Security
Ingress traffic
The Snowflake Posit Team Native App is accessible via a secured subdomain provided by Snowflake, such as https://<prefix>.snowflakecomputing.com or https://<prefix>.privatelink.snowflakecomputing.com. Access is managed by Snowflake SPCS Ingress. All standard Snowflake authentication methods, including organizational SSO requirements, apply. For details on ingress, see Ingress using a Service from outside Snowflake.
Egress traffic
By default, the Posit Team Native App allows open egress traffic. This is managed using network rules.
To restrict egress, refer to instructions for changing the egress policy for Workbench or Connect via their management pages. The application itself only connects to Snowflake for the following purposes:
- OAuth authentication flow
- Database ODBC driver calls
- OCSP certificate validation
However, users can make arbitrary external requests, so administrators are advised to restrict egress where appropriate.
Default egress policy
The Native App’s default egress policy includes these endpoints. Optional ones can be removed:
| Endpoint | Required | Product | Description |
|---|---|---|---|
| `<organization>-<account>.snowflakecomputing.com:443` | Yes | Workbench | For Snowflake OAuth and ODBC queries |
| `ocsp.snowflakecomputing.com:80` | Yes | Workbench | For Snowflake certificate validation |
| `ocsp.digicert.com:80` | Yes | Workbench | For Snowflake certificate validation |
| `open-vsx.org:443`, `openvsxorg.blob.core.windows.net:443` | Optional | Workbench | To download VS Code and Positron extensions |
| `p3m.dev:443`, `rspm-sync.rstudio.com:443` | Optional | Workbench, Package Manager | For downloading PyPI, R, and Bioconductor packages from Posit-managed mirror |
| `0.0.0.0:443`, `0.0.0.0:80` | Optional | Workbench, Connect | Allows open egress; required for Snowflake VS Code Extension functionality |
You can determine your Snowflake account’s endpoint using this SQL query:
Snowsight UI
```sql
SELECT REPLACE(LOWER(CURRENT_ORGANIZATION_NAME()), '_', '-') || '-' || REPLACE(LOWER(CURRENT_ACCOUNT_NAME()), '_', '-') || '.snowflakecomputing.com';
```

You can verify the generated URL by visiting it in your browser; it should redirect to your Snowflake account where the Workbench Native App is hosted.
For further details, see Snowflake Network Rules.
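The following is an added example, not code from Posit or Snowflake: it audits an egress allowlist against the default-policy table above, deriving the account endpoint the same way the SQL query does, flagging open-egress entries, and reporting any required endpoint that is missing. The function names, report keys, and sample values are assumptions made for illustration.

```python
# Added example: audit a list of host:port egress entries against the
# default-policy table on this page. Classifications are copied from that
# table; function names, report keys and sample inputs are hypothetical.

REQUIRED = {"ocsp.snowflakecomputing.com:80", "ocsp.digicert.com:80"}
OPTIONAL = {
    "open-vsx.org:443", "openvsxorg.blob.core.windows.net:443",
    "p3m.dev:443", "rspm-sync.rstudio.com:443",
}
OPEN_EGRESS = {"0.0.0.0:443", "0.0.0.0:80"}  # allows any destination


def account_endpoint(organization: str, account: str) -> str:
    """Mirror the SQL query: lowercase, underscores replaced by hyphens."""
    def norm(name: str) -> str:
        return name.lower().replace("_", "-")
    return f"{norm(organization)}-{norm(account)}.snowflakecomputing.com:443"


def audit_egress(value_list, organization, account):
    """Classify each entry and report gaps in the required set."""
    required = REQUIRED | {account_endpoint(organization, account)}
    entries = {e.strip().lower() for e in value_list if e.strip()}
    report = {
        # Entries that defeat any restriction while present.
        "open_egress": sorted(entries & OPEN_EGRESS),
        # Entries the table marks as removable.
        "optional": sorted(entries & OPTIONAL),
        # Entries not in the default policy at all; review each one.
        "unlisted": sorted(entries - required - OPTIONAL - OPEN_EGRESS),
        # Required endpoints that are absent from the list.
        "missing_required": sorted(required - entries),
    }
    report["restricted"] = not report["open_egress"]
    return report


if __name__ == "__main__":
    # Constructed sample: a tightened list that dropped one OCSP endpoint
    # and gained one extra host (example.internal is a placeholder).
    sample = [
        "my-org-prod-1.snowflakecomputing.com:443",
        "ocsp.snowflakecomputing.com:80",
        "example.internal:443",
    ]
    for key, value in audit_egress(sample, "MY_ORG", "PROD_1").items():
        print(f"{key}: {value}")
```

Feed it the endpoint list shown on the Workbench or Connect management page after changing the egress policy; a non-empty `missing_required` means Snowflake OAuth, ODBC, or certificate validation will be blocked.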
Root access in the Posit Team Native App
Root access within the Native App is strictly disabled. No user, including administrators, has sudo access. This ensures:
- System reliability
- User data isolation (no access to other users’ files)
- Protection of managed OAuth credentials