Prerequisites for pushdown enforcement

To enable Data Access Management to push down data access control policies and data filter policies into your cloud data platform, complete the necessary configuration and authorization tasks.

The following table lists the types of data access policies that you can push down in each type of cloud data platform:

Cloud Data Platform Type	Data Access Policy Types
Amazon Redshift	Data access control policies
Databricks	Data access control policies
Microsoft Power BI	Data access control policies
Snowflake	Data access control policies and Data filter policies

General prerequisite

Once you configure your cloud data platform to support pushdown enforcement, you will assign permissions to data assets.

For more information, see Assigning permissions to source systems.

Prerequisites for Amazon Redshift

Complete the following tasks for Amazon Redshift cloud data platforms:

- Configure a catalog source.

For more information about configuring a catalog source for Amazon Redshift, see Amazon Redshift.

- Grant the following permissions to the connection associated with your Amazon Redshift cloud data platform:

grant create role to role [IDMC_USER_ROLE];
grant { { SELECT | INSERT | UPDATE | DELETE } [,...] | ALL [ PRIVILEGES ] } on [OBJECT_NAME]
to { [IDMC_USER_ROLE] with grant option;

- To grant privileges on an object in Amazon Redshift, you must meet one of the following criteria:

▪ Be the object owner.
▪ Be a superuser.
▪ Have a grant privilege for that object and privilege.

For more information about configuring a catalog source for Amazon Redshift, see Connect to Amazon Redshift.

Note: If your organization uses an IdP and pushes data access policies to Amazon Redshift, you must add a custom property for the namespace that Amazon Redshift requires to the Data Access Management Agent service. This allows the Secure Agent to map the IDMC user groups in the data access policies into the IdP-based roles created in a namespace in Amazon Redshift.

Prerequisites for Databricks

Complete the following tasks for Databricks cloud data platforms:

- Ensure that the user identified in the catalog source connection that pushes the policies has Databricks workspace admin privileges on the catalog source.
- Configure a catalog source.

Note: Use a personal access token to connect to your Databricks instance through Data Access Management.

For more information about configuring a catalog source for Databricks, see Register a catalog source.

Prerequisites for Microsoft Power BI

Complete the following tasks for Microsoft Power BI cloud data platforms:

- For each Microsoft Power BI workspace into which you want Data Access Management to push data access control policies, add the service principal as a member with the Admin permission.
- Configure a catalog source.

For more information about configuring a catalog source for Microsoft Power BI, see Microsoft Power BI Connection Properties.

- Grant the following permissions as the Delegated type to the connection associated with your Microsoft Power BI cloud data platform:

Dataset.ReadWrite.All
Dataset.Read.All
Workspace.ReadWrite.All

- Grant the following permissions as the Application type to the connection associated with your Microsoft Power BI cloud data platform:

Group.Read.All
GroupMember.Read.All

Note: You must click "Grant admin consent" in Microsoft Power BI to approve application permissions.

Prerequisites for Snowflake

Complete the following tasks for Snowflake cloud data platforms:

- Configure a catalog source.

For more information about configuring a catalog source for Snowflake, see Snowflake.

- Grant the following permissions to the connection associated with your Snowflake cloud data platform:

GRANT MANAGE GRANTS ON ACCOUNT TO [IDMC_USER_ROLE];
GRANT CREATE ROLE ON ACCOUNT TO [IDMC_USER_ROLE];

- For use with data filter policies, also grant these permissions on your Snowflake cloud data platform.

Note the following about Snowflake permissions:

▪ Your Snowflake account needs to be able to enforce row-level policies.
▪ In permission grants, if you do not specify database and schema names, Data Access Management creates a default database called CDAM_INTERNAL_STATE and a default schema called PUBLIC.

If you want Informatica to have permission to create databases in Snowflake, grant the following permission once where you store Snowflake row access policies:

GRANT CREATE DATABASE ON ACCOUNT TO [IDMC_USER_ROLE];

On every table and view that you want to apply Snowflake row access policies, you can grant the following permissions instead of the GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO [IDMC_USER_ROLE] permission:

GRANT OWNERSHIP ON [TABLE_NAME] TO [IDMC_USER_ROLE];
GRANT OWNERSHIP ON [VIEW_NAME] TO [IDMC_USER_ROLE];

Grant the following permissions on every table that you want to apply Snowflake row access policies:

GRANT USAGE ON [DATABASE_NAME] TO [IDMC_USER_ROLE];
GRANT USAGE ON [SCHEMA_NAME] TO [IDMC_USER_ROLE];
GRANT SELECT ON TABLE [DATABASE_NAME]."INFORMATION_SCHEMA"."POLICY_REFERENCES";
GRANT SELECT ON VIEW [DATABASE_NAME]."INFORMATION_SCHEMA"."POLICY_REFERENCES";

If you do not want Informatica to have permission to create databases in Snowflake, grant the following permissions once where you store Snowflake row access policies:

GRANT CREATE SCHEMA ON [DATABASE_NAME] TO [IDMC_USER_ROLE];
GRANT USAGE ON [DATABASE-NAME] TO [IDMC_USER_ROLE];
GRANT USAGE ON [SCHEMA-NAME] TO [IDMC_USER_ROLE];
GRANT CREATE ROW ACCESS POLICY ON [SCHEMA-NAME] TO [IDMC_USER_ROLE];
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO [IDMC_USER_ROLE];

You can grant the following permissions instead of the GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO [IDMC_USER_ROLE] permission on every table and view that you want to apply Snowflake row access policies:

GRANT OWNERSHIP ON [TABLE_NAME] TO [IDMC_USER_ROLE];
GRANT OWNERSHIP ON [VIEW_NAME] TO [IDMC_USER_ROLE];

Grant the following permissions on every table that you want to apply Snowflake row access policies: