Scaling Secure Data Access – Implementing RBAC in Snowflake for a Leading REIT

About the Client:

Our client is a major, publicly traded Real Estate Investment Trust (REIT) with a multi-billion-dollar portfolio of commercial properties spread across North America.

Background:

As part of a broader cloud modernization effort, the client adopted Snowflake as their centralized data warehouse. Snowflake’s scalability and performance suited their growing data needs—spanning financial data, lease agreements, property operations, tenant activity, and market demographics.

Initially, user access was managed through one-off grants by IT or data admins. This worked when the data team was small and users were few. But as data usage grew across departments (finance, legal, asset management, marketing, and analytics), the manual access model began to crack under pressure. Ensuring the right people had the right access, and only that access, became increasingly difficult, slow, and risky.

Challenges:

  • Too Much Access, Too Little Control: Users were given wide-ranging access when they only needed narrow views, increasing the risk of sensitive data exposure.
  • Compliance Headaches: Manual processes made it hard to audit who had access to what. Maintaining SOX and privacy compliance required weeks of effort.
  • High Operational Overhead: Every new hire or role change triggered a long string of manual permission updates—slowing teams down and straining IT.
  • Inconsistent User Experience: Some users had full access; others had none. Most had to request access for every new dashboard or report.
  • Scalability Roadblocks: With data growing rapidly and more departments depending on it, the client needed a way to scale access securely and consistently.

Solution:

Working closely with stakeholders across departments, our team designed and deployed a comprehensive RBAC framework for Snowflake—grounded in automation, data governance, and real-world user needs.

Phase 1: Design

  • Data Classification: Tagged datasets by sensitivity and business domain (e.g., public, confidential, property, finance).
  • Persona Mapping: Interviewed business units to identify typical user personas (e.g., Analyst, Legal Reviewer, Executive Viewer) and their access needs.
  • Role Blueprinting: Defined a multi-level role hierarchy using Snowflake’s native RBAC capabilities (e.g., ASSET_MGMT_READ, FINANCE_ANALYST_WRITE, LEGAL_VIEW_ONLY), with inherited privileges to reduce redundancy.
  • Least Privilege Approach: Ensured each role granted only the access necessary for the user’s job function.

Phase 2: Implementation

  • Custom Role Setup: Created roles aligned to business personas and tied privileges to those roles.
  • Granular Privilege Assignment: Applied schema- and object-level access, using dynamic data masking for sensitive columns.
  • Automated Role Assignment: Integrated with the client’s Identity Provider (IdP) for automated provisioning/de-provisioning based on user group.
  • Audit Logging: Enabled Snowflake’s native logging to track access and role changes for compliance reporting.
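The following Snowflake SQL is an added illustration of the role hierarchy, inherited privileges, column masking and grant auditing described in Phases 1 and 2; it is not the client's actual deployment. The role names come from the case study, while the database REIT_DW, the schemas PROPERTY and FINANCE, the table TENANTS and the column TAX_ID are assumed names chosen for the example.

```sql
-- Role objects are created by SECURITYADMIN (holds CREATE ROLE and MANAGE GRANTS).
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS LEGAL_VIEW_ONLY;
CREATE ROLE IF NOT EXISTS ASSET_MGMT_READ;
CREATE ROLE IF NOT EXISTS FINANCE_ANALYST_WRITE;

-- Inherited privileges: the write role inherits everything the read role holds,
-- so read-level grants are defined once instead of duplicated per role.
GRANT ROLE ASSET_MGMT_READ TO ROLE FINANCE_ANALYST_WRITE;
-- Every custom role rolls up to SYSADMIN so administrators keep visibility.
GRANT ROLE FINANCE_ANALYST_WRITE TO ROLE SYSADMIN;
GRANT ROLE LEGAL_VIEW_ONLY TO ROLE SYSADMIN;

-- Schema-level, read-only access for the read role (REIT_DW.PROPERTY is assumed).
GRANT USAGE ON DATABASE REIT_DW TO ROLE ASSET_MGMT_READ;
GRANT USAGE ON SCHEMA REIT_DW.PROPERTY TO ROLE ASSET_MGMT_READ;
GRANT SELECT ON ALL TABLES IN SCHEMA REIT_DW.PROPERTY TO ROLE ASSET_MGMT_READ;
-- FUTURE grants keep least privilege intact as new tables are added.
GRANT SELECT ON FUTURE TABLES IN SCHEMA REIT_DW.PROPERTY TO ROLE ASSET_MGMT_READ;

-- The write role adds only the privileges the read role lacks, on its own schema.
GRANT USAGE ON SCHEMA REIT_DW.FINANCE TO ROLE FINANCE_ANALYST_WRITE;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA REIT_DW.FINANCE
  TO ROLE FINANCE_ANALYST_WRITE;

-- Dynamic data masking for a sensitive column (TENANTS.TAX_ID is assumed).
-- Requires CREATE MASKING POLICY on the schema and APPLY MASKING POLICY on the account.
CREATE OR REPLACE MASKING POLICY REIT_DW.PROPERTY.MASK_TAX_ID
  AS (val STRING) RETURNS STRING ->
  CASE
    -- Only the finance role sees the clear value; everyone else gets the last 4 digits.
    WHEN IS_ROLE_IN_SESSION('FINANCE_ANALYST_WRITE') THEN val
    ELSE '***-**-' || RIGHT(val, 4)
  END;
ALTER TABLE REIT_DW.PROPERTY.TENANTS
  MODIFY COLUMN TAX_ID SET MASKING POLICY REIT_DW.PROPERTY.MASK_TAX_ID;

-- Compliance review: which users currently hold which roles, and who granted them.
SELECT grantee_name, role, granted_by, created_on
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE deleted_on IS NULL
ORDER BY created_on DESC;

-- Detection: any role grants or revokes run in the last 7 days.
SELECT user_name, role_name, query_text, start_time
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE (query_text ILIKE 'GRANT ROLE%' OR query_text ILIKE 'REVOKE ROLE%')
  AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP());
```

ACCOUNT_USAGE views lag live activity by up to a few hours, so point-in-time checks should use SHOW GRANTS instead.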

Outcome:

The impact was significant—both technically and culturally.

  • Role-based access minimized over-permissioning and improved data security.
  • Centralized audit logs made compliance reviews faster and more reliable.
  • Automated provisioning reduced IT workload by 60%.
  • New users received instant, accurate access via predefined roles.
  • The model scaled effortlessly as teams, roles, and datasets grew.
