ExoInsight for Snowflake is delivered as a Snowflake Native App, which means it runs within the controlled boundaries of your existing Snowflake account. The Snowflake article below explains the many security advantages and benefits of the Native Applications Framework in Snowflake:
Snowflake Blog - Snowflake Native Apps Security
Installation
ExoInsight for Snowflake is installed via the Snowflake Marketplace by a Snowflake user with the ACCOUNTADMIN role. The installation process creates a special type of database within your Snowflake account called an application. This application database contains everything needed for ExoInsight for Snowflake to perform its tasks.
Once created, the application starts with no privileges to access any tables or other objects within the Snowflake account. These privileges must be granted explicitly by the Snowflake administrator.
Installing the ExoInsight for Snowflake application does not give Casabase Software (the creator of ExoInsight for Snowflake) or any other third party access to your Snowflake account or data.
Connectivity with Oracle Cloud
The ExoInsight for Snowflake application does not have access to your Oracle Cloud environments upon installation. This access must be explicitly granted by configuring the following Snowflake features:
- Network Rules: used to control what Oracle resources can be accessed from the application.
- Secrets: used to securely store credentials and Oracle authentication configuration within Snowflake.
- External Access Integrations: used to tie network rules and secrets together for communication with Oracle resources.
The Snowflake Secret enables two types of Authentication:
- Native Oracle Cloud Account: Authentication is controlled via an Oracle Cloud Account username/password. Once stored in the Snowflake secret, this username and password cannot be viewed by anyone. Additionally, you can name individual Snowflake users who will be able to utilize the secret (and therefore connect to Oracle via the username/password supplied in the secret), providing granular control. Please see the secrets section of this article for more information on Snowflake secrets.
- Oracle Confidential Application using JWT Assertion: Authentication is controlled by Snowflake, and the Snowflake user is communicated to Oracle via JWT Assertion. The Oracle Confidential Application information is stored in the Snowflake secret. Please see the following URL for more information on Snowflake authentication:
Snowflake Authentication Policies
Regardless of which Authentication method is used, all Authorization is controlled by your existing Oracle security. ExoInsight for Snowflake cannot change or circumvent your existing Oracle security model, regardless of which Authentication process you choose.
When connecting to Oracle Cloud EPM sources or calling BI Publisher reports with Oracle Fusion Cloud ERP while using the Snowflake secret with the Native Oracle Cloud Account option, both authentication and authorization are provided by the username used in the Snowflake secret. Only the individual Snowflake users specified can utilize the native Oracle Cloud Account stored in the secret.
Note: The Native Oracle Cloud Account option in the Snowflake secret behaves slightly differently when using custom SQL in Oracle Fusion Cloud ERP. In this scenario, authentication happens via the native Oracle Cloud Account specified in the secret, but authorization is controlled by the current Snowflake user running the process. This means the current Snowflake user must be set up as a user in Oracle Fusion Cloud ERP and have access to the data and objects that you would like to access.
The ExoInsight for Snowflake application will guide you through the creation of the Snowflake network rule, secret, and external access integration objects. Please see the Installation and Setup Guides for more information.
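The three objects described in this section, written out as Snowflake SQL for the Native Oracle Cloud Account option, followed by the checks an administrator can run to review them. This is an added example, not code from ExoInsight for Snowflake or Casabase Software: the database, schema, object and application names, the host and the credentials are placeholders, and granting the objects directly to the application is an assumption (the application's setup guide defines the actual binding).

```sql
-- Added example. All names below are hypothetical placeholders:
--   SECURITY_DB.EXO_CFG  schema owned by the administrator
--   EXOINSIGHT_APP       name given to the installed application

-- 1. Network rule: egress only, limited to the one Oracle Cloud host
--    and port the application needs to reach.
CREATE NETWORK RULE security_db.exo_cfg.oracle_egress_rule
  MODE = EGRESS
  TYPE = HOST_PORT
  VALUE_LIST = ('<your-oracle-host>:443');

-- 2. Secret: Oracle Cloud Account username/password.
CREATE SECRET security_db.exo_cfg.oracle_native_account
  TYPE = PASSWORD
  USERNAME = '<oracle-username>'
  PASSWORD = '<oracle-password>';

-- 3. External access integration: ties the rule and the secret together.
--    Only the listed rule and secret are usable through it.
CREATE EXTERNAL ACCESS INTEGRATION oracle_access_int
  ALLOWED_NETWORK_RULES = (security_db.exo_cfg.oracle_egress_rule)
  ALLOWED_AUTHENTICATION_SECRETS = (security_db.exo_cfg.oracle_native_account)
  ENABLED = TRUE;

-- 4. Explicit grants to the application (assumed binding mechanism).
GRANT USAGE ON INTEGRATION oracle_access_int TO APPLICATION exoinsight_app;
GRANT READ ON SECRET security_db.exo_cfg.oracle_native_account
  TO APPLICATION exoinsight_app;

-- Review: confirm the allowed hosts, the integration's contents, and
-- exactly which privileges the application holds.
DESCRIBE NETWORK RULE security_db.exo_cfg.oracle_egress_rule;
DESCRIBE EXTERNAL ACCESS INTEGRATION oracle_access_int;
DESCRIBE SECRET security_db.exo_cfg.oracle_native_account; -- metadata only, password is not returned
SHOW GRANTS TO APPLICATION exoinsight_app;
```

Running `SHOW GRANTS TO APPLICATION` immediately after installation and again after setup shows the change from no privileges to only the objects granted above.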
Data Storage and Access
ExoInsight for Snowflake will store certain data related to your Oracle queries and configuration in standard Snowflake tables within the native application instance. This data is used for logging purposes as well as standard configuration data to connect to your Oracle environments. Neither Casabase Software (the creator of ExoInsight for Snowflake) nor any other third party has access to this data, and access is completely controlled by your Snowflake role assignments.
ExoInsight for Snowflake offers two methods of accessing your Oracle Cloud data in Snowflake:
- Returning data directly in Snowsight or from a stored procedure call
- Materializing the data in a standard Snowflake table
Access to the data in Snowsight or from a stored procedure call is controlled by both your Snowflake role assignment and the security configuration you have chosen (see Connectivity with Oracle Cloud section above).
ExoInsight for Snowflake only has the ability to materialize the data into schemas within the ExoInsight for Snowflake native application. The ExoInsight for Snowflake application cannot access or materialize data outside these native application schemas. Once materialized, you have the ability to move the data wherever you like, depending on your Snowflake role assignments.
Application Upgrades
Casabase Software will deploy new versions of ExoInsight for Snowflake on a regular basis via the standard Snowflake Native App versioning process. This process is handled by Snowflake and does not give Casabase Software (the creator of ExoInsight for Snowflake) or any other third party access to your application, data, or account. The only information Casabase Software will have is visibility into whether or not the upgrade process succeeded and any associated messages.