A Row Access Policy is a Snowflake security feature that automatically applies row-level filters to tables and views based on the executing user's role or session attributes. The policy is attached to a table and transparently filters rows for every query that references that table. It is available on Enterprise Edition or higher.
-- Basic Row Access Policy (role-based)
CREATE OR REPLACE ROW ACCESS POLICY rap_region_filter
AS (region_val VARCHAR) RETURNS BOOLEAN →
CASE
WHEN IS_ROLE_IN_SESSION('ADMIN') THEN TRUE
WHEN IS_ROLE_IN_SESSION('APAC_ANALYST')
AND region_val = 'APAC' THEN TRUE
WHEN IS_ROLE_IN_SESSION('EMEA_ANALYST')
AND region_val = 'EMEA' THEN TRUE
ELSE FALSE
END;
-- Attach the policy to the table
ALTER TABLE sales.transactions
ADD ROW ACCESS POLICY rap_region_filter ON (region);
-- Detach the policy
ALTER TABLE sales.transactions
DROP ROW ACCESS POLICY rap_region_filter;Policy arguments are mapped to table columns. With RETURNS BOOLEAN, only rows that return TRUE are included in the query results. Rows that return FALSE or NULL are excluded.
-- CURRENT_ROLE()-based evaluation (Primary Role only)
CREATE OR REPLACE ROW ACCESS POLICY rap_dept_filter
AS (dept_val VARCHAR) RETURNS BOOLEAN →
CURRENT_ROLE() IN ('SYSADMIN', 'HR_ADMIN')
OR dept_val = (
SELECT department
FROM hr.user_department_mapping
WHERE user_name = CURRENT_USER()
);
-- IS_ROLE_IN_SESSION()-based (supports Secondary Roles)
CREATE OR REPLACE ROW ACCESS POLICY rap_dept_filter_v2
AS (dept_val VARCHAR) RETURNS BOOLEAN →
IS_ROLE_IN_SESSION('SYSADMIN')
OR IS_ROLE_IN_SESSION('HR_ADMIN')
OR dept_val = (
SELECT department
FROM hr.user_department_mapping
WHERE user_name = CURRENT_USER()
);In large organizations with many roles, hard-coding role names inside the policy is hard to maintain. A Mapping Table lets you manage access-control conditions as table data, so you can update access rules without modifying the policy itself.
-- Create the mapping table
CREATE TABLE security.region_access_mapping (
role_name VARCHAR,
region VARCHAR,
access_level VARCHAR -- 'FULL' or 'RESTRICTED'
);
-- Populate mapping data
INSERT INTO security.region_access_mapping VALUES
('APAC_ANALYST', 'APAC', 'FULL'),
('EMEA_ANALYST', 'EMEA', 'FULL'),
('GLOBAL_ANALYST', 'APAC', 'FULL'),
('GLOBAL_ANALYST', 'EMEA', 'FULL'),
('GLOBAL_ANALYST', 'AMER', 'FULL');
-- Row Access Policy that references the Mapping Table
CREATE OR REPLACE ROW ACCESS POLICY rap_region_mapping
AS (region_val VARCHAR) RETURNS BOOLEAN →
IS_ROLE_IN_SESSION('ADMIN')
OR EXISTS (
SELECT 1
FROM security.region_access_mapping m
WHERE IS_ROLE_IN_SESSION(m.role_name)
AND m.region = region_val
);
-- Attach to the table
ALTER TABLE sales.transactions
ADD ROW ACCESS POLICY rap_region_mapping ON (region);| Comparison | Row Access Policy | Masking Policy |
|---|---|---|
| Controls | Visibility of rows (records) | Masking of column values |
| Return type | BOOLEAN (TRUE = show / FALSE = hide) | Same type as the argument (returns a masked value) |
| Attachment scope | One per table or view | One per column |
| Edition requirement | Enterprise or higher | Enterprise or higher |
| Effect on COUNT(*) | Filtered rows are not counted | No effect on row counts (only values are masked) |
| Concurrent use | Can be combined with Masking Policy | Can be combined with Row Access Policy |
| Tag-based assignment | Supports automatic tag-based attachment | Supports automatic tag-based attachment |
-- Privileges required to manage Row Access Policies
-- Create a policy
GRANT CREATE ROW ACCESS POLICY ON SCHEMA security
TO ROLE policy_admin;
-- Attach a policy (apply to tables)
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT
TO ROLE policy_admin;
-- Or grant apply privilege only on specific tables
GRANT APPLY ROW ACCESS POLICY ON TABLE sales.transactions
TO ROLE policy_admin;
-- The OWNERSHIP role on the policy can alter or drop it
-- The APPLY privilege role can attach or detach the policy
-- Splitting these two privileges achieves separation of dutiesWhen a Row Access Policy and a Masking Policy are applied to the same table, the Row Access Policy is evaluated first, and the Masking Policy is then applied to the rows that pass the filter. Snowflake controls this order internally, and users cannot change it.
Security & Governance
問題 1
A Row Access Policy is applied to the sales.orders table such that users with ANALYST_ROLE can only see rows where region='APAC'. When such a user runs SELECT COUNT(*) FROM sales.orders, which of the following correctly describes the result?
正解: B
A Row Access Policy applies row filtering to every access to the table, regardless of query type. COUNT(*) also returns the post-filter row count, so a user with ANALYST_ROLE sees only the count of rows where region='APAC'. This is an important difference from Masking Policies, which mask values but do not affect row counts.
Should I use a Row Access Policy or a Secure View?
A Row Access Policy is attached directly to a table and applies row filtering centrally to every query, view, and stored procedure that references the table. A Secure View embeds the filter condition in the view definition itself, so you must design filters individually for each view. When multiple views or queries access the same table, Row Access Policies are easier to manage. On the other hand, Secure Views are better when you need to hide the view definition itself. The two can be combined.
Can I apply multiple Row Access Policies to a single table?
Only one Row Access Policy can be attached to a single table or view. If you need multiple filter conditions, combine them inside a single policy using CASE expressions or IF statements. Different tables can have different Row Access Policies attached, so design policies on a per-table basis.
Do subqueries or Mapping Tables inside a Row Access Policy affect performance?
Subqueries and Mapping Table references inside a Row Access Policy are evaluated on every query execution, so they can affect performance. The join cost rises sharply when the Mapping Table is large. As a mitigation, consider setting a clustering key on the Mapping Table and keeping its size to a minimum. Simple policies that rely only on CURRENT_ROLE() or IS_ROLE_IN_SESSION() also run faster than the Mapping Table approach.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...