User & Security DDL
Snowflake provides a full set of SQL commands for managing users and security. These commands can only be executed by users who are granted roles that have the OWNERSHIP privilege on the managed object. This is usually restricted to the ACCOUNTADMIN and SECURITYADMIN roles.
However, individual users are able to perform the following tasks for themselves:
- Change their password (only through the web interface).
- View their user information (via DESC USER).
- Change their default role, virtual warehouse, or namespace (via ALTER USER).
- Change their session parameters (via ALTER SESSION).
Each user with access to Snowflake is represented by a user object. A user object stores all of the information about the user, including their login name, password, and defaults (role, virtual warehouse, and namespace). Use the following DDL commands to manage users in the system:
Snowflake uses roles to control access to objects in the system:
- Roles are granted access privileges for objects in the system (databases, tables, etc.).
- Roles are granted to users to enable them to create, modify, and use the objects for which the roles have privileges.
- Roles can be granted to other roles to support defining hierarchical access privileges.
Use the following DDL commands to manage roles in the system:
Use the following command to use a role within a user session:
Use the following commands to manage access control for objects by granting (and revoking) object privileges to roles and granting roles to users and other roles:
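The role model described above, worked through as one sequence: privileges go to roles, roles go to other roles and to users, and the grants are then reviewed and revoked. This is an added example, not taken from the Snowflake documentation; the names `sales_db`, `reporting`, `report_wh`, `analyst_ro`, `analyst_rw` and `jsmith` are hypothetical, and the password is a placeholder.

```sql
-- Added example. All object, role and user names are hypothetical.
-- Run as a role allowed to manage users and grants (here SECURITYADMIN).
USE ROLE SECURITYADMIN;

-- 1. Create two roles: one read-only, one that adds write access.
CREATE ROLE analyst_ro;
CREATE ROLE analyst_rw;

-- 2. Grant object privileges to the roles, never directly to users.
--    Reading a table needs USAGE on its database and schema as well as
--    SELECT on the table, plus USAGE on a warehouse to run the query.
GRANT USAGE  ON WAREHOUSE report_wh          TO ROLE analyst_ro;
GRANT USAGE  ON DATABASE  sales_db           TO ROLE analyst_ro;
GRANT USAGE  ON SCHEMA    sales_db.reporting TO ROLE analyst_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.reporting TO ROLE analyst_ro;

GRANT INSERT, UPDATE, DELETE
  ON ALL TABLES IN SCHEMA sales_db.reporting TO ROLE analyst_rw;

-- 3. Build the hierarchy: analyst_rw inherits everything analyst_ro has.
GRANT ROLE analyst_ro TO ROLE analyst_rw;

-- 4. Create the user with defaults, then grant the role.
--    DEFAULT_ROLE only selects the role used at login; it does not grant
--    the role, so the explicit GRANT ROLE below is still required.
CREATE USER jsmith
  PASSWORD             = '<initial-password>'   -- placeholder
  MUST_CHANGE_PASSWORD = TRUE
  DEFAULT_ROLE         = analyst_ro
  DEFAULT_WAREHOUSE    = report_wh
  DEFAULT_NAMESPACE    = sales_db.reporting;
GRANT ROLE analyst_ro TO USER jsmith;

-- 5. Review what was granted before handing the account over.
SHOW GRANTS TO ROLE analyst_ro;   -- privileges the role holds
SHOW GRANTS OF ROLE analyst_ro;   -- users and roles that hold the role
SHOW GRANTS TO USER jsmith;       -- roles granted to the user

-- 6. In jsmith's own session, switch to the granted role:
--      USE ROLE analyst_ro;

-- 7. Remove access by revoking the role; the object privileges stay
--    attached to the role for its other holders.
REVOKE ROLE analyst_ro FROM USER jsmith;
```

Granting `analyst_rw` to a user gives them read access too, through the role hierarchy set up in step 3, so `SHOW GRANTS OF ROLE` on the lower role should be part of any access review.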