Skip to main content

Stack: Snowflake

Okta disaster recovery for teams running on Snowflake

Snowflake customers typically federate via Okta SAML and provision via SCIM. The role-grant decisions Snowflake makes at login depend on the SAML attribute statement Okta sends. If that mapping drifts, your analysts log in but land in the wrong role — or no role at all — and silently lose access to the views they're audited on.

Butterfly captures point-in-time, encrypted snapshots of the Okta configuration that governs Snowflake access — the SAML app, the attribute statement, the SCIM feed, the assigned groups, and the sign-on policies. Restore preview shows the precise diff before any revert.

Book a 30-min demo with MickStart the free trial

What you get

How Butterfly fits Snowflake

SAML attribute statement is versioned

Every backup captures the Okta-side Snowflake SAML app's attribute statement, including the Snowflake role claim. Restore preview tells you which roles would be re-asserted before you commit.

SCIM provisioning feed is versioned

The Okta-to-Snowflake SCIM connection is captured per snapshot. If a teammate disables it during a cleanup, restore preview surfaces the disabled state and the user population affected.

Group rules that drive Snowflake role membership

Group rules are how most teams scale who-is-in-which-Snowflake-role. Butterfly versions every rule. Restore preview shows you which Snowflake-bound groups would gain or lose members before you commit.

What goes wrong

Three incidents you have already seen variations of

SAML attribute change rewrites role assertion

An edit to the Snowflake SAML attribute statement intended to clean up a stale claim rewrote the role assertion. Analysts logged in but landed in the PUBLIC role with no access to anything. Restore preview surfaces the diff and the change is reverted at the SAML-app scope.

SCIM feed deactivated during a directory cleanup

A teammate disabled the Snowflake SCIM provisioning connection while cleaning up unused integrations. New analysts were never provisioned into Snowflake. Restore preview restores the connection configuration; the assigned groups re-trigger provisioning.

Group rule renamed and breaks Snowflake role mapping

A group rule was renamed without updating the downstream mapping. Snowflake role assignments drifted silently for a week before a quarterly access review surfaced the discrepancy.

Honest scope

What Butterfly captures — and what it does not

In scope

The Okta-side configuration governing Snowflake access: the Snowflake SAML app integration with the full attribute statement, the SCIM provisioning configuration, the assigned users and groups, group rules, sign-on policies applied to the app, and Workflows automations.

Out of scope

We do not back up Snowflake databases, warehouses, role grants on the Snowflake side, or any Snowflake-side state. Snowflake recovery is owned by Snowflake's own Time Travel / Fail-safe features.

Plans

Free, Standard, or Business

Free

$0 / forever

  • 1 Okta connection
  • 7-day retention
  • 1 total backup
  • No credit card

Standard

$1 / user / month — $99 minimum

  • 2 Okta connections
  • 90-day retention
  • Restore preview + dry-run
  • Audit Pack PDF (framework-filterable)

Business

$2 / user / month — $299 minimum

  • Unlimited Okta connections
  • Unlimited retention
  • Continuity (warm standby)
  • Priority restore support

Pricing reference: /upgrade. Provider coverage today: Okta, Okta Workflows, Auth0.

Regulatory shape

Compliance and audit angle

SOC 2 CC6 / CC7 (logical access + system operations), ISO 27001 A.5.16 (identity management), HIPAA 164.312 (technical safeguards for PHI data warehouses), and PCI DSS Requirement 7 (need-to-know) all expect the identity layer governing data-warehouse access to be restorable. Butterfly's Audit Pack PDF supplies this evidence.

Butterfly's own SOC 2 Type II work is in progress; current status lives in the Trust Center.

Frequently asked

FAQ

Does Butterfly back up Snowflake itself?

No. Butterfly only backs up the Okta configuration that governs how your team reaches Snowflake. Snowflake-side state is handled by Snowflake's Time Travel and Fail-safe.

Can we see the SAML attribute statement diff between two snapshots?

Yes. Restore preview surfaces a structured diff between any two snapshots — including attribute statements, claims, and role assertions.

Is this compatible with Snowflake's SCIM 2.0 implementation?

Yes. Butterfly captures the Okta-side SCIM connector configuration. Any SCIM target Okta supports is in scope.

Recover your Okta org in minutes, not hours

Talk to Mick (the founder) for a 30-minute demo, or start the free trial. No credit card for the free tier.

Book a 30-min demo with MickStart the free trial

More stacks

Okta DR for other stacks

AWS infrastructureDatabricksSalesforceHubSpotMicrosoft 365Google WorkspaceGitHub EnterpriseSlackJira SoftwareNotionZoomDatadog1Password BusinessGitHub + Okta SSOAWS IAM Identity CenterSalesforce + Okta SSOAtlassian stackFinancial servicesHealthcare provider

Trust posture, subprocessors, and security details: Trust Center.