ALTER SECURITY INTEGRATION (SCIM)

Modifies the properties of an existing SCIM security integration. For information about modifying other types of security integrations (e.g. SAML2), see ALTER SECURITY INTEGRATION.

See also:

CREATE SECURITY INTEGRATION (SCIM) , DROP INTEGRATION , SHOW INTEGRATIONS , DESCRIBE INTEGRATION

语法

ALTER [ SECURITY ] INTEGRATION [ IF EXISTS ] <name> SET
    [ ENABLED = { TRUE | FALSE } ]
    [ NETWORK_POLICY = '<network_policy>' ]
    [ REJECT_TOKENS_ISSUED_BEFORE = '<datetime_string>' ]
    [ SYNC_PASSWORD = { TRUE | FALSE } ]
    [ COMMENT = '<string_literal>' ]

ALTER [ SECURITY ] INTEGRATION [ IF EXISTS ] <name>  UNSET {
                                                            NETWORK_POLICY |
                                                            [ , ... ]
                                                            }
ALTER [ SECURITY ] INTEGRATION <name> SET TAG <tag_name> = '<tag_value>'
    [ , <tag_name> = '<tag_value>' ... ]

ALTER [ SECURITY ] INTEGRATION <name> UNSET TAG <tag_name> [ , <tag_name> ... ]

参数

name

要更改的集成的标识符。如果标识符包含空格或特殊字符,则整个字符串必须放在双引号内。放在双引号内的标识符也区分大小写。

SET ...

指定要为集成设置的一个或多个属性/参数(用空格、逗号或新行分隔):

ENABLED = TRUE | FALSE

Specifies whether the security integration is enabled. To disable the integration, set ENABLED = FALSE.

NETWORK_POLICY = 'network_policy'

Specifies an existing network policy that controls SCIM network traffic.

If there are also network policies set for the account or user, see Network policy precedence.

REJECT_TOKENS_ISSUED_BEFORE = 'datetime_string'

如果设置了此参数,则在指定日期之前发行的令牌将被拒绝。这可以减轻与长期存在或可能遭到入侵的令牌相关的安全风险。如果未设置或未指定此参数,则令牌没有到期日期,之前由于此机制而被拒绝的令牌将被视为有效。在此日期之前发行的、已经获得批准的令牌不会失效,但验证在此日期之前发行的令牌的新请求将失败。

无法在 CREATE SECURITY INTEGRATION 语句中分配此参数;只能在创建集成后添加此参数。

The format is any valid Snowflake timestamp format, with an optional time zone. If the time zone is not provided, it is inferred from the current user settings. For example:

  • ‘Tue, 30 Sep 2025 12:30:00 -0700’
  • ‘Tue, 30 Sep 2025 12:30:00’
  • ’2025-09-30 12:30:00’

默认:没有最早的发行日期。

SYNC_PASSWORD = TRUE | FALSE

指定是否启用或禁用 Okta SCIM 客户端中的用户密码同步(作为 Snowflake API 请求的一部分)。

  • TRUE enables password synchronization.
  • FALSE disables password synchronization.

Default FALSE. If a security integration is created without setting this parameter, Snowflake sets this parameter to FALSE.

If user passwords should not be synchronized from the client to Snowflake, ensure this property value is set to FALSE and disable password synchronization in the Okta client.

Note that this property is only supported for Okta SCIM integrations. Microsoft Entra ID SCIM integrations are not supported because Microsoft Entra ID does not support password synchronization. To request support, please contact Microsoft.

For details, see Snowflake SCIM support.

COMMENT

字符串(字面量),用于指定集成注释。

默认:无值

TAG tag_name = 'tag_value' [ , tag_name = 'tag_value' , ... ]

Specifies the tag name and the tag string value.

The tag value is always a string, and the maximum number of characters for the tag value is 256.

For information about specifying tags in a statement, see Tag quotas.

UNSET ...

指定要为安全集成取消设置的一个或多个属性/参数,这会将它们重置回默认值:

  • NETWORK_POLICY
  • REJECT_TOKENS_ISSUED_BEFORE
  • SYNC_PASSWORD
  • COMMENT
  • TAG tag_name [ , tag_name ... ]

使用说明

关于元数据:

Attention

Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

示例

以下示例启动了已暂停的集成的操作:

ALTER SECURITY INTEGRATION myint SET ENABLED = TRUE;

以下代码为 SCIM 集成增加了令牌有效期限制;2025 年 9 月 30 日中午之前发行的令牌被视为无效。

ALTER SECURITY INTEGRATION 'example_integration'
  SET REJECT_TOKENS_ISSUED_BEFORE = '2025-09-30 12:00:00';