Security and account administrators (i.e. users with the SECURITYADMIN role or higher) can create and manage Snowflake users through SQL or the web interface:
- Using SQL, administrators can perform all user-related tasks, including changing login credentials and defaults for users.
- The web interface doesn’t support all user-related tasks, but provides a convenient wizard for creating users and performing most common activities, such as resetting a user’s password.
In this Topic:
- Snowflake Password Policy
- User Roles
- Creating Users
- Resetting the Password for a User
- Disabling the Change Password Functionality for Users
- Disabling / Enabling a User
- Unlocking a User
- Altering Session Parameters for a User
- Modifying Other User Properties
- Viewing Users
- Dropping a User
Only security administrators (i.e. users with the SECURITYADMIN role) or higher can create, alter, or drop users.
Snowflake Password Policy¶
A password can be any case-sensitive string up to 256 characters, including blank spaces and special (i.e. non-alphanumeric) characters, such as exclamation points (
!), percent signs (
%), and asterisks
Snowflake enforces the following password policy when creating a user, setting a new/initial password for a user, or resetting the existing password for a user:
- Must be at least 8 characters long.
- Must contain at least 1 digit.
- Must contain at least 1 uppercase letter and 1 lowercase letter.
However, this policy only covers the minimum requirements for user passwords. We strongly recommend the following guidelines for creating the strongest passwords possible:
- Create a unique password for Snowflake (i.e. do not reuse passwords from other systems or accounts).
- Use more than 8 characters.
- Include multiple, random mixed-case letters, numbers, and special characters, including blank spaces.
- Do not use easily-guessed common passwords, names, numbers, or dates.
In addition, to configure the highest level of security for user login, we recommend that users enroll in MFA.
Snowflake uses roles to control the objects (virtual warehouses, databases, tables, etc.) that users can access:
- Snowflake provides a set of predefined roles, as well as a framework for defining a hierarchy of custom roles.
- All Snowflake users are automatically assigned the predefined PUBLIC role, which enables login to Snowflake and basic object access.
- In addition to the PUBLIC role, each user can be assigned additional roles, with one of these roles designated as their default role. A user’s default role determines the role used in the Snowflake sessions initiated by the user; however, this is only a default. Users can change roles within a session at any time.
- Roles can be assigned at user creation or afterwards.
When deciding the additional roles to assign to a user, as well as designating their default role, consider the following for the predefined ACCOUNTADMIN role (required for performing account-level administrative tasks):
- Snowflake recommends strictly controlling the assignment of ACCOUNTADMIN, but recommends assigning it to at least two users.
- ACCOUNTADMIN should never be designated as a user’s default role. Instead, designate a lower-level administrative or custom role as their default.
You can create a user through the web interface or using SQL.
The web interface requires that you specify a password when you create a user; the CREATE USER command does not.
In addition, Snowflake does not enforce the Snowflake Password Policy when a password is first set (i.e. when creating a user or altering a user that does not have an existing password). This enables security administrators to decide whether to assign generic, less secure passwords or specific, stronger passwords to users. If generic initial passwords are used, we strongly recommend also setting the MUST_CHANGE_PASSWORD property to TRUE to require users to change their password on their next login (including initial login) into Snowflake.
Using the Web Interface¶
Click the Create button.
In the User Name field, enter a unique identifier for the user.
User name is the unique identifier for the user in Snowflake. It is not the user’s login name (i.e. the name the user enters when logging into Snowflake). Snowflake allows users to have different user names and login names, if desired. You specify a login name for the user on the next screen.
In the Password and Confirm Password fields, enter the login password for the user.
Leave the Force Password Change checkbox selected to force the user to change their password on their next login; otherwise, clear the checkbox.
Click the Next button. The Advanced screen opens.
Optionally enter the Login Name, Display Name, and personal information for the user.
Users require a login name to log into Snowflake; if you don’t explicitly provide a login name, Snowflake uses their user name as the login name.
Click the Next button. The Preferences screen opens.
Optionally enter defaults for the user:
- Virtual warehouse
- Namespace in the form of
Click the Finish button. Snowflake displays a success message.
Use the CREATE USER command to create a user.
When creating a user, if you assign a default role to the user, you must then explicitly grant this role to the user. For example:
CREATE USER janesmith PASSWORD = 'abc123' DEFAULT_ROLE = myrole MUST_CHANGE_PASSWORD = TRUE; GRANT ROLE myrole TO USER janesmith;
Note that the GRANT ROLE command allows you to assign multiple roles to a single user. The web interface does not currently support the same capability.
Resetting the Password for a User¶
Administrators can change a user’s password through the web interface or using SQL.
Users can only change their own password through the web interface. For more information, see Changing Your Password / Switching Your (Session) Role / Logging Out.
Using the Web Interface¶
- Click on Account » Users.
- Click on a user row to select it, then click the Reset Password button. The Reset Password dialog opens.
- Enter the new login password for the user, and confirm the password.
- Leave the Force Password Change checkbox selected to force the user to change their password on their next login; otherwise, clear the checkbox.
- Click the Finish button.
Use the ALTER USER command to input a user’s password. For example:
ALTER USER janesmith SET PASSWORD = 'welcome1' MUST_CHANGE_PASSWORD = TRUE;
Alternatively, use the ALTER USER … RESET PASSWORD syntax to generate a URL to share with the user. The URL opens a web page on which the user can enter the new password. For example:
ALTER USER janesmith RESET PASSWORD;
- The generated URL is valid for one use only and expires after 4 hours.
- Executing the ALTER USER … RESET PASSWORD statement does not invalidate the current password. The user can continue to use the old password until the new password is set.
Disabling the Change Password Functionality for Users¶
Users change their Snowflake password in the web interface by clicking the dropdown menu in the upper right (next to the login name) » Change Password. The Select a New Password dialog opens. The dialog accepts the current and new password.
You can optionally disable the ability for users in your account to change their own password. Account administrators can continue to change user passwords using the web interface under Account » Users, or through SQL using the ALTER USER command.
To request this change, please contact Snowflake Support.
Disabling / Enabling a User¶
Disabling a user prevents the user from logging into Snowflake. You can disable a user through the web interface or using SQL.
Using the Web Interface¶
- Click on Account » Users.
- Click on a user row to select it, then click the Disable User button. A confirmation dialog opens.
- Click Yes to disable the user.
To enable a user, follow the same steps, but click on the Enable User button.
Unlocking a User¶
If a user login fails after five consecutive attempts, the user is locked out of their account for a period of time (currently 15 minutes). Once the period of time elapses, the system automatically clears the lock and the user can attempt to log in again.
To unlock the user before the time has elapsed, you can reset the timer using the ALTER USER command.
The following example resets the timer to 0, which immediately unlocks user
ALTER USER janesmith SET MINS_TO_UNLOCK= 0;
If a single role has the OWNERSHIP privilege on all Snowflake users, we recommend granting the role to multiple users. That way, if a member of the role is locked out, another member can unlock that user.
Altering Session Parameters for a User¶
To show the session parameters for a user, use the following SQL syntax:
SHOW PARAMETERS [ LIKE '<pattern>' ] FOR USER <name>
To alter the session parameters for a user, use the following syntax:
ALTER USER <name> SET <session_param> = <value>
For example, allow a user to remain connected to Snowflake indefinitely without timing out:
ALTER USER `janesmith` SET CLIENT_SESSION_KEEP_ALIVE = TRUE;
To reset a session parameter for a user to the default value, use the following syntax:
ALTER USER <name> UNSET <session_param>
Modifying Other User Properties¶
You can modify all other user properties using the ALTER USER command. For example:
Change the last name for user
ALTER USER janesmith SET LAST_NAME = 'Jones';
Set or change the default warehouse, namespace, and role for user
ALTER USER janesmith SET DEFAULT_WAREHOUSE = 'mywarehouse' DEFAULT_NAMESPACE = `mydatabase.myschema` DEFAULT_ROLE = `myrole`;
You can view information about users using SQL.
DESC USER janeksmith;
Dropping a User¶
Dropping a user removes the user credentials from Snowflake. Note that any objects created by the user are actually owned by the user’s active role when the objects were created, so dropping a user does not impact any of the objects they’ve created. Another user assigned the same role or a higher role in the role hierarchy can manage the objects or transfer ownership to another role.