Reltio Zero Copy segmentation with Snowflake
Learn about the Snowflake permission model required to support Zero Copy segmentation and how it enables secure, in-place segment evaluation.
The system creates Snowflake objects dynamically to execute segmentation logic. These objects are temporary and scoped to each segment execution.
Segmentation with Zero Copy integration enables segmentation to run directly within a customer-managed Snowflake instance, eliminating the need to replicate data. Segment rules defined by customers are executed directly in Snowflake where the data resides, ensuring access to the most current information while reducing data latency and storage overhead.
This approach uses Snowflake-native capabilities along with Reltio's federated query model to securely access, process, and manage interaction data. It dynamically creates and manages execution objects, enforces strict permission boundaries, and ensures that all operations remain within authorized data scopes.
The following sections describe how segmentation runs in Snowflake, the objects involved, and the controls that govern data access, security, and execution behavior.
How Zero Copy segmentation works
Reltio Zero Copy segmentation with Snowflake enables segmentation by using data that resides in the customer-managed Snowflake environment. Unified entity data is written to Snowflake, while interaction data remains in the customer warehouse. Based on the segment rules that you define, both datasets are processed directly in Snowflake to produce segment results.
The final segment results, including segment_id and entity_id, are stored in Snowflake. Reltio queries these results in real time to access segment membership for use within the platform. This approach avoids data duplication and ensures that segmentation operates on the most current data available.
To execute segmentation logic within Snowflake, the workflow relies on Snowflake-native objects that coordinate the end-to-end processing:
- Stored procedures contain segment logic, including table creation, cleanup, and result insertion
- Tasks execute the procedure asynchronously with retry and timeout handling
- Execution triggers start the task
- Cleanup operations remove temporary objects after execution
Objects created during execution
| Object | Name pattern | Lifecycle |
|---|---|---|
| Table | <schema>.segment_results | Shared and persistent |
| Procedure | <schema>.segment_proc_<segmentId> | Created per execution and removed after completion |
| Task | <schema>.segment_task_<segmentId> | Created per execution and removed after completion |
| Tags (optional) | zero_copy_tenant, zero_copy_segment_id | Reused if enabled |
Permission model
The permission model ensures segmentation runs within defined boundaries in Snowflake. Access is limited to a specific warehouse, database, and schema.
Permissions are grouped into:
- Baseline (Zero Copy): Required for Snowflake integration
- Segmentation specific: Required for execution
- Optional: Enable tagging and metadata
- Conditional: Required in ownership scenarios
Data access model
Segmentation operates on data stored in Snowflake by reading from source tables, evaluating segment conditions, and writing the results back to designated tables. The process is designed to maintain data consistency while ensuring that all read, write, and delete operations are governed by strict, role-based access controls and limited to authorized schemas and objects.
| Operation Type | Description |
|---|---|
| Read (Entities) | Unified entity data is copied to Snowflake, while interaction data remains in the customer data warehouse. Both datasets are used in Snowflake to execute segment rules and generate results. |
| Read (Interactions) | Segmentation reads data from the interactions table only when segment logic includes interaction-based conditions. |
| Write | Segmentation writes evaluation results to the segment_results table, which stores segment membership. |
| Delete | Segmentation deletes existing records for the segment before inserting new results to ensure data consistency. |
| Access Control | All read, write, and delete operations are explicitly controlled through granted permissions. |
| Data Scope | All data access is restricted to the designated schema and does not extend beyond authorized tables and objects. |
Security boundaries
The segmentation role operates within strict limits:
- Access is limited to a single database and schema
- Data access is restricted to explicitly granted tables
- Object creation is limited to the target schema
- Warehouse usage is limited to the assigned warehouse
The only account-level permission enables task scheduling and does not extend data access.
Account-level execution behavior
Zero Copy segmentation requires an account-level permission. This permission allows Snowflake to schedule and execute tasks created by the segmentation role. The role must have the ability to execute tasks at the account level.
The account-level permission does not allow the following:
- Executing tasks owned by other roles
- Accessing additional data
- Arbitrary query execution
- Escalating privileges
All data access continues to be governed by schema-level and table-level permissions. Execution capability remains restricted to the defined data boundaries.
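One way to verify these boundaries is to audit the role's grants. This is an added example, not Reltio's code. It checks rows shaped like `SHOW GRANTS TO ROLE` output, and it assumes the single account-level permission is Snowflake's `EXECUTE TASK`. All warehouse, database, schema, and table names are constructed placeholders.

```python
# Constructed boundary for this example; replace with your own object names.
ALLOWED = {
    "warehouse": "SEGMENT_WH",
    "database": "CUSTOMER_DB",
    "schema": "CUSTOMER_DB.ZERO_COPY",
    "tables": {
        "CUSTOMER_DB.ZERO_COPY.ENTITIES",
        "CUSTOMER_DB.ZERO_COPY.INTERACTIONS",
        "CUSTOMER_DB.ZERO_COPY.SEGMENT_RESULTS",
    },
    # Assumption: the single account-level permission is Snowflake's EXECUTE TASK.
    "account_privileges": {"EXECUTE TASK"},
}

def audit_grants(rows, allowed=ALLOWED):
    """Return (privilege, object type, name, reason) for each out-of-bounds grant."""
    findings = []
    for row in rows:
        priv = row["privilege"].upper()
        kind = row["granted_on"].upper()
        name = row["name"].upper()
        if kind == "ACCOUNT":
            ok, why = priv in allowed["account_privileges"], "extra account-level privilege"
        elif kind == "WAREHOUSE":
            ok, why = name == allowed["warehouse"], "warehouse outside assignment"
        elif kind == "DATABASE":
            ok, why = name == allowed["database"], "second database"
        elif kind == "SCHEMA":
            ok, why = name == allowed["schema"], "schema outside target"
        elif kind == "TABLE":
            ok, why = name in allowed["tables"], "table not explicitly granted"
        else:  # procedures, tasks, tags, views: must live in the target schema
            ok, why = name.startswith(allowed["schema"] + "."), "object outside target schema"
        if not ok:
            findings.append((priv, kind, name, why))
    return findings

# Constructed rows using the privilege / granted_on / name columns of SHOW GRANTS.
SAMPLE_ROWS = [
    {"privilege": "USAGE", "granted_on": "WAREHOUSE", "name": "SEGMENT_WH"},
    {"privilege": "USAGE", "granted_on": "DATABASE", "name": "CUSTOMER_DB"},
    {"privilege": "CREATE TASK", "granted_on": "SCHEMA", "name": "CUSTOMER_DB.ZERO_COPY"},
    {"privilege": "SELECT", "granted_on": "TABLE", "name": "CUSTOMER_DB.ZERO_COPY.INTERACTIONS"},
    {"privilege": "EXECUTE TASK", "granted_on": "ACCOUNT", "name": "MY_ACCOUNT"},
    {"privilege": "SELECT", "granted_on": "TABLE", "name": "CUSTOMER_DB.FINANCE.PAYROLL"},
    {"privilege": "MANAGE GRANTS", "granted_on": "ACCOUNT", "name": "MY_ACCOUNT"},
]
```

Running `audit_grants(SAMPLE_ROWS)` flags the last two constructed rows: a table outside the target schema and a second account-level privilege.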
Optional capabilities
- Tags are applied to segmentation tasks for tracking and filtering when the required permissions are available.
- Execution continues if tagging permissions are not granted, and a warning is logged instead.
- Table reclustering is triggered during execution to optimize storage and query performance.
- Reclustering is automatically skipped if the role lacks sufficient privileges, without affecting segmentation results.