Scribd
Upload
68 views

16.access Control in Snowflake

The document discusses access control in Snowflake including key concepts such as roles, privileges, and the object hierarchy. It describes system defined roles like ACCOUNTADMIN and SYSADMIN and how custom roles can be created and organized in a role hierarchy.

Uploaded by

clouditlab9
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
68 views

16.access Control in Snowflake

The document discusses access control in Snowflake including key concepts such as roles, privileges, and the object hierarchy. It describes system defined roles like ACCOUNTADMIN and SYSADMIN and how custom roles can be created and organized in a role hierarchy.

Uploaded by

clouditlab9
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 14

Access Control in

Snowflake
Agenda
• What is Access Control
• Key Concepts of Access Control
• Objects Hierarchy
• Roles in Snowflake
• System Defined Roles
• Role Hierarchy
• Custom Roles
Access Control in Snowflake
• What is Access Control?
• Access control determines who can access database objects and perform
operations on specific objects in Snowflake.
• Snowflake supports and combines both of below access control models.
• Discretionary Access Control (DAC): Each object has an owner, who can in turn
grant access to that object.
• Role-based Access Control (RBAC): Access privileges are assigned to roles, which
are in turn assigned to users.
Key Concepts
Below are the key concepts of Snowflake Access Control mechanism.
• Securable object: An entity to which access can be granted. Tables, schemas, views
etc.
• Role: An entity to which privileges can be granted. Roles are in turn assigned to
users. Note that roles can also be assigned to other roles, creating a role hierarchy.
• Privilege: It is level of access that can be granted to any object. Like select, create,
drop, insert etc.
• User: Specifies the people or system to whom the access granted.
Key Concepts
Privileges
Privilege Usage
SELECT Execute a SELECT statement on the table.
INSERT Execute an INSERT query on the table.
UPDATE Execute an UPDATE query on the table.
TRUNCATE Execute a TRUNCATE query on the table.
DELETE Execute a DELETE query on the table.

ALL [ PRIVILEGES] Grant all privileges, except OWNERSHIP, on the table.

OWNERSHIP Grant full control over a table.


Object Hierarchy
Roles in Snowflake
• Roles are the entities to which privileges on securable objects can be granted
and revoked.
• Roles are assigned to users to allow them to perform actions required for
business functions
• A user can be assigned multiple roles. This allows users to switch roles.
• On Snowflake web UI window the top right corner shows which Role is currently
we are using.
• Two types of roles
1. System defined roles
2. Custom roles
System Defined Roles
1. ORGADMIN (Organization Administrator):
• Role that manages operations at the organization level. More specifically, this role:
• Can create accounts in the organization.
• Can view all accounts in the organization (using SHOW ORGANIZATION ACCOUNTS) as well as all
regions enabled for the organization (using SHOW REGIONS).
• Can view usage information across the organization.

2. ACCOUNTADMIN (Account Administrator):


• It is the top-level role in the system.
• Only Account Admin can see all account related things like usage, billing, users, roles, sessions and
reader account details.
• Should be granted only to a limited number of users in your account.
• Can enable multi factor authentication.
• Encapsulates the SYSADMIN and SECURITYADMIN system-defined roles.
System Defined Roles
3. SECURITYADMIN (Security Administrator):
• Role that can manage any object grant globally,
• Can create, monitor, and manage users and roles.
• Limited access to Account tab.
• Inherits the privileges of the USERADMIN role via the system role hierarchy.

4. USERADMIN (User and Role Administrator):


• Role that is dedicated to user and role management only.
• This role is granted the CREATE USER and CREATE ROLE security privileges.
• Can create users and roles in the account.
System Defined Roles
5. SYSADMIN (System Administrator):
• Role that has privileges to create warehouses and databases and other objects in an
account.
• This role also has the ability to grant privileges on warehouses, databases, and other
objects to other roles.
• All custom roles are assigned to the SYSADMIN role.

6. PUBLIC:
• Automatically granted to every user and every role in your account.
• The objects owned by the role are, by definition, available to every other user and
role in the account.
• This role is typically used in cases where all users have all access to the objects.
Role Hierarchy
Custom Roles
• Custom roles can be created by the USERADMIN role (or a higher role) as well as by any
role to which the CREATE ROLE privilege has been granted.
• By default, a newly-created role is not assigned to any user, nor granted to any other role.
• Snowflake recommends creating a hierarchy of custom roles, with the top-most custom
role assigned to the system role SYSADMIN. This will allow system administrators to
manage all objects in the account.
• If custom role is not assigned to SYSADMIN through a role hierarchy, the system
administrators will not be able to manage the objects owned by that role. Only
SECURITYADMIN can view the objects and modify their access grants.
Thank You

You might also like