Blog
0 min read

Best practices for protecting your data: Snowflake role hierarchy

Written by
Arman Babayan

One stolen password can bring down an entire enterprise. The 2024 Snowflake breaches revealed how fragile weak access controls are, with 165 organizations and millions of users affected. The breaches were not the result of advanced attacks. They happened because stolen passwords went unchecked, and multi-factor authentication was missing. As businesses move more of their data to the cloud and centralize it on platforms like Snowflake, a critical question emerges: who should have access, and how do you manage it at scale without slowing the business or weakening security?

In this article, we’ll break down the Snowflake Role Hierarchy, explain why it matters, and share best practices for structuring roles that support security, compliance, and day-to-day operations.

What is Snowflake’s role hierarchy?

Snowflake’s role hierarchy is a structured framework that defines how permissions and access controls are organized within the platform. In Snowflake, access to data and operations is governed entirely by roles. Using the Role-Based Access Control (RBAC) model, you grant privileges to roles, and then assign users to those roles, simplifying administration, ensuring consistency, and making audit access easier. RBAC is generally recommended for production environments and enterprise-level governance.

The hierarchy operates on a parent-child relationship model where higher-level roles inherit privileges from subordinate roles, creating a tree-like structure. This structure provides granularity, clarity, and reusability, but it requires thoughtful planning to avoid sprawl or over-permissioned users.

Core components of Snowflake RBAC

  • Roles: The fundamental building blocks that encapsulate specific privileges
  • Privileges: Defined levels of access to securable objects (databases, schemas, tables)
  • Users: Identities that can be assigned roles to access resources
  • Securable Objects: Entities like databases, tables, views, and warehouses that require access control
  • Role Inheritance: The mechanism allowing roles to inherit privileges from other roles

Understanding Snowflake's system-defined roles

Understanding the default role structure is crucial for building secure hierarchies:

ACCOUNTADMIN

SYSADMIN

  • Full control over database objects and users
  • Recommended parent for all custom roles
  • Manages warehouses, databases, and schemas

SECURITYADMIN

  • Manages user and role grants
  • Controls role assignment and privilege distribution
  • Essential for maintaining RBAC governance

Custom roles

  • Created for specific teams or functions within an organization (e.g ANALYST_READ_ONLY, ETL_WRITER).

Best practices for designing a secure Snowflake role hierarchy

A well-structured role hierarchy minimizes risk, supports compliance, and makes onboarding/offboarding easier. Here’s how one should do it right:

1. Follow the Principle of Least Privilege

Grant only the minimum required permissions for each role to perform its function. Avoid blanket grants like GRANT ALL ON DATABASE.

Do this:

  • Specific, targeted grants
  • Avoid cascading access down the role tree unless absolutely needed
  • Regularly audit roles to ensure they align with actual usage
GRANT SELECT ON TABLE SALES_DB.REPORTING.MONTHLY_REVENUE TO ROLE ANALYST_READ;
GRANT USAGE ON SCHEMA SALES_DB.REPORTING TO ROLE ANALYST_READ;
GRANT USAGE ON DATABASE SALES_DB TO ROLE ANALYST_READ;

Not this:

  • Overly broad permissions
GRANT ALL ON DATABASE SALES_DB TO ROLE ANALYST_READ;

Why does it matter?

Least privilege prevents accidental (or malicious) misuse of sensitive data. It also supports data governance and compliance with various regulations like GDPR or HIPAA.

2. Use a layered role design

Design your roles using a layered and modular approach, often structured like this:

  • Functional Roles (what the user does):
CREATE ROLE ANALYST_READ;
CREATE ROLE ETL_WRITE;
CREATE ROLE DATA_SCIENTIST_ALL;
  • Environment Roles (where the user operates)
CREATE ROLE DEV_READ_WRITE;
CREATE ROLE PROD_READ_ONLY;

Composite or Team Roles (Group users by department or team, assigning multiple functional/environment roles under one umbrella)

CREATE ROLE MARKETING_TEAM_ROLE → includes PROD_READ_ONLY + ANALYST_READ

3. Avoid granting privileges directly to users

Always assign privileges to roles and not users. Then, assign users to those roles.

Why it matters?

This keeps access transparent and auditable. If a user leaves or changes teams, simply revoke or change the role. There’s no need to hunt down granular permissions.

4. Establish consistent naming conventions

Enforce naming conventions as consistent role and object naming makes automation and governance far easier to scale.

Recommended Naming Pattern:

  • Access Roles: {ENV}_{DATABASE}_{ACCESS_LEVEL} (e.g., PROD_SALES_READ)
  • Functional Roles: {FUNCTION}_{TEAM} (e.g., DATA_ANALYST, ETL_ENGINEER)
  • Service Roles: {SERVICE}_{PURPOSE}_ROLE (e.g., FIVETRAN_LOADER_ROLE)

5. Use separate roles for Administration vs. Operations

Split roles that manage infrastructure (e.g., warehouses, roles, users) from roles that access data.

  • Admins: SYSADMIN, SECURITYADMIN
  • Data teams: DATA_ENGINEER_ROLE, ANALYST_ROLE, etc.

Why it matters? This separation of duties limits the potential impact of security incidents and supports audit compliance. Administrators should not have access to sensitive data unless it's absolutely necessary for their role.

6. Secure the top-level roles

Roles like ACCOUNTADMIN and SECURITYADMIN should be assigned to the fewest people possible, protected with MFA, and monitored for any usage.

Implementation Checklist:

  • Limit ACCOUNTADMIN to 2-3 emergency users maximum
  • Enable MFA for all administrative accounts
  • Set up monitoring and alerting for admin role usage
  • Regular access reviews and privilege audits
  • Document and justify all administrative access

Monitoring, auditing & compliance: keeping your Snowflake hierarchy healthy

Even the best-designed role trees can get messy over time. Here’s how to maintain security:

1. Regular access reviews

Implement quarterly access reviews to maintain security hygiene:

  • Role Effectiveness Analysis: Identify unused or over-privileged roles
  • User Access Validation: Verify users have appropriate role assignments
  • Privilege Scope Review: Ensure roles maintain least privilege principles
  • Compliance Mapping: Document role mappings to business functions

2. Logging and monitoring

Enable Access History and Login History in Snowflake to track activity and implement automation tools for role assignments during employee transitions.

3. Onboarding/offboarding automation

Implement automation tools or scripts to efficiently manage role assignments during employee transitions.

4. Object Tagging for enhanced security

Use object tagging to classify sensitive data and control access accordingly.

Measuring RBAC Success: Key Performance Indicators

1. Security Metrics

  • Access Review Coverage: % of roles reviewed quarterly
  • Privilege Violations: Number of excessive privilege grants identified
  • Failed Authentication Attempts: Monitor for unauthorized access patterns
  • Role Utilization Rate: % of active roles vs. total created roles

2. Operational Metrics

  • User Onboarding Time: Average time to provision new user access
  • Role Management Efficiency: Time to modify/update role permissions
  • Audit Response Time: Speed of access review and remediation
  • Automation Coverage: % of role operations automated vs. manual

3. Compliance Metrics

  • SOC 2 Readiness: Role hierarchy documentation completeness
  • GDPR/Data Privacy: Data access control effectiveness
  • Industry Compliance: Sector-specific requirement adherence
  • Change Management: Role modification approval and documentation

Future-Proofing Your RBAC Strategy

The way you manage access today will define how secure and scalable your Snowflake environment is tomorrow. The strength of Snowflake’s RBAC model lies in its flexibility, but that power comes with responsibility. As AI features mature, as multi-cloud deployments become the norm, and as regulators tighten expectations around data privacy, static role hierarchies quickly fall behind. A poorly structured role hierarchy can lead to data leaks, audit failures, higher operational costs, and stalled innovation.

At Snowstack, we specialize in building RBAC strategies that are not only secure today but ready for what’s next. Our team of Snowflake-first engineers has designed role models that scale across continents, safeguard sensitive data for regulated industries, and enable AI without exposing critical assets. We continuously monitor Snowflake’s roadmap and fold new security capabilities into your environment before they become business risks.

Don’t wait for the next breach to expose the cracks in your access controls. Let’s design an RBAC strategy that keeps you secure, compliant, and future-ready.

FAQs

RBAC provides scalability and centralized control by granting privileges to roles, which are then assigned to users. UBAC allows privileges to be assigned directly to individual users and is intended for collaborative scenarios like building Streamlit applications.

Follow the "Role of Three" principle: create Access Roles (data-centric), Functional Roles (business-centric), and Service Roles (system-centric). This approach avoids role explosion while maintaining necessary granularity.

Always assign privileges to roles and not users. Then, assign users to those roles. This keeps access transparent and auditable.

Design with hierarchy in mind – role ownership and grant structure should align with your intended control model. Map business functions to role layers and ensure clear inheritance paths.

Create emergency “break-glass” roles with elevated privileges that are heavily monitored and logged, require additional approval workflows, automatically expire after a set period of time, and immediately notify the security team when activated.

Conduct comprehensive access reviews every quarter, perform monthly spot checks on high-privilege administrative roles, service accounts, recently modified permissions, and roles tied to employees who have left the company.

Yes, automation is critical for scaling. Create stored procedures for role provisioning, use CI/CD pipelines for role deployment, and integrate with identity providers for user lifecycle management.

Classify and tag sensitive data, enforce row-level security and column masking, maintain detailed audit logs with supporting access documentation, run regular compliance assessments and gap analyses, and document the business justification for every access role granted.

Learn more about Snowflake from top experts

Join data leaders who get Snowflake insights and updates delivered straight to their inbox.

Thanks for joining us!

We’ll keep you posted with fresh updates and resources.

Oops! Something went wrong while submitting the form.
Insights

Learnings for data leaders

Blog
5 min read

How Snowflake is different from other databases: 3 architecture advantages for modern data teams

Some companies still run databases like it’s 1999. Others have adopted cloud-native architectures that cut costs in half and double performance. Guess who’s winning?

Read more

Some companies still run databases like it’s 1999. Others have adopted cloud-native architectures that cut costs in half and double performance. Guess who’s winning?

Traditional databases force a trade-off between performance and budget. Collaboration still means passing around CSVs. Forward-thinking organizations have shifted to Snowflake’s cloud-native architecture, which scales instantly, operates securely, and keeps costs under control. But what truly sets Snowflake apart from traditional databases or even other cloud data platforms?

In this blog, we’ll break down three key architectural advantages that make Snowflake a game-changer for businesses that want to migrate to the cloud.

But first, what is a cloud-native database?

A cloud-native database is designed from the ground up for the cloud. Unlike traditional databases that were adapted from on-premise systems, cloud-native platforms are purpose-built to take advantage of the cloud’s strengths: scalability, flexibility, and resilience.

They scale horizontally by adding capacity in parallel instead of relying on bigger machines. They automatically adjust resources up or down based on demand, so you only pay for what you use. They also come with built-in high availability through data replication and automated recovery.

In short, a cloud-native database removes the rigid trade-offs of legacy systems and gives modern businesses the performance, efficiency, and reliability they need to stay competitive.

Snowflake's architecture: 3 strategic advantages

Snowflake isn’t just faster or cheaper. It’s built differently. The three architectural choices below explain why modern data teams trust Snowflake to scale, collaborate, and deliver insights in ways legacy systems never could.

1. Separation of storage and compute: elasticity without trade-offs

Most databases tie storage and compute together. Need more power to run quarterly reports? You’ll also pay for storage you don’t use. Want to keep historical data at a lower cost? You’re still paying for compute you don’t actually need.

Snowflake's Solution: Snowflake's architecture fundamentally decouples storage and compute layers, creating unprecedented flexibility for modern data teams.

  • You can scale compute resources up or down independently of your data storage.
  • Multiple workloads (e.g., data ingestion, analytics queries, and reporting) can run simultaneously on isolated compute clusters without performance conflicts.
  • You can assign different warehouses (compute clusters) to different teams or departments without worrying about concurrency issues or resource contention.

Business impact: Imagine a BI team that runs heavy dashboards while a data science team trains models on the same data. The beauty behind this separation is that both can operate without stepping on each other’s toes. This translates to faster time-to-insight, cost control, and happy teams who aren’t waiting for resources to free up.

2. Multi-cluster shared data architecture: built for collaboration and scale

Traditional databases become performance challenge as more users access the system. Query response times degrade, teams queue for resources, and data silos emerge as different departments seek workarounds.

Snowflake's Solution: Snowflake’s multi-cluster shared data model allows any number of users and tools to access the same single source of truth without performance degradation. The platform automatically manages concurrency through intelligent multi-cluster compute scaling.

What this means for data teams:

  • Unlimited concurrency: Teams don’t have to wait in line to access the warehouse. Snowflake automatically adds compute clusters as needed and scales them back down when demand drops.
  • Cross-team collaboration: Data Engineers, analysts, and ML engineers can work off the same dataset in real time, using SQL, Python, or third-party tools.
  • Data sharing across organizations: Snowflake’s architecture supports secure data sharing with external partners or vendors without copying or moving data. You simply grant access.

Business impact: This makes Snowflake not just a warehouse but a collaboration platform for data. Whether your team is distributed across continents or collaborating with external partners, Snowflake enables fast, consistent, and secure access to data.

3. Zero management with cloud-native infrastructure

Managing a traditional database means dealing with provisioning, tuning, indexing, patching, and more. These tasks require specialized DBAs and often lead to downtime, delays, and human error.

Snowflake flips the script with a “zero-management” approach.

Thanks to its fully managed SaaS model:

  • No infrastructure to manage. Snowflake runs entirely in the cloud (on AWS, Azure, or GCP), abstracting away the underlying hardware.
  • Automatic tuning and optimization. No need to manually set indexes or optimize queries, Snowflake handles that under the hood.
  • Security and compliance out of the box. Features like automatic encryption, role-based access control, and compliance with standards (HIPAA, GDPR, SOC 2) are built-in.

Business impact: This lets your team focus on data and insights, not on maintenance. IT teams no longer need to waste time on low-value operational tasks. Instead, they can accelerate innovation and reduce costs.

Snowflake vs. the competition: why architecture matters

In 2025, your data architecture is more than a technical choice. It is a strategic decision that defines how quickly your organization can compete, innovate, and scale. When you compare modern data platforms, Snowflake's architectural advantages become clear when compared to alternatives:

How Snowflake’s architecture drives results?

Snowflake’s architecture solves the trade-offs that hold traditional databases back and delivers flexibility that many cloud platforms still lack. But technology alone is not enough. The difference comes from how you implement it.

Take the case of a $200M pharmaceutical distributor. Their teams were stuck with siloed on-prem systems, compliance risks, and reports that took hours to run. Our Snowflake-certified experts helped them migrate to Snowflake’s cloud-native architecture with a single governed data layer, dedicated compute clusters, and built-in role-based access. In just 90 days, reporting was 80% faster, the architecture was ready for AI and advanced analytics, and teams finally worked from the same source of truth.

👉 Read the full case study here

Making Snowflake’s architecture work for your business

Every organization’s data challenges look different, but the goal is the same: to turn Snowflake into a platform that delivers measurable results. That’s where Snowstack comes in. We bring proven experience from complex projects in finance, pharma, and FMCG. This gives clients confidence that their architecture is designed for scale, collaboration, and compliance from day one. Our role goes beyond implementation. We act as a long-term partner who helps data teams adapt, optimize, and grow with Snowflake as business needs evolve.

Are you getting the full value from Snowflake’s architecture?

FAQs

Snowflake's architecture separates storage and compute into independent layers, unlike traditional databases that tightly couple these resources. This means you can scale processing power without paying for additional storage, and store massive amounts of data without impacting query performance. Snowflake also provides unlimited concurrency through multi-cluster compute, automatic optimization, and zero infrastructure management.

Snowflake focuses on data warehousing, BI, and analytics with SQL-first approach and zero management overhead. Databricks specializes in data science, machine learning, and complex analytics with notebook-based development. Check our blog to explore the differences.

Snowflake uses a consumption-based pricing model with separate charges for storage and compute . You pay for data storage based on the amount stored (compressed), and compute costs based on the size and duration of warehouse usage. Credits are consumed only when warehouses are actively running queries. Check our blog to find out how you can optimize your data warehouse costs.

No, Snowflake is a cloud-native platform that runs exclusively on AWS, Azure, and Google Cloud Platform. However, this cloud-only approach is actually an advantage. It eliminates the infrastructure management overhead, provides automatic scaling, and ensures you always have access to the latest features and security updates without manual maintenance.

Yes, Snowflake natively supports semi-structured and unstructured data formats including JSON, XML, Parquet, Avro, and even binary data like images and documents.

Implementation timelines vary based on data complexity and organizational requirements. Simple migrations can be completed in 4–8 weeks, while comprehensive enterprise transformations typically take 3–6 months. Using proven frameworks and experienced implementation partners like Snowstack can significantly accelerate timelines while reducing risks and ensuring best practices from the start.

Snowflake runs natively on AWS, Azure, and Google Cloud Platform, using each cloud provider's infrastructure while maintaining a consistent experience across all platforms. You can even replicate data across different cloud regions or providers for disaster recovery and compliance requirements. Snowflake handles all the underlying infrastructure complexity, so you focus on your data, not cloud management.

Yes, Snowflake integrates with SQL Server, Oracle, and virtually any database through various methods: direct connectors, ETL tools like Fivetran or Informatica, custom APIs, and batch file transfers. Many organizations use Snowflake as their central data warehouse while keeping operational systems on SQL Server or Oracle, replicating data through automated pipelines.

Blog
5 min read

Why your Snowflake agents give wrong answers on good data

Your Snowflake agent gives wrong answers on clean data because it knows your schema, not your business - here's the context layer that fixes it.

Read more

Under the Hood: grounding CoWork with Cortex Sense — not just prompting it

Your agent isn't wrong because your data is dirty. It's wrong because it doesn't know what your data means. An LLM can read your schema perfectly — table names, column types, row counts — and still have no idea that net revenue means gross revenue after discounts, that the fiscal year starts in February, or that "active customer" excludes anyone who churned last quarter. That gap between the schema an agent sees and the business meaning it doesn't is where confident, wrong answers come from. Closing it is now the single highest-leverage thing a data team can do for AI.

That's also the thesis Snowflake built its entire Summit 2026 agentic story around.

What actually changed at Summit 2026

Two things matter for anyone running agents on Snowflake:

Snowflake Intelligence is now CoWork. Same product lineage — the personal work agent that decomposes a question, researches across structured and unstructured data, and returns a cited answer — new name. If you saw Episode 3, this is the thing you already built against. Existing deployments migrate automatically.

Cortex Sense is the headline, and it's about accuracy, not features. Cortex Sense is a runtime context-enrichment layer: it automatically assembles business context — query history, object metadata, BI dashboards, and Horizon Context semantic views — and feeds it to CoWork and CoCo at query time, with no manual configuration. Snowflake's own internal benchmark puts the difference starkly: 47% accuracy on complex enterprise queries without it, 83% with it— and just 23% for frontier coding agents wired up through Snowflake's MCP connector alone. The message Snowflake is sending could not be clearer: context, not the model, determines agent quality.

We agree with that framing. But there are two catches, and they're exactly where a data team's real work lives.

The two catches nobody puts on the keynote slide

Catch #1 — Cortex Sense is private preview (as of June 2026). CoWork is shipping to enterprises now; Cortex Sense is not generally available yet. So the default CoWork deployment today operates closer to that 47% baseline, withoutSnowflake's own context infrastructure at production readiness. You can't wait for the feature to flip on and rescue answer quality before your stakeholders start trusting (or distrusting) the agent.

Catch #2 — even at GA, Cortex Sense is only as good as what's underneath it. Read the description again: it assembles context from your semantic views, metadata, and dashboards. If those definitions are missing, ambiguous, or contradictory, Cortex Sense faithfully assembles ambiguous context. And there's a deeper trap that governance alone never solves: access control is not correctness. RBAC enforces who can query the revenue table; it says nothing about whether that table is accurate, consistently defined, or current. An agent querying a revenue figure with an upstream ingestion error will return a confident, beautifully-cited, wrong number — and every guardrail will have done its job.

So the work is the same whether Cortex Sense is in preview or GA: you build the governed context layer and you make sure the data beneath it is actually right. The good news is that this work is not throwaway — the semantic layer you build now is precisely the substrate Cortex Sense consumes later. You're not waiting for the feature; you're getting ahead of it.

Here's how we build it.

Under the Hood: the context layer, step by step

Step 1 — Put the business definitions in a governed semantic view

A semantic view is a schema-level Snowflake object that maps physical columns to business concepts — facts, dimensions, and metrics — and stores the definitions natively, under RBAC, where both Cortex Analyst and (eventually) Cortex Sense read them. This is where you kill ambiguity once, centrally, instead of in fifty different dashboards.

The canonical example is the one Snowflake itself uses: revenue is physically stored in a column called amt_ttl_pre_dsc, but the business always means gross revenue after discounts. You encode that once:

CREATE OR REPLACE SEMANTIC VIEW analytics.sales.revenue_model
  TABLES (
    orders AS prod.sales.orders
      PRIMARY KEY (order_id)
      WITH SYNONYMS ('sales', 'bookings')
      COMMENT = 'One row per order line. Source of truth for revenue.',
    unit AS prod.sales.business_unit_dim
      PRIMARY KEY (unit_id)
  )
  RELATIONSHIPS (
    orders_to_unit AS orders (unit_id) REFERENCES unit (unit_id)
  )
  FACTS (
    orders.gross_amount   AS amt_ttl_pre_dsc,
    orders.discount_rate  AS disc_rate
  )
  DIMENSIONS (
    unit.unit_name    AS unit_name WITH SYNONYMS ('business unit', 'segment'),
    orders.order_date AS order_dt
  )
  METRICS (
    orders.net_revenue AS SUM(orders.gross_amount * (1 - orders.discount_rate))
      COMMENT = 'Net revenue = gross revenue after discounts. Use this for ALL
                 revenue reporting. Never sum amt_ttl_pre_dsc directly.'
  )
  COMMENT = 'Governed revenue model. These definitions are the single source
             of truth for agents and BI alike.';

Now anyone — human or agent — asks the question the same way and gets the same number:

SELECT * FROM SEMANTIC_VIEW (
  analytics.sales.revenue_model
  METRICS    net_revenue
  DIMENSIONS unit_name
);

Step 2 — Write your comments like prompts, because they are

This is the part that separates "it compiles" from "the agent is actually right." In a semantic view, Cortex Analyst reads your COMMENT text as instructions, not documentation. The comment on net_revenue above isn't a note for a future engineer — it's telling the model which column is not revenue. Be that explicit everywhere: define what a metric means, when to use it, and what to avoid. If you don't write it down, the model guesses, and a guess is how you get a wrong answer on clean data.

Two more high-leverage moves on the same object:

  • Synonyms so "business unit," "segment," and "BU" all resolve to one dimension. Agents fail constantly on vocabulary mismatch; this fixes it cheaply.
  • Verified queries — known-good question/SQL pairs that anchor the model on your hardest or most political metrics:

-- inside CREATE SEMANTIC VIEW, after the COMMENT clause:
AI_VERIFIED_QUERIES (
  net_rev_by_unit AS (
    QUESTION  'What was net revenue by business unit last quarter?'
    VERIFIED_AT 1717200000
    VERIFIED_BY '(owner = data-platform@yourco.com)'
    SQL 'SELECT * FROM SEMANTIC_VIEW (analytics.sales.revenue_model
           METRICS net_revenue DIMENSIONS unit_name)'
  )
);

One discipline worth stating plainly: only add verified queries you have actually validated. One wrong example teaches the model a bad habit at scale.

Step 3 — Measure the lift on your KPIs, don't take 47→83 on faith

Snowflake's benchmark is theirs, on their data. Before you tell your CFO the agent is trustworthy, prove it on your questions. Snowflake ships a Cortex Agent evaluation framework for exactly this — define a dataset of real questions with expected answers, then score the agent against it:

evaluation:
  agent_params:
    agent_name: "revenue_agent"
    agent_type: "CORTEX AGENT"
  run_params:
    label: "Baseline — before semantic layer"
    source_metadata:
      type: "dataset"
      dataset_name: "kpi_eval_set"
  metrics:
    - answer_correctness        # how close the answer is to ground truth
    - tool_selection_accuracy   # did it call the right tools? (public preview)
    - logical_consistency       # reference-free; consistency across the run

Run it once before the semantic layer exists, run it again after. The delta is your evidence — and your regression test. Wire it into CI so a careless change to a metric definition can't silently re-break answer quality next month.

Step 4 — Fix the data the context layer points at

A perfect semantic layer over a stale or half-loaded table still produces a wrong answer, just a well-defined one. So the context work has a twin: source-to-report reconciliation, freshness checks, and catching the broken or partial feeds that quietly poison a metric. That's a whole topic — it's Episode 5 — but flag it now, because "the agent gave the wrong number" is at least as often an ingestion problem as a semantics problem.

What this means, by role

If you lead data or analytics: the semantic layer is no longer a BI nicety — it's the accuracy substrate for every agent you're about to be asked to deploy. Building it now pays twice: better Cortex Analyst answers today, and a ready-made context source for Cortex Sense when it GAs.

If you're the architect or lead engineer: treat semantic views as strict contracts, not flexible SQL. Model relationships explicitly, comment like you're prompting, anchor hard metrics with verified queries, and put an evaluation set in CI. This is the build work that makes the demo survive contact with production.

If you own the platform strategy (VP / CDO): the question your stakeholders are really asking is "can we trust this for a real decision?" The honest answer is "only as far as our governed definitions and our data quality go." That's a roadmap, not a blocker — and it's a far better place to invest than another model evaluation.

How we'd approach it

Most teams we talk to don't have a context problem they can see — they have a trust problem they can feel: two dashboards disagree, an agent answer doesn't match the board deck, nobody's quite sure which number is right. The fix starts with finding where the definitions diverge and where the data underneath is wrong, before pointing any agent at it.

That's the shape of our AI-readiness assessment — a fixed-scope first step that maps your sources, definitions, and the gaps between what your reports say and what your data actually contains, so the agents you ship are accurate by construction. If your CoWork answers are landing in the "confident but wrong" zone, that's the place to start.

FAQs

Because they understand the schema, not the business meaning. Without governed definitions for metrics, fiscal calendars, and segment rules, the model infers them — and inference is where confident, wrong answers originate. Take a look at our AI and Governance page for more details.

A runtime context-enrichment layer announced at Summit 2026 (June 2) that automatically assembles business context — query history, metadata, BI dashboards, and semantic views — and supplies it to CoWork and CoCo at query time. Snowflake's internal benchmark reports it lifts accuracy from 47% to 83% on complex enterprise queries. It is in private preview as of June 2026.

No. Cortex Sense draws on your semantic views and metadata. Building a governed semantic layer now improves Cortex Analyst answers today and becomes the exact substrate Cortex Sense consumes when it reaches GA.

No. RBAC and governance control who can access data; they do not certify that the data is correct, consistently defined, or current. An agent can be fully governed and still return a wrong number from a table with an upstream error.

For new work, semantic views — they're native schema-level objects with full RBAC, sharing, and catalog support. Legacy YAML semantic models still work with Cortex Analyst for backward compatibility.

Notes & sources: Cortex Sense status and the 47%→83% figure are from Snowflake's own materials and product announcements (Snowflake Summit 2026, June 2); Cortex Sense is in private preview as of June 2026, so treat the figure as a vendor benchmark and validate on your own data. Semantic-view DDL and the comment-as-instruction behavior follow Snowflake's CREATE SEMANTIC VIEW and semantic-view documentation; semantic-view SQL is stricter than ordinary SQL, so validate any DDL against current docs for your account version. Cortex Agent evaluation metrics (answer correctness, tool-selection accuracy, logical consistency) are from Snowflake's Cortex Agent evaluations documentation.

Blog
5 min read

Can Snowflake store unstructured data? How Snowflake handles documents, images, and other data in 2025

Snowflake isn’t just rows and columns anymore. In 2025 you can land PDFs, images, logs, and app data next to your tables, then query, enrich, and search them with SQL, Snowpark, and Cortex AI.

Read more

What if your PDFs, transcripts, and logs could live in the same place as your BI dashboards? For years, Snowflake was known primarily as a cloud native data warehouse built for structured analytics. It was the go-to solution for SQL analysts, BI teams, and data engineers working with neat rows and columns. Meanwhile, many teams dealing with documents, images, logs, and raw application data assumed they needed separate storage such as Amazon S3, Google Cloud Storage, Azure Blob, or NoSQL databases.

In 2025, that separation no longer has to exist. Snowflake is now a multimodal data platform that can store, process and query unstructured data.

So yes, Snowflake can store unstructured data, but more importantly, it can use it. This capability offers significant architectural advantages for modern data teams. In this blog post, we’ll break down exactly how and why it matters.

What is unstructured data?

Unstructured data refers to any information that doesn't fit neatly into traditional rows and columns. This includes:

  • Documents: PDF, DOCX, TXT files
  • Images: PNG, JPG, TIFF formats
  • Audio and video files: Media content and recordings
  • Logs and event data: Application and system logs
  • Communication data: Email threads and chat transcripts
  • Markup and structured text: HTML, XML, JSON blobs
  • Binary files: Application-specific file formats

As organisations increasingly generate massive volumes of this data, the need for unified platforms that can both store and analyse unstructured content has become critical.

How Snowflake stores unstructured data?

Snowflake stages for unstructured data

Snowflake manages unstructured data through stages. This means through storage locations that reference files either within Snowflake's managed infrastructure or in external cloud storage:

  • Internal Stages: Files are stored within Snowflake's managed storage, offering quick setup and seamless integration
  • External Stages: Files remain in external cloud locations (Amazon S3, Azure Blob Storage, Google Cloud Storage), with Snowflake accessing them via metadata references

You can also combine both approaches for optimal performance and scalability based on your specific requirements.

The FILE data type in Snowflake for unstructured files and metadata

Snowflake provides a dedicated FILE data type for unstructured data. A FILE value represents a reference to a file stored in an internal or external stage, without storing the actual file content in the table itself. This approach allows:

  • Efficient storage and cost management
  • Fast metadata querying
  • Seamless integration with processing pipelines

Accessing unstructured files in Snowflake

Snowflake provides familiar commands for file management:

  • PUT: Upload files to stages
  • GET: Download files from stages
  • LIST: View files stored in stages

These operations mirror cloud storage interactions while maintaining Snowflake's security and governance standards.

Processing and querying unstructured data in Snowflake

Storage is just the beginning. Snowflake's real power lies in its ability to process and extract insights from unstructured data.

Snowflake Cortex AI and Document AI for PDFs, images and hybrid search

Cortex AI enables advanced analytics on unstructured data directly within Snowflake:

  • Document analysis: Extract text, summarise content, and perform batch LLM inference on PDFs and documents
  • Image processing: Run classification and analysis on stored images
  • Multimodal SQL functions: Query and transform documents, images, and audio using SQL-powered pipelines
  • Schema-aware extraction: Automatically extract structured tables from unstructured documents like invoices and reports

Snowpark for custom processing

With Snowpark, you can:

  • Extract text from PDFs using Python
  • Perform image classification with embedded ML models
  • Parse JSON or log files into VARIANT columns
  • Run OCR, NLP, and generate embeddings via external functions
  • Build semantic search capabilities over document collections

VARIANT data type for semi-structured data

The VARIANT data type handles semi-structured data formats like JSON, XML, Parquet, and Avro:

  • Store complex, nested data structures
  • Query JSON fields directly using SQL
  • Maintain schema flexibility while preserving query performance

Why unified data architecture matters?

In most companies, data still lives in many places and tools. Dashboards sit on a legacy SQL warehouse, logs go to a separate observability stack, and documents and images disappear into unmanaged cloud buckets or shared drives.

Instead of stitching together a dozen point solutions, you can use Snowflake as the backbone of your data architecture and keep external systems only where they add unique value. The table below shows how data stack functions shift when you standardise on Snowflake in 2025:

Function Old architecture Snowflake in 2025
Analytics Separate SQL data warehouse Snowflake core engine
File storage S3, Google Cloud Storage, Azure Blob Internal storage plus external tables and integrations
Processing Spark clusters or ad hoc Python scripts Snowpark running in the same Snowflake account
Semi-structured & unstructured NoSQL database or object storage Native support in Snowflake tables and stages
Search & retrieval Elasticsearch or a separate search service Cortex search and vector search
ML & AI Separate ML platform and custom pipelines Snowflake AI Studio and Snowpark ML

Real-world use cases of handling unstructured data in Snowflake

Here is how this looks in practice. Below is our recent project, plus common patterns we see when teams bring documents, images, logs, and app data into Snowflake and put them to work.

Global finance, AI-ready in 90 days

A multinational finance firm spending more than 800K per month on cloud was battling rising costs and fragmented data. They needed a governed place for documents, logs, and tables. We used OpenFlow to ingest both structured and unstructured data into Snowflake, tracked lineage and policies in Horizon Catalog, set consistent business logic with semantic views, and enabled natural language querying through Cortex AI SQL. The result was about an 80% reduction in ingestion latency, real-time cost visibility with FinOps, and a platform ready for analytics, ML, and AI at scale.

Read how a global finance managed unstructured data in Snowflake →

Limitations and considerations of Snowflake

Snowflake’s unstructured data capabilities are strong, but it won’t fully replace your data lake or media platform. For B2B teams planning at scale, keep these practical constraints in mind:

  • Not a pure object storage replacement: Snowflake complements rather than replaces S3/GCS for massive-scale raw object storage
  • File retrieval performance: Binary object retrieval speed varies by file size and stage type
  • Compute costs: AI and ML workloads require careful resource management
  • Specialised use cases: For intensive video/audio editing, use specialised systems.

Best practices for managing unstructured data in Snowflake in 2025

1. Keep big binaries in external object storage, keep brains in Snowflake

Register S3, Blob, or GCS as external stages and reference files via the FILE type; keep only hot assets in internal stages for speed.

2. Standardize file layout and formats from day one

Use predictable paths (org/source/system/YYYY/MM/DD/id) and checksums; prefer compressed columnar formats like Parquet, with extracted text or page JSON beside PDFs and images.

3. Store metadata and embeddings in Snowflake, not in files

Put raw files in stages, but keep metadata, chunks, and embeddings in Snowflake tables linked by stable URIs for fast search and governance. Use directory tables to catalog staged files.

4. Orchestrate ingest → extract → enrich → index → serve with Snowpark

Run OCR, NLP, and parsers as Snowpark tasks and UDFs; batch, log runs, and make jobs idempotent so reruns are safe. Implementation flow in processing files with Snowpark.

5. Treat AI as a costed product

Separate warehouses for ELT and AI, strict auto-suspend, resource monitors, caching, and reuse of embeddings and summaries. Get a baseline with the FinOps savings calculator.

6. Govern at the row, column, and file edge

Classify on arrival, enforce row and column policies with masking, and keep least-privilege stage access and full lineage. For role design patterns, see Snowflake role hierarchy best practices.

Need a hand?

Our snowflake experts at Snowstack can audit your current setup, design a lean reference architecture, and prove value with a focused pilot. Read how we deliver in How we work or talk to a Snowflake expert.

Final thoughts

Snowflake doesn’t just store unstructured data; it makes it usable for search, analytics, and AI. With stages, the FILE data type, VARIANT, Snowpark, and Cortex, you can land documents, images, and logs alongside your tables, extract text and entities, generate embeddings, and govern everything under a single security and policy model. The winning pattern is simple: keep raw binaries in low-cost object storage, centralise metadata and embeddings in Snowflake, and start with one focused, high-value use case you can scale.

Ready to try this in your stack?

FAQs

Yes. Snowflake stores and processes unstructured files via stages (internal or external) and a FILE column type. You can access them with SQL and AI features. For setup help, see Snowflake implementation and AI and data governance.

Snowstack builds end-to-end pipelines for documents, images, logs, and app data. Start with Snowflake implementation or Contact.

A focused 4 to 6 week build: audit, reference architecture, secure stages and directory tables, ingest and extract jobs, embeddings and search, cost guards, and a demo with success metrics. See How we work.

FILE is a column type that holds a reference to a staged file (plus metadata like MIME type, size, etag, last modified, and URLs). It doesn't store the binary itself, just a pointer with metadata and helper functions (e.g., FL_GET_SIZE). We design schemas that use FILE in Advisory and architecture.

Create a stage, enable a directory table, then map staged files into a FILE column. We set this up during Migrations and integrations and Snowflake implementation.

Use internal stages for simplicity and hot paths. Use external stages when files live in S3, Azure Blob, or GCS. We help you choose in Advisory and architecture.

Use PUT to upload to internal stages, LIST to enumerate, and GET to download from internal stages. For external stages, upload with your cloud provider tools. At Snowstack, we standardise this in Migrations and integrations.

A directory table catalogs files on a stage so you can query, join to metadata, and build pipelines that react to file changes (with refresh/auto-refresh).

Yes. Use built-in services for document extraction, image understanding, and natural language queries. We enable safe usage through AI and data governance.

Yes. Snowflake provides a VECTOR data type, vector similarity functions, and embedding utilities for RAG/search over your files' text.

Aim for mid-sized files to balance parallelism and overhead; split very large files and compact many tiny ones. Get a sizing plan via Advisory and architecture.

Use scoped URLs (time-limited ~24h) or file URLs (require stage privileges). You can also generate scoped URLs with BUILD_SCOPED_FILE_URL.

Internal stage storage is billed by Snowflake; external stage storage is billed by your cloud provider; compute and any egress are separate. Start with the FinOps Savings Calculator and FinOps services.

Yes. Use a directory table (file catalog) and join it to tables holding metadata (e.g., owners, tags, PII flags) to power governance and pipelines.

Explore our latest blog posts for valuable insights.
View more insights
Stay up to date

Top data insights, delivered to your inbox

 Thanks for joining us!

We’ll keep you posted with fresh updates and resources.

Oops! Something went wrong while submitting the form.

Transform your data with Snowflake

You don't need to hire a data army or wait months to see results. Our Snowflake specialists will get you up and running fast, so you can make better decisions, cut costs, and beat competitors who are still stuck with spreadsheets and legacy systems

Learn more