Snowflake

Snowflake Aggregation Policies: Enforce Aggregation and Protect Privacy

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

Aggregation Policy is a Snowflake data governance feature that enforces that every aggregation group in a query result contains at least a minimum number of rows (MIN_GROUP_SIZE). It structurally eliminates the risk of inferring individual or small-group data and is available on Enterprise Edition and above.

Why Enforce Aggregation?

When you aggregate data with GROUP BY in analytics, if a specific group has only 1-2 rows, the aggregate value can reveal an individual. For example, if the group "region=Hokkaido, age=65+, condition=diabetes" has only one row, the average or sum directly represents that individual's value. Aggregation Policy prevents these Small Group Attacks.

CREATE AGGREGATION POLICY Syntax

-- Basic Aggregation Policy
CREATE OR REPLACE AGGREGATION POLICY privacy_db.policies.min_group_5
  AS () RETURNS AGGREGATION_CONSTRAINT ->
    AGGREGATION_CONSTRAINT(MIN_GROUP_SIZE => 5);

-- Conditional policy: vary aggregation constraint by role
CREATE OR REPLACE AGGREGATION POLICY privacy_db.policies.role_based_agg
  AS () RETURNS AGGREGATION_CONSTRAINT ->
    CASE
      WHEN CURRENT_ROLE() IN ('DATA_SCIENTIST', 'ADMIN')
        THEN AGGREGATION_CONSTRAINT(MIN_GROUP_SIZE => 0)
      WHEN CURRENT_ROLE() = 'ANALYST'
        THEN AGGREGATION_CONSTRAINT(MIN_GROUP_SIZE => 5)
      ELSE
        AGGREGATION_CONSTRAINT(MIN_GROUP_SIZE => 20)
    END;

The policy body is written as a SQL expression that returns AGGREGATION_CONSTRAINT(MIN_GROUP_SIZE => N). Setting MIN_GROUP_SIZE to 0 disables the aggregation constraint (raw data access becomes possible). By using CURRENT_ROLE() or IS_ROLE_IN_SESSION() inside a CASE expression, you can switch the constraint level per role.

Applying to Tables and Views

-- Apply Aggregation Policy to a table
ALTER TABLE medical_db.public.patient_records
  SET AGGREGATION POLICY privacy_db.policies.min_group_5;

-- Apply with ENTITY KEY (enforce aggregation per entity)
ALTER TABLE medical_db.public.patient_records
  SET AGGREGATION POLICY privacy_db.policies.min_group_5
  ENTITY KEY (patient_id);

-- Also applicable to views
ALTER VIEW medical_db.public.patient_summary
  SET AGGREGATION POLICY privacy_db.policies.min_group_5
  ENTITY KEY (patient_id);

-- Unset the policy
ALTER TABLE medical_db.public.patient_records
  UNSET AGGREGATION POLICY;

The Role of ENTITY KEY

When you specify ENTITY KEY, MIN_GROUP_SIZE is evaluated against the "number of unique entities" rather than "row count". For example, with ENTITY KEY (patient_id) and MIN_GROUP_SIZE=5, the query is rejected unless each group contains at least 5 distinct patients. Even if a single patient has multiple rows, what matters is patient count, not row count.

Query Behavior After Policy Application

-- Example queries on a policy-applied table
-- MIN_GROUP_SIZE=5 / ENTITY KEY=patient_id

-- OK: succeeds if each region has 5+ patients
SELECT region, AVG(age) AS avg_age, COUNT(*) AS cnt
FROM medical_db.public.patient_records
GROUP BY region;

-- NG: the entire query errors out if any region has fewer than 5 patients
-- Error: Aggregation policy violation

-- Workaround: exclude small groups with HAVING
SELECT region, AVG(age) AS avg_age, COUNT(*) AS cnt
FROM medical_db.public.patient_records
GROUP BY region
HAVING COUNT(DISTINCT patient_id) >= 5;

-- Non-aggregated SELECT * is blocked (when MIN_GROUP_SIZE > 0)
SELECT * FROM medical_db.public.patient_records;
-- Error: Query does not contain an aggregate function

Governance Policy Comparison

PolicyProtection TargetScopeBehavior
Aggregation PolicyGranularity of aggregate resultsTable / ViewBlocks queries that include groups below MIN_GROUP_SIZE
Masking PolicyColumn valuesColumnReplaces values with NULL or a fixed value depending on role
Row Access PolicyRow visibilityTable / ViewFilters out rows that do not meet the condition
Projection PolicyColumn projectionColumnProhibits SELECT on the column for specific roles

Policy Management SQL

-- List defined policies
SHOW AGGREGATION POLICIES IN SCHEMA privacy_db.policies;

-- Describe a policy
DESCRIBE AGGREGATION POLICY privacy_db.policies.min_group_5;

-- Check where a policy is applied
SELECT *
FROM TABLE(
  INFORMATION_SCHEMA.POLICY_REFERENCES(
    POLICY_NAME => 'privacy_db.policies.min_group_5'
  )
);

-- View all policy references in Account Usage
SELECT policy_name, ref_entity_name, ref_entity_domain
FROM SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES
WHERE policy_kind = 'AGGREGATION_POLICY';

-- Drop a policy (must be unset from objects first)
DROP AGGREGATION POLICY privacy_db.policies.min_group_5;

Required Privileges

OperationRequired Privileges
CREATE AGGREGATION POLICYCREATE AGGREGATION POLICY on the schema
ALTER TABLE SET AGGREGATION POLICYOWNERSHIP on the table + APPLY on the policy
DROP AGGREGATION POLICYOWNERSHIP on the policy

Design and Operational Best Practices

  • Centralize policies in a dedicated schema: consolidate all Aggregation Policies in a schema like privacy_db.policies and grant APPLY privilege only to specific roles
  • Always specify ENTITY KEY: row-count-based protection is weakened by duplicate records, so specify the entity's primary key
  • Validate MIN_GROUP_SIZE in a test environment: investigate in advance how many existing queries will violate the policy and notify the analytics team
  • Roll out gradually with conditional policies: exclude the ADMIN role with MIN_GROUP_SIZE=0 first, then apply constraints to analyst roles and roll out in phases
  • Combine with Masking Policy and Row Access Policy: beyond aggregation constraints, layer in masking of sensitive columns and row-level filters to build defense in depth

Check Your Understanding

Data Governance

問題 1

A medical data table has an Aggregation Policy applied with ENTITY KEY (patient_id) and MIN_GROUP_SIZE=5. What is the correct result when the following query is executed? SELECT region, AVG(blood_pressure) FROM patients GROUP BY region; Assume the region='Hokkaido' group contains only 3 distinct patient_id values.

  1. Only the Hokkaido group returns NULL while other regions aggregate normally
  2. The Hokkaido group is automatically excluded and only the other regions' results are returned
  3. The entire query fails with an Aggregation Policy Violation error and no results are returned
  4. The AVG value for Hokkaido is automatically returned as a noise-added approximation

正解: C

Under an Aggregation Policy, if any GROUP BY group falls below MIN_GROUP_SIZE, the entire query errors out. Since Hokkaido has only 3 distinct patient_id values (below MIN_GROUP_SIZE=5), the entire query, including other regions, is rejected. There is no automatic small-group exclusion or noise injection. Adding HAVING COUNT(DISTINCT patient_id) >= 5 lets you exclude small groups and run the query.

Frequently Asked Questions

What value should I use for MIN_GROUP_SIZE in an Aggregation Policy?

A minimum of 5 is recommended to mitigate statistical re-identification risk. Under regulatory regimes such as GDPR or HIPAA, MIN_GROUP_SIZE is sometimes set between 10 and 20. Higher values restrict the granularity of returned results, so balance analytical needs against privacy requirements. After configuration, verify behavior using test queries with IS_AGGREGATION_POLICY_MET().

What is the difference between Aggregation Policy and Dynamic Data Masking Policy?

Masking Policy hides or transforms individual column values per role, replacing them with NULL or fixed strings at SELECT time. In contrast, Aggregation Policy enforces sufficient aggregation of query results, blocking the entire query if any GROUP BY group falls below the specified row count. Masking Policy controls 'who sees what', while Aggregation Policy controls 'at what granularity aggregate results are returned'. The two can be combined.

What happens to a non-compliant query on a table with an Aggregation Policy applied?

If any GROUP BY group contains fewer rows than MIN_GROUP_SIZE, the entire query errors out and no results are returned. The error message includes 'Aggregation policy violation'. Adding HAVING COUNT(*) >= <MIN_GROUP_SIZE> excludes small groups and lets the query pass. Policy violation audit logs are available in the ACCOUNT_USAGE.POLICY_REFERENCES view.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.