Security
Ingress traffic
The Posit Team Native App runs in Snowpark Container Services (SPCS) and is accessible via a secured subdomain provided by Snowflake, such as https://<prefix>.snowflakecomputing.com or https://<prefix>.privatelink.snowflakecomputing.com. SPCS ingress manages access to Posit Team. All standard Snowflake authentication methods, including organizational SSO requirements, apply. For details on ingress, see Ingress: Using a Service from outside Snowflake.
Egress traffic
By default, the Posit Team Native App configures network rules to allow open egress traffic.
To restrict egress, refer to instructions for changing the egress policy for Workbench or Connect via their management pages. The application itself only connects to Snowflake for the following purposes:
OAuth authentication flow
Database ODBC driver calls
Online Certificate Status Protocol (OCSP) certificate validation
As you consider egress restrictions, be aware that development workflows might need to access external resources.
Default egress policy
The Native App’s default egress policy includes these endpoints. Optional ones can be removed:
| Endpoint | Required | Product | Description |
|---|---|---|---|
<organization>-<account>.snowflakecomputing.com:443 |
Yes | Workbench | For Snowflake OAuth and ODBC queries |
ocsp.snowflakecomputing.com:80 |
Yes | Workbench | For Snowflake certificate validation |
ocsp.digicert.com:80 |
Yes | Workbench | For Snowflake certificate validation |
p3m.dev:443, packagemanager.posit.co:443, rspm-sync.rstudio.com:443 |
Optional | Workbench, Package Manager | For downloading PyPi, R, Bioconductor packages, and VS Code/Positron extensions from Posit-managed mirror |
0.0.0.0:443, 0.0.0.0:80 |
Optional | Workbench, Connect | Allows open egress; required for Snowflake VS Code Extension functionality |
You can determine your Snowflake account’s endpoint using this SQL query:
Snowsight UI
SELECT REPLACE(LOWER(CURRENT_ORGANIZATION_NAME()), '_', '-') || '-' || REPLACE(LOWER(CURRENT_ACCOUNT_NAME()), '_', '-') || '.snowflakecomputing.com';Visit the generated URL in your browser and verify that it points to the Snowflake account hosting the Posit Team Native App.
For further details, see Snowflake Network Rules.
Root access in the Posit Team Native App
Posit Team prohibits root access. No users, including administrators, have sudo access. This ensures:
- System reliability
- User data isolation (no access to other users’ files)
- Protection of managed OAuth credentials