How Snowflake automated user access reviews with Retool
Snowflake (NYSE: SNOW), a cloud-based data platform, grew headcount 10x in 4 years and needed a better way to review user access rights every quarter. The security and compliance teams found that the Retool platform struck the right balance between building and buying.
What was once a disjointed workflow across spreadsheets, tickets, and apps became a connected platform where teams could review and manage user access in one place, while also building trust with auditors and winning enterprise deals. Retool’s flexible nature made it easy to incorporate feedback from the team quickly, roll out updates in days, and ultimately enable a fast-growing public company to maintain compliance and stay audit-ready.
From 2018 to 2022, Snowflake expanded headcount from 400 to 4,000 employees to support the company’s explosive growth and adoption. This hypergrowth, coupled with the scrutiny of becoming a public company, often meant dealing with manual processes that weren’t keeping up with the scale.
But one process came to a head when Falguni Sonawala, a Manager on the Security Governance Risk & Compliance team, and Cameron Tekiyeh, a Manager on the Security Analytics team, noticed that teams were burning 6-7 weeks every quarter manually reviewing user access rights for each employee. Preparation and remediation took place across dozens of fragmented tools.
Falguni explains, “We had a suite of 30 systems that were siloed and disintegrated. Each system came with its own process, resulting in a bad experience for end users. It was very manual, very time-consuming, and highly error-prone.”
Without data flowing between their static spreadsheets and apps, Falguni and the team would need to catch errors manually: “We’d review 100 users, then when the audit happened, we’d realize one user was missed or done late. It created a lot of frustration.”
The absence of a robust audit trail led to auditor mistrust and created sales friction: “When you have these issues crop up on your audit reports, it suggests as a company that you're not being diligent enough.”
With managers manually sending screenshots, and IT in a constant state of provisioning and deprovisioning users, hundreds of hours were being wasted across the organization. And it was really starting to frustrate managers: “Towards the end of last year, we noticed pushback from managers doing reviews. They didn’t always have the right context, and thought the process was ineffective.” Falguni and Cameron knew they needed a better way to scale efficiently.
They needed a way to automate their manual review process and unify the experience currently split across dozens of apps.
Building from scratch would be time-consuming and would require a team of developers. Buying an off-the-shelf solution would be too rigid and costly. As Cameron told us: “Solutions like IAM vendors were expensive and harder to focus on a particular use case. It’d also be difficult to make changes based on manager feedback”.
Retool fit right in the sweet spot: “Retool was the nice in-between. Retool provided the platform that allowed teams like mine—not formal software engineers—to build apps quickly and partner with other business-centric teams.” Cameron and his team wouldn’t be “bogged down on the fundamental building blocks that are already included out-of-the-box with Retool. We could dream big but also move fast.”
During the buildout, the security and compliance teams collected feedback and iterated quickly without stopping operations. On this Cameron notes: “It took us 2.5-3 months to get up on Retool and capture that audit control with all the managers, including implementing their feedback. We were able to quickly iterate without going through a formal process.” This was in sharp contrast to the years-long journey of tinkering with an amalgamation of legacy tooling.
Because Retool abstracted away the burden of building a UI from scratch, the team could stay focused on functionality first. “Retool allowed us to focus on the functionality and then focus on the UI. We stayed business-centric, knowing that we could redesign the UI later on. This was a huge benefit over other tools.”
When it came time to design the UI, the team leveraged Retool’s library of UI components (buttons, menus, tables, etc.). Later down the road, continuing to improve what they built “took no more than a week”.
As you might expect, the team at Snowflake uses Snowflake to manage all of their data, and as such, one of the biggest selling points for Retool was the pre-built integration with Snowflake. From there, the team could build any interface on top of their existing data: “We were able to plug into data already in Snowflake, connect with apps via pre-built integrations, leverage existing building blocks, and iterate fast based on team needs and feedback.”
Being able to connect with their existing tool stack enabled them to extend the use cases for their user review app: “Retool helps us connect with remediation tools—Jira, ServiceNow, Slack—and write back through Snowflake to access management tools—Okta, Active Directory—to remove users from groups that grant them access to various apps.”
The goal is to minimize errors, reducing manual revocations by up to 90%. Falguni adds, “With automation, we would no longer have to ask the IT team to de-provision users and later see that we missed one, which would result in an audit finding.”
They also significantly reduced manual ticket creation—a process where teams would have to write a Jira ticket to have access taken away—from ~300 Jira tickets to zero per quarter.
Now that there was a clear path for data to flow, implementing GitHub to handle change control was not only possible but necessary to stay audit-ready. Sonawala adds: “Integrating GitHub in each workstream was important to govern change control around these data transformations, and to provide assurance to auditors around the accuracy and completeness of the data.”
Adding new apps was even faster than building the first. Falguni and Cameron built two apps to automate user access reviews with the Retool platform: the Security & Compliance Portal and the Manager Portal. The Security & Compliance Portal gave Falguni and Cameron’s teams a snapshot view of progress by manager and system, and enabled them to take action on submitted user reviews.
It was streamlined, automated, and a huge leap forward from the earlier process. Falguni shares, “Previously when we kicked off a review, we would literally all get into a room for a meeting and start another spreadsheet. Now we have an app to do that.”
“When it's time for a new review to be initiated, data gets populated on the Retool platform, [and] we can change any dates, systems or users in scope, and we're good to go. This is a huge burden off our shoulders.” –Falguni Sonawala
In a world where security and compliance risks are changing fast, it was important for Falguni to update their app quickly as well: “We can customize the default reasons for user revocation in response to changing audit requirements, and add other incremental features very quickly.” And with the Slack integration, they’ve been able to automate manual outreach to delayed teammates “who haven't done their reviews after a certain date. It’s an easy integration that’s customizable. We don't have to follow-up manually with individuals.”
The Manager Portal enabled managers across the org to perform and track their reviews in one place. No more taking manual screenshots, or filling endless spreadsheets.
Managers could easily filter one user at a time, and answer questions required to stay compliant—including why the access was appropriate and why it was changing. As Cameron notes, it provides these “end users a snapshot of how far along they are in the review.” Now managers could submit and track their reviews from one platform without disrupting their workflow.
Snowflake unified what was once a fragmented user access review experience into a pair of powerful internal apps, which are forecasted to reduce hours spent on user reviews by 65% and the total time to close reviews by 30%. A more complete and accurate audit trail should also build trust across internal and external stakeholders, from auditors to sales to customers.
Looking beyond the rollout, Snowflake plans to expand the use cases even further with Retool, tackling challenges related to incident response and case management, and collaborating more deeply with the product engineering org. At the heart of Retool’s platform, Cameron notes, is its ability to “build apps and solve problems quickly”. This adaptability is exactly what Snowflake needs as it readies itself for the next phase of growth.