Cloud Computing, Data Analytics

3 Mins Read

A Deep Dive into Snowflake Architecture, Roles, Row-Level Security, and Column-Level Security


Snowflake, the cloud-based data platform, has revolutionized how organizations manage and analyze their data. Its architecture, which separates storage and compute, offers scalability, flexibility, and ease of use. In this blog post, we’ll delve into three essential components of Snowflake: Snowflake roles, row-level security (RLS), and column-level security (CLS).



Source: Snowflake documentation

Snowflake’s architecture can be conceptually divided into three layers, each serving a distinct purpose in the data platform. These are the Storage Layer, Compute Layer, and Cloud Services Layer.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Each layer in detail

  1. Storage Layer:

At the base of Snowflake’s architecture is the Storage Layer, responsible for managing the persistent data storage. Key components of this layer include:

  • Object Store: Snowflake utilizes cloud-based object stores, such as Amazon S3, Microsoft Azure Blob Storage, or Google Cloud Storage, as the underlying storage for data. This provides a scalable and durable storage solution.
  • Data Storage: Structured and semi-structured data, including tables, metadata, and other objects, are stored in the Object Store. Snowflake uses its proprietary data storage format, optimizing performance and storage efficiency.
  • Zero-Copy Cloning: A unique feature of Snowflake’s Storage Layer is the ability to perform zero-copy cloning. This means that when a database or table is cloned, it doesn’t duplicate the actual data but creates a metadata layer, resulting in significant storage savings.
  1. Compute Layer:

Above the Storage Layer is the Compute Layer, responsible for processing queries, running computations, and performing data analysis. Key components of this layer include:

  • Virtual Warehouses (Clusters): The Compute Layer consists of virtual warehouses, also known as clusters. These are groups of compute resources that are dynamically allocated to process queries. Virtual warehouses can be scaled up or down based on the workload, providing elasticity and flexibility.
  • Query Processing: When a query is submitted, Snowflake’s Query Processing engine optimizes and compiles it into a series of stages. These stages can be executed in parallel across multiple nodes in the virtual warehouse, enabling efficient and high-performance query processing.
  1. Cloud Services Layer:

The top layer of Snowflake’s architecture is the Cloud Services Layer, which manages various operational and administrative aspects of the platform. Key components of this layer include:

  • Metadata Store: This centralized repository stores metadata about all objects within Snowflake. It includes information about databases, tables, user-defined functions, and more.
  • Query Compilation and Optimization: Snowflake’s cloud services manage the compilation and optimization of queries, ensuring they are executed most efficiently across the Compute Layer.
  • Authentication and Access Control: The Cloud Services Layer integrates with the identity services of the chosen cloud provider (AWS, Azure, GCP) for user authentication. It also manages Snowflake’s access control system, which includes roles and privileges to control user access to data.
  • Metadata Management: Cloud services manage metadata, ensuring consistency and accuracy across the platform. This includes tracking changes to databases, tables, and other objects.
  • Data Sharing and Security: Features such as data sharing between different Snowflake accounts, role-based access control, encryption, and other security measures are managed at this layer.

Snowflake Roles

Roles in Snowflake play a crucial role in managing access and permissions. They provide a way to group users and grant privileges to those groups. This hierarchical approach simplifies access control and reduces the complexity of managing individual permissions. Snowflake supports both predefined and custom roles.

Predefined Roles:

  • ACCOUNTADMIN: The superuser role with full access to all objects and operations.
  • SECURITYADMIN: Manages user roles and other security-related tasks.
  • SYSADMIN: Has broad administrative privileges for system-related tasks.
  • PUBLIC: The default role is assigned to all users, providing minimal access.

Custom Roles:

Organizations can create custom roles to align with their specific requirements. These roles can be granted specific privileges, and users can be assigned to these roles to inherit the associated permissions.

Row-Level Security (RLS)

Row-level security is a critical feature in Snowflake that enables organizations to control access to data at the row level based on certain conditions. This ensures that users only see the data they are authorized to access.

Implementation of RLS:

  • Predicate-Based Policies: Organizations can define policies using predicates that specify the conditions for accessing rows.
  • Context-Based Policies: RLS policies can also be based on user attributes or session parameters.

Column-Level Security (CLS)

Column-level security complements RLS by allowing organizations to control access to specific columns within a table. This is particularly useful when certain users or roles should not have access to sensitive information within a dataset.

Implementation of CLS:

  • Column Masking: Organizations can define masking policies to redact or mask specific column values based on user roles or conditions.
  • Column Encryption: Sensitive data in columns can be encrypted, ensuring only authorized users can decrypt and view the actual values.


Snowflake’s enhanced security features, including roles, row-level security, and column-level security, provide organizations with a comprehensive toolkit to manage data access and protect sensitive information.

The flexibility to define custom roles, implement fine-grained row-level and column-level controls, and integrate with various authentication providers makes Snowflake a powerful and secure data platform.

Drop a query if you have any questions regarding Snowflake and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.


1. Can I create my custom roles in Snowflake?

ANS: – Yes, Snowflake allows organizations to create custom roles to align with their specific access control requirements. These roles can be tailored to grant specific privileges to groups of users.

2. How does Row-Level Security work in Snowflake?

ANS: – Row-level security in Snowflake is implemented through policies that define conditions (predicates) for accessing rows. Users or roles are then associated with these policies, ensuring that they only see the data for which they are authorized.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!