EVALUATE_CANDIDATE_NETWORK_POLICY

Simulates the effect of applying a candidate network policy to historical ingress traffic, without activating the policy.

By analyzing the output, an administrator can answer questions such as:

  • What would this policy block?
  • Would legitimate users be affected?

The procedure evaluates every ingress client IP observed in the lookback window and produces a row-level hypothetical result for each one. It does not modify the account configuration.

See also:

RECOMMEND_NETWORK_POLICY

Syntax

SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME => '<string>'
  [, LOOKBACK_DAYS => <integer> ]
  [, USER_NAME => '<string>' ])

Arguments

Required:

POLICY_NAME => 'string'

Name of the candidate network policy to evaluate.

Optional:

LOOKBACK_DAYS => integer

Number of days of historical ingress traffic to evaluate. Controls how far back in time the simulation looks.

Default: 90

USER_NAME => 'string'

Restricts the evaluation to traffic from the specified user only.

Default: None (no filter; traffic from all users is included).

Returns

Returns a table containing (at least) the following columns:

Column name         Data type   Description
ACCESS_CLIENT_IP    VARCHAR     The client IP address observed in historical ingress traffic. This value can be an IPv4 or IPv6 address.
IS_ALLOWED          VARCHAR     Whether the IP would be allowed (YES) or blocked (NO) if the candidate policy were activated.

Interpretation:

  • YES — This IP would be allowed if the policy were activated.
  • NO — This IP would be blocked if the policy were activated.

The evaluation results don’t activate the policy. You must activate the recommended network policy if you want to enforce it, by running the ALTER ACCOUNT command. For an example, see step 8 in Generate and evaluate a candidate network policy.

Access control requirements

The user must have at least the SECURITYADMIN role to run this stored procedure.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes

  • The procedure is read-only with respect to account configuration. It doesn’t activate or modify any network policies.
  • This procedure can’t determine which IP addresses are correct or safe for your organization. You must validate results with your IT and security teams before activating the policy.
  • For accounts with a large volume of historical ingress access data, execution can take 1-2 minutes.
  • Evaluation results might be dense for high-traffic accounts and might require filtering or visualization.
  • Each row in the output represents a decision point that an administrator should review.
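The following is an added example (not part of the original Snowflake documentation) of how a practitioner can triage the procedure's output before deciding whether to activate the policy. It assumes a candidate policy named MY_INGRESS_POLICY, a 30-day lookback window, and that the active role can read SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (which requires IMPORTED PRIVILEGES on the SNOWFLAKE database and lags real time by up to a few hours). The result set of the CALL is captured with RESULT_SCAN so it can be filtered and joined like any other table.

```sql
-- Added example, not from the Snowflake docs page.
-- Assumptions: candidate policy MY_INGRESS_POLICY exists; the role can query
-- SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
USE ROLE SECURITYADMIN;

-- 1. Run the simulation and remember the query ID of its result set.
CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME   => 'MY_INGRESS_POLICY',
  LOOKBACK_DAYS => 30
);
SET eval_qid = LAST_QUERY_ID();

-- 2. "What would this policy block?" Count distinct observed IPs by outcome.
SELECT IS_ALLOWED, COUNT(*) AS ip_count
FROM TABLE(RESULT_SCAN($eval_qid))
GROUP BY IS_ALLOWED;

-- 3. "Would legitimate users be affected?" Join the would-be-blocked IPs
--    back to successful logins in the same window to see who used them,
--    how often, and when they were last seen.
SELECT
  e.ACCESS_CLIENT_IP,
  lh.USER_NAME,
  COUNT(*)                AS successful_logins,
  MIN(lh.EVENT_TIMESTAMP) AS first_seen,
  MAX(lh.EVENT_TIMESTAMP) AS last_seen
FROM TABLE(RESULT_SCAN($eval_qid)) e
JOIN SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY lh
  ON lh.CLIENT_IP = e.ACCESS_CLIENT_IP
WHERE e.IS_ALLOWED = 'NO'                 -- IS_ALLOWED is VARCHAR 'YES'/'NO'
  AND lh.IS_SUCCESS = 'YES'
  AND lh.EVENT_TIMESTAMP >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY e.ACCESS_CLIENT_IP, lh.USER_NAME
ORDER BY successful_logins DESC;

-- 4. Enforcement is a separate, deliberate step. Only after the blocked list
--    has been reviewed with the IT and security teams, activate the policy:
-- ALTER ACCOUNT SET NETWORK_POLICY = MY_INGRESS_POLICY;
```

Step 3 is the check that turns a dense list of IPs into something reviewable: an IP with no successful logins in the window is a candidate for blocking, while an IP that a named user logs in from daily needs an explicit decision before the policy goes live. Keep the ALTER ACCOUNT line commented until that review is done; the CALL itself never changes the account.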

Examples

Evaluate a candidate network policy using the default lookback window:

USE ROLE SECURITYADMIN;

CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME => 'MY_INGRESS_POLICY'
  );

Evaluate a candidate network policy against the last 90 days of ingress traffic:

USE ROLE SECURITYADMIN;

CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME => 'MY_INGRESS_POLICY',
  LOOKBACK_DAYS => 90
  );

Evaluate a candidate network policy against the last 90 days of ingress traffic for a user named user1:

USE ROLE SECURITYADMIN;

CALL SNOWFLAKE.NETWORK_SECURITY.EVALUATE_CANDIDATE_NETWORK_POLICY(
  POLICY_NAME => 'MY_INGRESS_POLICY',
  LOOKBACK_DAYS => 90,
  USER_NAME => 'user1'
  );