Configuring Access Control

This topic describes how to configure object-level security using the system-defined roles (provided by Snowflake) and custom roles (optional).

In this Topic:

Account Administration

Designating Additional Users as Account Administrators

By default, each account has one user who has been designated as an account administrator (i.e. user granted the system-defined ACCOUNTADMIN role). We recommend designating at least one other user as an account administrator. This helps ensure that your account always has at least one user who can perform account-level tasks, particularly if one of your account administrators is unable to log in.

For these additional account administrators, you can choose to create new users or designate existing users, but make sure to specify the following:

  • Grant the ACCOUNTADMIN role to the user(s), but do not set this role as their default. Instead, designate a lower-level administrative role (e.g. SYSADMIN) or custom role as their default. This helps prevent account administrators from inadvertently using the ACCOUNTADMIN role to create objects.
  • Ensure an email address is specified for each user (required for multi-factor authentication).

For example, grant the ACCOUNTADMIN and SYSADMIN roles to an existing user named user2 and specify SYSADMIN as the default role:

GRANT ROLE ACCOUNTADMIN, SYSADMIN TO USER user2;

ALTER USER user2 SET EMAIL='user2@domain.com', DEFAULT_ROLE=SYSADMIN;

Enabling MFA for Each Account Administrator

To ensure the highest level of security for your Snowflake account, we strongly recommend that any user who can modify or view sensitive data be required to use multi-factor authentication (MFA) for login.

This recommendation applies particularly to users with the ACCOUNTADMIN role, but can also be expanded to include users with the SECURITYADMIN and SYSADMIN roles.

For more details, see Access Control Considerations and Multi-Factor Authentication (MFA).

Setting Account Parameters

Account parameters can only be set at the account level by account administrators. Account parameters are set using the ALTER ACCOUNT command. For descriptions of the account parameters, see Parameters for descriptions of account parameters.

For example, to set the PERIODIC_DATA_REKEYING parameter to true:

ALTER ACCOUNT SET periodic_data_rekeying = true;

To restore the default PERIODIC_DATA_REKEYING value:

ALTER ACCOUNT UNSET periodic_data_rekeying;

Creating a Role Hierarchy

When creating custom roles, consider creating a role hierarchy ultimately assigned to the SYSADMIN role. The SYSADMIN role is a system-defined role that has privileges to create warehouses, databases, and database objects in an account and grant those privileges to other roles. In the default system hierarchy, the top-level ACCOUNTADMIN role manages the system administrator role.

You create a role hierarchy by granting a role to a second role. You can then grant that second role to a third role. The privileges associated with a role are inherited by any roles above that role in the hierarchy.

For example, you can create a custom role with all privileges on a specific schema:

  1. Grant this role the following privileges:

    • USAGE on the database that contains the schema
    • ALL on the schema that contains the tables to query
    • USAGE on a warehouse used to execute queries on the tables in the schema.
  2. Create the hierarchy of roles. Grant the custom role to the SYSADMIN role. The parent roles inherit the object privileges associated with each child role.

  3. Grant the custom role to any user who requires the specified privileges.

Any user with the role can create and use any object in the schema. The following diagram illustrates the role hierarchy and the privileges granted to each role:

Role hierarchy and privileges granted to each role

Note

The following sections provide step-by-step instructions for creating a custom role named custom in a basic role hierarchy. This custom role allows users to create objects in a schema and to manage those objects (as the object owner). The role does not have permissions on existing objects in the schema, although those could be given through additional privilege grants at either the schema or object level.

Execute the SQL statements in this section as a user with the SECURITYADMIN role (or higher).

Create a Custom Role

  1. Create the custom role:

    CREATE ROLE custom
       COMMENT = 'This role has all privileges on schema_1';
    
  2. Grant the custom role the following object privileges:

    • USAGE on the database that contains the schema (database_a). To use any objects in a schema, a role must also have the USAGE privilege on the container database.
    • ALL [ PRIVILEGES ] on the schema (schema_1).
    • USAGE on the warehouse used to execute queries (warehouse_1). Users with this role can execute queries using this warehouse.
    GRANT USAGE
      ON DATABASE database_a
      TO ROLE custom;
    
    GRANT ALL
      ON SCHEMA database_a.schema_1
      TO ROLE custom;
    
    GRANT USAGE
      ON WAREHOUSE warehouse_1
      TO ROLE custom;
    

Grant the Role to Another Role

Assign the role to a higher-level role in a role hierarchy. In this example, we are assigning the custom role to the SYSADMIN role. The SYSADMIN role inherits any object privileges granted to the custom role:

GRANT ROLE custom
   TO ROLE sysadmin;

Note

In a more complex example, you could assign the custom role to another child role of SYSADMIN. The SYSADMIN role would inherit the combined privileges assigned to the custom and its parent role. If the role above custom in the hierarchy owned any objects, then the role hierarchy would ensure that members of the SYSADMIN role also owned those objects (indirectly) and could manage them as expected.

Grant the Role to a User

  1. Use the ALTER USER to disable the user you want to modify. This will forcefully close all existing sessions for the user while you are making the changes to that user. For example, the following command disables user Bonnie Smith (bsmith):

    ALTER USER bsmith SET DISABLED=TRUE;
    
  2. Assign the custom role to a user:

    GRANT ROLE custom
       TO USER bsmith;
    
  3. Set the default role for the user. The following command defines the default role for user Bonnie Smith:

    ALTER USER bsmith
       SET DEFAULT_ROLE = custom;
    
  4. Enable the user using the ALTER USER command, so the user can log in again, now with the new default role. For example:

    ALTER USER bsmith SET DISABLED=false;
    

Viewing Granted Privileges

To view the current set of privileges granted on an object, you can execute the SHOW GRANTS command. To view the current permissions on a schema, execute the following command:

SHOW GRANTS ON SCHEMA <database_name>.<schema_name>;

For example, execute the following command to view the privileges on database_a.schema_1 that were granted in Create a Custom Role:

SHOW GRANTS ON SCHEMA database_a.schema_1;

Snowflake returns the following results:

+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+
| created_on                    | privilege          | granted_on | name                | granted_to | grantee_name | grant_option | granted_by   |
|-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------|
| 2016-08-24 12:35:08.000 -0700 | OWNERSHIP          | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | SYSADMIN     | true         | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FILE FORMAT | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FUNCTION    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE SEQUENCE    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE STAGE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE TABLE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE VIEW        | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MODIFY             | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MONITOR            | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | USAGE              | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+

You can also run the SHOW GRANTS command to view the current set of privileges granted to a role, or the current set of roles granted to a user:

SHOW GRANTS TO ROLE <role_name>;
SHOW GRANTS TO USER <user_name>;

For example, execute the following command to view the privileges granted on role custom created in Create a Custom Role:

SHOW GRANTS TO ROLE custom;

Snowflake returns the following results:

+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+
| created_on                    | privilege          | granted_on | name                | granted_to | grantee_name | grant_option | granted_by   |
|-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------|
| 2016-11-22 12:34:29.000 -0800 | USAGE              | DATABASE   | DATABASE_A          | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FILE FORMAT | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FUNCTION    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE SEQUENCE    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE STAGE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE TABLE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE VIEW        | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MODIFY             | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MONITOR            | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | USAGE              | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | USAGE              | WAREHOUSE  | WAREHOUSE_1         | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+

Note

Executing the SHOW GRANTS command on a specific object requires the same object privileges as running the SHOW command for that object type.

For example, running the SHOW GRANTS command on a table requires the following privileges on the table and the container database and schema:

Database:USAGE
Schema:USAGE
Table:any privilege

Creating Read-Only Roles

Suppose you needed a role that is limited to querying the tables in a specific schema (e.g. database_a.schema_1). Users who execute commands using this role cannot update the table data, create additional database objects, or drop tables.

In this scenario, you could create a custom role with limited access to the schema and its tables. You would then grant the read-only role to the users who require read-only access to the schema and tables. These users can work in the limited default role without concern about accidentally modifying or dropping schema objects.

Note

Execute the SQL statements in this section as a user with the SECURITYADMIN role (or higher).

  1. Create the custom read_only_rl role:

    CREATE ROLE read_only_rl
       COMMENT = 'This role is limited to querying tables in schema_1';
    
  2. Assuming you have implemented a role hierarchy (recommended), assign the role to a higher-level role in a role hierarchy. In this example, we are assigning the read_only_rl role to the SYSADMIN role. The SYSADMIN role inherits any object privileges granted to the read_only_rl role:

    GRANT ROLE read_only_rl
       TO ROLE sysadmin;
    
  3. Grant the read_only_rl role the following object privileges:

    • USAGE on the database that contains the schema (database_a).
    • USAGE on the schema that contains the tables to query (schema_1). To use any objects in a schema, a role must also have the USAGE privilege on the database and schema:
    • SELECT on all existing tables.
    • USAGE on the warehouse used to execute queries on the tables (warehouse_1). Users with this role can execute queries using this warehouse.
    GRANT USAGE
      ON DATABASE database_a
      TO ROLE read_only_rl;
    
    GRANT USAGE
      ON SCHEMA database_a.schema_1
      TO ROLE read_only_rl;
    
    GRANT SELECT
      ON ALL TABLES IN SCHEMA database_a.schema_1
      TO ROLE read_only_rl;
    
    GRANT USAGE
      ON WAREHOUSE warehouse_1
      TO ROLE read_only_rl;
    

    Note

    The GRANT SELECT ON ALL TABLES IN SCHEMA <schema> statement only applies to existing tables. The read-only role must be granted the SELECT privilege on any tables created in the schema thereafter. For example:

    GRANT SELECT
      ON TABLE database_a.schema_1.table_new
      TO ROLE read_only_rl;
    
  4. Use the ALTER USER to disable the user you want to modify. This will forcefully close all existing sessions for the user while you are making the changes to that user. For example, the following command disables user Bonnie Smith (bsmith):

    ALTER USER bsmith SET DISABLED=TRUE;
    
  5. Assign the read_only_rl role to a user:

    GRANT ROLE read_only_rl
       TO USER bsmith;
    
  6. Set the default role for the user. The following command defines the default role for user Bonnie Smith:

    ALTER USER bsmith
       SET DEFAULT_ROLE = read_only_rl;
    
  7. Enable the user using the ALTER USER command, so the user can log in again, now with the new default role. For example:

    ALTER USER bsmith SET DISABLED=false;
    

Managing Object Ownership and Privileges

To customize ownership and privileges granted on objects, use the following high-level instructions, performed by a user with the SYSADMIN role. Note that changing access control on the objects takes immediate effect when successfully executed:

  1. If the object should be owned by a role that the SYSADMIN role dominates (lower in the hierarchy), use the GRANT OWNERSHIP command to transfer the ownership to it. Unlike other privileges, the OWNERSHIP privilege can only be granted to one role. If the target owner role is not granted to SYSADMIN, then only the holder of MANAGE GRANTS can perform the ownership transfer. For example:

    GRANT OWNERSHIP ON WAREHOUSE reports TO ROLE analyst;
    
  2. The control over the object is shared by all users who are assigned the role having the OWNERSHIP privilege on the object. In many cases, this is sufficient granularity for access control on the database objects. However, if the privileges on the object need to be controlled more explicitly, you can create explicit grants on the object using the GRANT <privileges> … TO ROLE command. For example:

    GRANT OPERATE ON WAREHOUSE loader TO ROLE users;
    
  3. Verify the grants on the object using the SHOW GRANTS command. For example:

    SHOW GRANTS ON WAREHOUSE loader;
    

Enabling Non-Account Administrators to Monitor Usage and Billing History

Snowflake provides extensive account usage and billing information about data storage/transfer and warehouse usage/load:

Web interface:Click on Account Account tab » Billing & Usage.
SQL:Query the Information Schema table functions.

However, by default, this information can be accessed/viewed only by account administrators. To enable users who are not account administrators to access/view this information, Snowflake provides the global MONITOR USAGE privilege. Granting the MONITOR USAGE privilege to a role allows all users who are granted the role to access this historical/usage information.

In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.

For example, to grant this privilege to the custom role:

GRANT MONITOR USAGE ON ACCOUNT TO ROLE custom;