When a request is opened and doesn't include any proposed grants yet, a "Suggestions" button now appears, allowing you to quickly grant access roles to a user's existing functional roles.

These suggestions are based on: the requester's email, so we can find their Snowflake user and existing functional roles; and the request's title and description, so we can determine which tables or schemas they're requesting access to.

Access requests — Role recommendations

Upon new access request creation, Spyglass looks at the access request title and description to determine if any tables or views have been requested. Spyglass attempts to find those tables and returns the top-level roles that grant access to all the objects mentioned.

"Top-level roles" are roles that sit at the top of the role hierarchy and are meant to be granted to users. In other words, Spyglass tries not to recommend any intermediate or lower-level roles.
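
The "flattened privileges" described under "Explorer — My access" and the top-level role recommendation described above both come down to walking the role hierarchy. The sketch below is an added example, not Spyglass code: the role names, grants, and user are constructed sample data, and treating "top-level" as "not granted to any other role" is an assumption.

```python
# Added example: all role names, grants and users below are constructed sample data.
ROLE_INHERITS = {            # role -> roles granted to it (it inherits their privileges)
    "ANALYST": ["SALES_READ", "FINANCE_READ"],
    "ENGINEER": ["SALES_READ"],
    "SALES_READ": ["SALES_DB_USAGE"],
    "FINANCE_READ": [],
    "SALES_DB_USAGE": [],
}
DIRECT_PRIVS = {             # role -> (privilege, object) pairs granted directly
    "SALES_READ": {("SELECT", "SALES.PUBLIC.ORDERS")},
    "FINANCE_READ": {("SELECT", "FINANCE.PUBLIC.INVOICES")},
    "SALES_DB_USAGE": {("USAGE", "SALES")},
}
USER_ROLES = {"alice": ["ENGINEER"]}   # user -> roles granted directly to the user


def inherited_roles(role):
    """Return the role plus every role reachable through inheritance."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:          # skip roles already visited via another path
            seen.add(current)
            stack.extend(ROLE_INHERITS.get(current, []))
    return seen


def flattened_privileges(roles):
    """Union of direct and inherited privileges for a list of roles."""
    privs = set()
    for role in roles:
        for r in inherited_roles(role):
            privs |= DIRECT_PRIVS.get(r, set())
    return privs


def top_level_roles():
    """Roles that are not granted to any other role (assumed meaning of 'top-level')."""
    children = {c for kids in ROLE_INHERITS.values() for c in kids}
    return sorted(r for r in ROLE_INHERITS if r not in children)


def recommend_roles(requested_objects):
    """Top-level roles whose flattened privileges touch every requested object."""
    wanted = set(requested_objects)
    return [r for r in top_level_roles()
            if wanted and wanted <= {obj for _, obj in flattened_privileges([r])}]
```

In this sample, `alice` holds only `ENGINEER` directly, yet her flattened privileges include `SELECT` on `SALES.PUBLIC.ORDERS` and `USAGE` on `SALES`; a review that looks only at direct grants would miss both.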

Access requests — Status notifications

Newly-opened access requests now send email notifications to approvers. These notifications are configurable and can be enabled or disabled on a per-user basis.

By default, notifications are sent to all Spyglass administrators who have authenticated via SSO.

Access requests — Easy reverts

After an access request has been merged and applied, an action is now available to open a new access request that reverts the original one in one click.

Recommendations — Over-provisioned access

Spyglass now identifies unused roles: roles that aren't granted to any users, so they can safely be cleaned up and deleted. A remediation is available to drop these roles in one click.

Spyglass now identifies duplicate roles: roles that have overlapping privileges, so that users can decide how they want to clean up these redundancies.

Weekly reports — Straight to your inbox

Spyglass now sends a weekly report (every Wednesday) that summarizes activity in your account for the last 7 days. It includes information about merged access requests, open access requests, and triggered alerts.

In the future, we'll include information about recommendations specific to your account, as well as any anomalous activity worthy of note.

Monitors and alerts — ACCOUNTADMIN user changes

Spyglass now monitors when the ACCOUNTADMIN role is granted to or revoked from users. When this change is detected, Spyglass admins receive a notification and can view the open alerts on the issue details page.

Two options are available: acknowledge the alert (mark the change as intended and acceptable), or dismiss it (ignore this incident and similar future incidents).

Recommendations — Sensitive access history

Spyglass now identifies elevated users and roles that may have directly accessed sensitive data within the last 90 days.

"Sensitive data" means any tables or views that are secured by one or more masking policies.

User experience

  • Explorer

    • Database details page now shows which functional roles are granted access to that database.

    • Role details page now indicates whether a role is a functional role.

    • Privileges for ACCOUNTADMIN and other Snowflake built-in roles are now correctly displayed on the role details page.

  • Functional Roles

    • Functional roles page now includes quick links to each database's details page in the explorer.

  • Performance

    • Improved performance when staging changes for users with larger deployments.

    • Fixed issues with pagination and filtering on the recommendations listing page.

  • SQL code blocks across the app now have syntax highlighting!

  • Added an access request timeline to the main listing page to give users a high-level overview of recent changes.

  • Added a better animated indication to the Snowflake settings page when automatic sync is enabled.

  • Functional roles summary table now displays a user count for each role, with a tooltip that lists their usernames.

  • Fixed a formatting issue with the metadata sidebar on the access requests detail page.

  • Fixed an issue that could occur when reverting certain kinds of access requests where the original access request would only partially be reversed.

  • Users are now correctly redirected to their intended destination after a successful login, for example if they clicked an email link and hadn't yet authenticated. Previously, they were redirected to the home page by default.

  • Snowflake future grants config now allows setting an "Excluded objects regular expression". See Snowflake future grants docs for more info.
