User & Security DDL

Snowflake provides a full set of SQL commands for managing users and security. These commands can only be executed by users who are granted roles that have the OWNERSHIP privilege on the managed object. This is usually restricted to the ACCOUNTADMIN and SECURITYADMIN roles.

However, individual users are able to perform the following tasks for themselves:

  • Change their password (only through the web interface).
  • View their user information (via DESC USER).
  • Change their default role, virtual warehouse, or namespace (via ALTER USER).
  • Change their session parameters (via ALTER SESSION).

User Management

Each user with access to Snowflake is represented by a user object. A user object stores all of the information about the user, including their login name, password, and defaults (role, virtual warehouse, and namespace). Use the following DDL commands to manage users in the system:

Role Management

Snowflake uses roles to control access to objects in the system:

  • Roles are granted access privileges for objects in the system (databases, tables, etc.).
  • Roles are granted to users to enable them to create, modify, and use the objects for which the roles have privileges.
  • Roles can be granted to other roles to support defining hierarchical access privileges.

Use the following DDL commands to manage roles in the system:

Use the following command to use a role within a user session:

Access Control

Use the following commands to manage access control for objects by granting (and revoking) object privileges to roles and granting roles to users and other roles:

Network Policy Management

A network policy restricts access to your account based on the user's IP address. Use the following commands to create, alter, or drop network policies:
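The following is an added example, not part of the original page, that ties the sections above together: a read-only role, a read-write role that inherits from it, a user with a least-privilege default role, and a network policy. The object names (sales_db, analyst_ro, analyst_rw, jdoe, corp_vpn_only), the password placeholder, and the IP ranges are constructed for illustration.

```sql
-- Constructed names: sales_db, analyst_ro, analyst_rw, jdoe, corp_vpn_only.
-- IP ranges are RFC 5737 documentation addresses, not real networks.

USE ROLE SECURITYADMIN;  -- one of the roles the page names for security DDL

-- 1. Roles are granted privileges on objects.
--    USAGE on the database and schema is needed before SELECT is usable.
CREATE ROLE IF NOT EXISTS analyst_ro
  COMMENT = 'Read-only access to sales_db.public';
GRANT USAGE  ON DATABASE sales_db                    TO ROLE analyst_ro;
GRANT USAGE  ON SCHEMA   sales_db.public             TO ROLE analyst_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.public TO ROLE analyst_ro;

-- 2. Roles can be granted to other roles to build a hierarchy.
--    analyst_rw inherits everything analyst_ro has and adds write access.
CREATE ROLE IF NOT EXISTS analyst_rw
  COMMENT = 'Read-write access to sales_db.public';
GRANT ROLE analyst_ro TO ROLE analyst_rw;
GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA sales_db.public TO ROLE analyst_rw;

-- 3. Roles are granted to users. The user starts each session in the
--    narrowest role and must switch roles explicitly to get more.
CREATE USER IF NOT EXISTS jdoe
  PASSWORD = '<temporary-password>'   -- placeholder, replace before running
  MUST_CHANGE_PASSWORD = TRUE
  DEFAULT_ROLE = analyst_ro;
GRANT ROLE analyst_ro TO USER jdoe;

-- 4. Network policy: allow one range, block a single address inside it.
CREATE NETWORK POLICY corp_vpn_only
  ALLOWED_IP_LIST = ('192.0.2.0/24')
  BLOCKED_IP_LIST = ('192.0.2.66');
ALTER ACCOUNT SET NETWORK_POLICY = corp_vpn_only;

-- 5. Review what was granted before handing the account over.
SHOW GRANTS TO ROLE analyst_ro;   -- privileges held by the role
SHOW GRANTS OF ROLE analyst_rw;   -- users and roles that hold analyst_rw
SHOW GRANTS TO USER jdoe;         -- roles granted to the user
DESC USER jdoe;                   -- confirm the default role
```

Because analyst_rw is not granted to jdoe, that user cannot reach write privileges even with USE ROLE; the SHOW GRANTS output in step 5 is the check that the hierarchy matches the intent.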