Access control happens at the ‘Organization’ level. Organizations contain members, accounts, and API tokens for importing account data into Traverse.
Organizations can be created in the ‘Organizations’ tab using the ADD ORGANIZATION button:
Users with the Admin or Owner role can manage the organization using the
PII Tokenization #
Personally identifiable information (currently this includes only usernames) can be optionally tokenized at the organization level. If this option is enabled, tokens will be sent to Traverse in place of usernames. Any place a username exists, like as part of another object name, will be replaced with the token. Tokenization is done before data is sent to Traverse, in the Snowflake account.
Enabling PII Tokenization #
To enable PII tokenization, check the ‘Tokenize PII’ checkbox when creating an account or on the ‘Organizations’ page. After enabling the checkbox, the ‘Scheduled Import Procedure’ will automatically tokenize usernames before sending them to Traverse.
Dereferencing Tokens #
To dereference a token, use the
username_token_mappings table in the same schema the import procedure runs in (by default
An example of getting a token for the current user:
select token from username_token_mappings where name = current_user();
Organization Members #
Members in an organization can have one of three roles:
- Owner: the creator of an organization is its Owner. An Owner cannot be removed from an organization, and is the only member that can delete an organization
- Admin: can add and remove members from organizations, manage accounts, and create API tokens
- Member: can view accounts and their associated data
Organization members can be viewed or added on the ‘Members’ tab:
If a new member already has a phData account they will be immediately added to the organization. If they do not have a phData account they will be sent an invite email with instructions on creating the account and accessing the Organization.
Traverse accounts correspond 1:1 with Snowflake accounts. Accounts can be viewed and added on the ‘Accounts’ tab.
Add Accounts #
To add a Snowflake account, click the
ADD ACCOUNT button.
Enter the name and url of the account. An account description is optional.
Importing Account Data #
Traverse uses stored procedures run in your Snowflake account to collect data about users, roles, privileges, databases, and schemas. Traverse does not have access to your Snowflake account, all data must be export to Traverse.
There are two procedures for importing data into your account, ‘scheduled’ and ‘manual’. Code can be generated for each on the Account Card. This procedure can then be run in your Snowflake account.
Scheduled Import #
Scheduled import is the preferred procedure for organizations that want to keep their account data up-to-date in Traverse. This code generated in this procedure must be run as the ACCOUNTADMIN role to create the API integration and external function.
To generate the scheduled import procedure specific to your account.
The ‘Scheduled Import’ button will generate
- a stored procedure to collect account data
- an API integration with the Traverse API gateway
- an API token in your Traverse account to authenticate with Traverse
- an external function to Import the data into Traverse
- a task to run the import on a schedule
To complete the procedure, fill in the
Manual Import #
The manual import procedure can be used import account data at a point in time. The ‘Manual Import Procedure’ button will generate a procedure that creates JSON data. This JSON data can then be saved to a file and imported using the ‘Manual Import’ button.