Authorize Use

Type: Procedure

Request an authorization decision for a specific data operation. This is the core policy enforcement tool. It evaluates the requested operation against all applicable governance policies and returns a structured decision with conditions, obligations, and evidence.

Use Cases

An AI agent checks whether it can read from a sensitive table before executing a query
An export workflow verifies authorization before sending data to an external system
A data-sharing pipeline checks cross-jurisdiction rules before replicating data
An agent asks "can I use this data for model training?" and gets a policy-backed answer

Input Parameters

Parameter	Type	Required	Description
`table_name`	string	Yes	Fully qualified table name (`DB.SCHEMA.TABLE`).
`operation`	string	Yes	The operation being requested. Common values: `read`, `write`, `export`, `share`, `transform`, `delete`, `aggregate`.
`intended_use`	string	Yes	Plain-language description of what the data will be used for. This is evaluated against usage rules.
`actor_role`	string	No	The Snowflake role or logical role performing the operation (e.g., `DATA_ANALYST`, `ML_ENGINEER`). Defaults to the session role.
`columns`	array	No	Array of column names involved in the operation. If omitted, the decision applies to all columns in the table.
`destination`	object	No	Where the data is going. Useful for export/share operations.
`destination.system`	string	No	Target system name (e.g., `"Salesforce"`, `"S3"`, `"Tableau"`)
`destination.jurisdiction`	string	No	Legal jurisdiction of the destination (e.g., `"EU"`, `"US"`)
`jurisdiction`	string	No	Jurisdiction context for the operation (e.g., `"EU"`, `"US-CA"`). Used for cross-border data transfer evaluation.
`context`	object	No	Additional context as key-value pairs. Passed to policy evaluation for custom rule matching.

Output Schema

Field	Type	Description
`decision`	string	One of: `ALLOW`, `DENY`, `CONDITIONAL`, `UNKNOWN`
`decision_id`	string	Unique identifier for this decision. Use with `explain-why` to retrieve the full audit trail.
`confidence`	number	Confidence score from 0.0 to 1.0. Lower values indicate ambiguous policy coverage.
`summary`	string	Human-readable summary of the decision.
`reason_codes`	array	Machine-readable reason codes (e.g., `["PII_ACCESS_RESTRICTED", "CROSS_BORDER_BLOCKED"]`)
`conditions`	array	Conditions that must be met for a `CONDITIONAL` decision (e.g., `["Apply column masking on EMAIL", "Log access for audit"]`)
`prohibitions`	array	Actions that are explicitly prohibited (e.g., `["Do not store PII in external system"]`)
`obligations`	array	Required follow-up actions (e.g., `["Notify data steward within 24h", "Delete after processing"]`)
`next_actions`	array	Suggested next steps for the caller (e.g., `["Request access elevation via Jira"]`)
`evidence`	array	Policy references that informed the decision
`evidence[].policy_id`	string	Policy identifier
`evidence[].policy_name`	string	Policy name
`evidence[].rule`	string	Specific rule within the policy
`evidence[].impact`	string	How this rule impacted the decision: `allow`, `deny`, `condition`
`applicable_policies`	array	List of all policies evaluated, including those that did not affect the outcome

Example Response

{
  "status": "success",
  "data": {
    "decision": "CONDITIONAL",
    "decision_id": "dec_a1b2c3d4e5f6",
    "confidence": 0.92,
    "summary": "Data access is allowed with conditions. PII columns must be masked and access must be logged.",
    "reason_codes": ["PII_MASKING_REQUIRED", "AUDIT_LOGGING_REQUIRED"],
    "conditions": [
      "Apply column masking on EMAIL, PHONE, SSN",
      "Log this access event for compliance audit"
    ],
    "prohibitions": [
      "Do not persist unmasked PII outside the Snowflake environment"
    ],
    "obligations": [
      "Retain access log for 90 days",
      "Notify data steward if data is used beyond stated purpose"
    ],
    "next_actions": [
      "Proceed with masked columns",
      "Use validate-query-context to check your SQL before execution"
    ],
    "evidence": [
      {
        "policy_id": "pol_customer_pii_001",
        "policy_name": "Customer PII Protection",
        "rule": "PII columns require masking for non-admin roles",
        "impact": "condition"
      },
      {
        "policy_id": "pol_audit_001",
        "policy_name": "Data Access Audit Policy",
        "rule": "All access to confidential tables must be logged",
        "impact": "condition"
      }
    ],
    "applicable_policies": [
      "pol_customer_pii_001",
      "pol_audit_001",
      "pol_retention_001"
    ]
  },
  "errors": []
}

SQL Examples

Basic authorization check

CALL METATATE_APP.CORE.AUTHORIZE_DATA_USE(
  OBJECT_CONSTRUCT(
    'table_name', 'ANALYTICS_DB.CORE.CUSTOMERS',
    'operation', 'read',
    'intended_use', 'Generate a quarterly customer engagement report'
  )
);

Authorization for data export with destination

CALL METATATE_APP.CORE.AUTHORIZE_DATA_USE(
  OBJECT_CONSTRUCT(
    'table_name', 'ANALYTICS_DB.CORE.CUSTOMERS',
    'operation', 'export',
    'intended_use', 'Sync customer records to CRM for sales outreach',
    'actor_role', 'DATA_ENGINEER',
    'columns', ARRAY_CONSTRUCT('NAME', 'EMAIL', 'COMPANY', 'ACCOUNT_STATUS'),
    'destination', OBJECT_CONSTRUCT(
      'system', 'Salesforce',
      'jurisdiction', 'US'
    ),
    'jurisdiction', 'EU'
  )
);

Check authorization for ML training

CALL METATATE_APP.CORE.AUTHORIZE_DATA_USE(
  OBJECT_CONSTRUCT(
    'table_name', 'ANALYTICS_DB.CORE.TRANSACTIONS',
    'operation', 'transform',
    'intended_use', 'Feature engineering for fraud detection ML model',
    'actor_role', 'ML_ENGINEER',
    'context', OBJECT_CONSTRUCT(
      'project', 'fraud_detection_v2',
      'environment', 'development'
    )
  )
);

JSON Request / Response (API)

Request:

{
  "method": "tools/call",
  "params": {
    "name": "authorize-use",
    "arguments": {
      "table_name": "ANALYTICS_DB.CORE.CUSTOMERS",
      "operation": "export",
      "intended_use": "Sync customer records to CRM",
      "destination": {
        "system": "Salesforce",
        "jurisdiction": "US"
      }
    }
  }
}

Response:

{
  "content": [
    {
      "type": "text",
      "text": "{\"status\":\"success\",\"data\":{\"decision\":\"CONDITIONAL\",\"decision_id\":\"dec_a1b2c3d4e5f6\",\"confidence\":0.92,\"summary\":\"Export allowed with conditions. PII columns must be excluded or masked.\",\"reason_codes\":[\"PII_MASKING_REQUIRED\"],\"conditions\":[\"Exclude or mask EMAIL, PHONE, SSN columns before export\"],\"prohibitions\":[\"Do not export SSN to external systems\"],\"obligations\":[\"Log export event for compliance audit\"],\"next_actions\":[\"Remove PII columns from export and retry\"],\"evidence\":[{\"policy_id\":\"pol_customer_pii_001\",\"policy_name\":\"Customer PII Protection\",\"rule\":\"PII must not leave Snowflake unmasked\",\"impact\":\"condition\"}],\"applicable_policies\":[\"pol_customer_pii_001\",\"pol_audit_001\"]},\"errors\":[]}"
    }
  ]
}

Try it in the app

Open Metatate and navigate to the Test Tools tab to run authorize-use interactively. The form pre-populates operation choices and lets you build destination and context objects visually.

Use Cases​

Input Parameters​

Output Schema​

Example Response​

SQL Examples​

Basic authorization check​

Authorization for data export with destination​

Check authorization for ML training​

JSON Request / Response (API)​