User Management

Security and account administrators (i.e. users with the SECURITYADMIN role or higher) can create and manage Snowflake users through SQL or the web interface:

  • Using SQL, administrators can perform all user-related tasks, including changing login credentials and defaults for users.
  • The web interface doesn’t support all user-related tasks, but provides a convenient wizard for creating users and performing most common activities, such as resetting a user’s password.

Note

To create, alter, or drop users, you must use the SECURITYADMIN role or higher.

In this Topic:

Snowflake Password Policy

A password can be any string up to 256 characters, including blank spaces and special (i.e. non-alphanumeric) characters, such as exclamation points (!), percent signs (%), and asterisks (*). Passwords are case-sensitive.

Snowflake enforces the following policy password when an existing password is reset for a user, either by a security administrator or the user on their own:

  • Must be at least 8 characters long.
  • Must contain at least 1 digit.
  • Must contain at least 1 uppercase letter and 1 lowercase letter.

Note that this policy only covers minimum requirements for user passwords. We strongly recommend the following guidelines for creating the strongest passwords possible:

  • Create a unique password for Snowflake (i.e. do not reuse passwords from other systems or accounts).
  • Use more than 8 characters.
  • Include multiple, random mixed-case letters, numbers, and special characters, including blank spaces.
  • Do not use easily-guessed common passwords, names, numbers, or dates.

User Roles

Snowflake uses roles to control the objects (virtual warehouses, databases, tables, etc.) that users can access:

  • Snowflake provides a set of predefined roles, as well as a framework for defining a hierarchy of custom roles.
  • All Snowflake users are automatically assigned the predefined PUBLIC role, which enables login to Snowflake and basic object access.
  • In addition to the PUBLIC role, each user can be assigned additional roles, with one of these roles designated as their default role. A user’s default role determines the role used in the Snowflake sessions initiated by the user; however, this is only a default. Users can change roles within a session at any time.
  • Roles can be assigned at user creation or afterwards.

Attention

When deciding the additional roles to assign to a user, as well as designating their default role, consider the following for the predefined ACCOUNTADMIN role (required for performing account-level administrative tasks):

  • Snowflake recommends strictly controlling the assignment of ACCOUNTADMIN, but recommends assigning it to at least two users.
  • ACCOUNTADMIN should never be designated as a user’s default role. Instead, designate a lower-level administrative or custom role as their default.

For more details and best practices related to the ACCOUNTADMIN role, see Access Control Considerations. For more general information about roles, see Understanding Access Control in Snowflake.

Creating Users

You can create a user through the web interface or using SQL.

Note

The web interface requires that you specify a password when you create a user; the CREATE USER command does not.

In addition, Snowflake does not enforce the Snowflake Password Policy when a password is first set (i.e. when creating a user or altering a user that does not have an existing password). This enables security administrators to decide whether to assign generic, less secure passwords or specific, stronger passwords to users. If generic initial passwords are used, we strongly recommend also setting the MUST_CHANGE_PASSWORD property to TRUE to require users to change their password on their next login (including initial login) into Snowflake.

Using the Web Interface

  1. Click on Account > Users.

  2. Click the Create button.

  3. In the User Name field, enter a unique identifier for the user.

    Note

    User name is the unique identifier for the user in Snowflake. It is not the user’s login name (i.e. the name the user enters when logging into Snowflake). Snowflake allows users to have different user names and login names, if desired. You specify a login name for the user on the next screen.

  4. In the Password and Confirm Password fields, enter the login password for the user.

  5. Leave the Force Password Change checkbox selected to force the user to change their password on their next login; otherwise, clear the checkbox.

  6. Click the Next button. The Advanced screen opens.

  7. Optionally enter the Login Name, Display Name, and personal information for the user.

    Note

    Users require a login name to log into Snowflake; if you don’t explicitly provide a login name, Snowflake uses their user name as the login name.

  8. Click the Next button. The Preferences screen opens.

  9. Optionally enter defaults for the user:

    • Virtual warehouse
    • Namespace in the form of <db_name> or <db_name>.<schema_name>
    • Role
  10. Click the Finish button. Snowflake displays a success message.

Using SQL

Use the CREATE USER command to create a user.

Important

When creating a user, if you assign a default role to the user, you must then explicitly grant this role to the user. For example:

CREATE USER jane.smith PASSWORD = 'abc123' DEFAULT_ROLE = 'myrole' MUST_CHANGE_PASSWORD = TRUE;

GRANT ROLE "myrole" TO USER jane.smith;

Note that the GRANT ROLE command allows you to assign multiple roles to a single user. The web interface does not currently support the same capability.

Resetting the Password for a User

Administrators can change a user’s password through the web interface or using SQL.

Note

Users can only change their own password through the web interface. For more information, see Changing Your Password, Role (for the Session), and Logging Out.

Using the Web Interface

  1. Click on Account > Users.
  2. Click on a user row to select it, then click the Reset Password button. The Reset Password dialog opens.
  3. Enter the new login password for the user, and confirm the password.
  4. Leave the Force Password Change checkbox selected to force the user to change their password on their next login; otherwise, clear the checkbox.
  5. Click the Finish button.

Using SQL

Use the ALTER USER command to reset a user’s password. For example:

ALTER USER jane.smith SET PASSWORD = 'welcome1' MUST_CHANGE_PASSWORD = TRUE;

Disabling / Enabling a User

Disabling a user prevents the user from logging into Snowflake. You can disable a user through the web interface or using SQL.

Using the Web Interface

  1. Click on Account > Users.
  2. Click on a user row to select it, then click the Disable User button. A confirmation dialog opens.
  3. Click Yes to disable the user.

To enable a user, follow the same steps, but click on the Enable User button.

Using SQL

Use the ALTER USER command to disable or enable a user. For example:

  • Disable a user:

    ALTER USER jane.smith SET DISABLED = TRUE;
    
  • Enable a user:

    ALTER USER jane.smith SET DISABLED = FALSE;
    

Unlocking a User

If a user login fails after five consecutive attempts, the user is locked out of their account for a period of time (currently 15 minutes). Once the period of time elapses, the system automatically clears the lock and the user can attempt to log in again.

To unlock the user before the time has elapsed, you can reset the timer using the ALTER USER command.

The following example resets the timer to 0, which immediately unlocks user jane.smith:

ALTER USER jane.smith SET MINS_TO_UNLOCK= 0;

Tip

If a single role has the OWNERSHIP privilege on all Snowflake users, it’s a good idea to grant multiple users membership in the role. That way, if a member of the role is locked out, another member can unlock that user.

Altering Session Parameters for a User

  • To show the session parameters for a user, use the following SQL syntax:

    SHOW PARAMETERS [ LIKE '<pattern>' ] FOR USER <name>
    
  • To alter the session parameters for a user, use the following syntax:

    ALTER USER <name> SET <session_param> = <value>
    

    For example, allow a user to remain connected to Snowflake indefinitely without timing out:

    ALTER USER `jane.smith` SET CLIENT_SESSION_KEEP_ALIVE = TRUE;
    
  • To reset a session parameter for a user to the default value, use the following syntax:

    ALTER USER <name> UNSET <session_param>
    

Modifying Other User Properties

You can modify all other user properties using the ALTER USER command. For example:

  • Change the last name for user jane.smith to Jones:

    ALTER USER jane.smith SET LAST_NAME = 'Jones';
    
  • Set or change the default warehouse, namespace, and role for user jane.smith:

    ALTER USER jane.smith SET DEFAULT_WAREHOUSE = 'mywarehouse' DEFAULT_NAMESPACE = `mydatabase.myschema` DEFAULT_ROLE = `myrole`;
    

Viewing Users

You can view information about users using SQL.

Use the DESC USER or SHOW USERS command to view information about one or more users.

For example:

DESC USER janeksmith;

+-------------------------------+---------------------+---------+-------------------------------------------------------------------------------+
| property                      | value               | default | description                                                                   |
|-------------------------------+---------------------+---------+-------------------------------------------------------------------------------|
| NAME                          | JANEKSMITH          | null    | Name                                                                          |
| COMMENT                       | null                | null    | user comment associated to an object in the dictionary                        |
| LOGIN_NAME                    | JANE.SMITH          | null    | Login name of the user                                                        |
| DISPLAY_NAME                  | Jane                | null    | Display name of the user                                                      |
| FIRST_NAME                    | Jane                | null    | First name of the user                                                        |
| MIDDLE_NAME                   | null                | null    | Middle name of the user                                                       |
| LAST_NAME                     | Smith               | null    | Last name of the user                                                         |
| EMAIL                         | jsmith@company.com  | null    | Email address of the user                                                     |
| MUST_CHANGE_PASSWORD          | true                | false   | User must change the password                                                 |
| DISABLED                      | false               | false   | Whether the user is disabled                                                  |
| SNOWFLAKE_LOCK                | false               | false   | Whether the user or account is locked by Snowflake                            |
| SNOWFLAKE_SUPPORT             | false               | false   | Snowflake Support is allowed to use the user or account                       |
| DAYS_TO_EXPIRY                | null                | null    | User record will be treated as expired after specified number of days         |
| MINS_TO_UNLOCK                | null                | null    | Temporary lock on the user will be removed after specified number of minutes  |
| DEFAULT_WAREHOUSE             | mywarehouse         | null    | Default warehouse for this user                                               |
| DEFAULT_NAMESPACE             | MYDATABASE.MYSCHEMA | null    | Default database namespace prefix for this user                               |
| DEFAULT_ROLE                  | ANALYST             | null    | Primary principal of user session will be set to this role                    |
| EXT_AUTHN_DUO                 | false               | false   | Whether Duo Security is enabled as second factor authentication               |
| EXT_AUTHN_UID                 | null                | null    | External authentication ID of the user                                        |
| MINS_TO_BYPASS_MFA            | null                | null    | Temporary bypass MFA for the user for a specified number of minutes           |
| MINS_TO_BYPASS_NETWORK_POLICY | null                | null    | Temporary bypass network policy on the user for a specified number of minutes |
+-------------------------------+---------------------+---------+-------------------------------------------------------------------------------+

Dropping a User

Dropping a user removes the user credentials from Snowflake. Note that any objects created by the user are actually owned by the user’s active role when the objects were created, so dropping a user does not impact any of the objects they’ve created. Another user assigned the same role or a higher role in the role hierarchy can manage the objects or transfer ownership to another role.

Using the Web Interface

  1. Click on Account > Users.
  2. Click on a user row to select it, then click the Drop button. A confirmation dialog opens.
  3. Click Yes to drop the user.

Using SQL

Use the DROP USER command to drop a user.

DROP USER jane.smith;