Configuring Access Control

This topic describes how to configure object-level security using the system-defined roles (provided by Snowflake) and custom roles (optional).

In this Topic:

Account Administration

Designating Additional Users as Account Administrators

By default, each account has one user who has been designated as an account administrator (i.e. user granted the system-defined ACCOUNTADMIN role). We recommend designating at least one other user as an account administrator. This helps ensure that your account always has at least one user who can perform account-level tasks, particularly if one of your account administrators is unable to log in.

For these additional account administrators, you can choose to create new users or designate existing users, but make sure to specify the following:

  • Grant the ACCOUNTADMIN role to the user(s), but do not set this role as their default. Instead, designate a lower-level administrative role (e.g. SYSADMIN) or custom role as their default. This helps prevent account administrators from inadvertently using the ACCOUNTADMIN role to create objects.

  • Ensure an email address is specified for each user (required for multi-factor authentication).

For example, grant the ACCOUNTADMIN and SYSADMIN roles to an existing user named user2 and specify SYSADMIN as the default role:

GRANT ROLE ACCOUNTADMIN, SYSADMIN TO USER user2;

ALTER USER user2 SET EMAIL='user2@domain.com', DEFAULT_ROLE=SYSADMIN;

Enabling MFA for Each Account Administrator

To ensure the highest level of security for your Snowflake account, we strongly recommend that any user who can modify or view sensitive data be required to use multi-factor authentication (MFA) for login.

This recommendation applies particularly to users with the ACCOUNTADMIN role, but can also be expanded to include users with the SECURITYADMIN and SYSADMIN roles.

For more details, see Access Control Considerations and Multi-Factor Authentication (MFA).

Creating a Role Hierarchy

When creating custom roles, consider creating a role hierarchy ultimately assigned to a high-level administrator role. In general, the SYSADMIN role works well as the role all other roles are assigned to in a hierarchy, although it’s important to note that any role with sufficient privileges could serve this function. The SYSADMIN role is a system-defined role that has privileges to create warehouses, databases, and database objects in an account and grant those privileges to other roles. In the default system hierarchy, the top-level ACCOUNTADMIN role manages the system administrator role.

Create a role hierarchy by granting a role to a second role. You can then grant that second role to a third role. The privileges associated with a role are inherited by any roles above that role in the hierarchy (i.e. the parent role).

For example, you can create a custom role with all privileges on a specific schema:

  1. Grant this role the following privileges:

    • USAGE on the database that contains the schema

    • ALL on the schema that contains the tables to query

    • USAGE on a warehouse used to execute queries on the tables in the schema.

  2. Create the hierarchy of roles. Grant the custom role to the SYSADMIN role. The parent roles inherit the object privileges associated with each child role.

  3. Grant the custom role to any user who requires the specified privileges.

Any user with the role can create and use any object in the schema. The following diagram shows an example role hierarchy and the privileges granted to each role:

Role hierarchy and privileges granted to each role

Note

The following sections provide step-by-step instructions for creating a custom role named custom in a basic role hierarchy. This custom role allows users to create objects in a schema and to manage those objects (as the object owner). The role does not have permissions on existing objects in the schema, although those could be given through additional privilege grants at either the schema or object level.

Execute the SQL statements in this section as a user with the SECURITYADMIN role (or higher).

Create a Custom Role

  1. Create the custom role:

    CREATE ROLE custom
       COMMENT = 'This role has all privileges on schema_1';
    
  2. Grant the custom role the following object privileges:

    • USAGE on the database that contains the schema (database_a). To use any objects in a schema, a role must also have the USAGE privilege on the container database.

    • ALL [ PRIVILEGES ] on the schema (schema_1).

    • USAGE on the warehouse used to execute queries (warehouse_1). Users with this role can execute queries using this warehouse.

    GRANT USAGE
      ON DATABASE database_a
      TO ROLE custom;
    
    GRANT ALL
      ON SCHEMA database_a.schema_1
      TO ROLE custom;
    
    GRANT USAGE
      ON WAREHOUSE warehouse_1
      TO ROLE custom;
    

Grant the Role to Another Role

Assign the role to a higher-level role in a role hierarchy. In this example, we are assigning the custom role to the SYSADMIN role. The SYSADMIN role inherits any object privileges granted to the custom role:

GRANT ROLE custom
   TO ROLE sysadmin;

Note

In a more complex example, you could assign the custom role to another child role of SYSADMIN (or another administrator role, such as a custom role with sufficient privileges to create databases). The SYSADMIN role would inherit the combined privileges assigned to the custom role and its parent role. If the role above custom in the hierarchy owned any objects, then the role hierarchy would ensure that members of the SYSADMIN role also owned those objects (indirectly) and could manage them as expected.

Grant the Role to a User

  1. Use the ALTER USER to disable the user you want to modify. This will forcefully close all existing sessions for the user while you are making the changes to that user. For example, the following command disables user Bonnie Smith (bsmith):

    ALTER USER bsmith SET DISABLED=TRUE;
    
  2. Assign the custom role to a user:

    GRANT ROLE custom
       TO USER bsmith;
    
  3. Set the default role for the user. The following command defines the default role for user Bonnie Smith:

    ALTER USER bsmith
       SET DEFAULT_ROLE = custom;
    
  4. Enable the user using the ALTER USER command, so the user can log in again, now with the new default role. For example:

    ALTER USER bsmith SET DISABLED=false;
    

Viewing Granted Privileges

To view the current set of privileges granted on an object, you can execute the SHOW GRANTS command. To view the current permissions on a schema, execute the following command:

SHOW GRANTS ON SCHEMA <database_name>.<schema_name>;

For example, execute the following command to view the privileges on database_a.schema_1 that were granted in Create a Custom Role:

SHOW GRANTS ON SCHEMA database_a.schema_1;

Snowflake returns the following results:

+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+
| created_on                    | privilege          | granted_on | name                | granted_to | grantee_name | grant_option | granted_by   |
|-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------|
| 2016-08-24 12:35:08.000 -0700 | OWNERSHIP          | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | SYSADMIN     | true         | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FILE FORMAT | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FUNCTION    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE SEQUENCE    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE STAGE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE TABLE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE VIEW        | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MODIFY             | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MONITOR            | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | USAGE              | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+

You can also run the SHOW GRANTS command to view the current set of privileges granted to a role, or the current set of roles granted to a user:

SHOW GRANTS TO ROLE <role_name>;
SHOW GRANTS TO USER <user_name>;

For example, execute the following command to view the privileges granted on role custom created in Create a Custom Role:

SHOW GRANTS TO ROLE custom;

Snowflake returns the following results:

+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+
| created_on                    | privilege          | granted_on | name                | granted_to | grantee_name | grant_option | granted_by   |
|-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------|
| 2016-11-22 12:34:29.000 -0800 | USAGE              | DATABASE   | DATABASE_A          | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FILE FORMAT | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE FUNCTION    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE SEQUENCE    | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE STAGE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE TABLE       | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | CREATE VIEW        | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MODIFY             | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | MONITOR            | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | USAGE              | SCHEMA     | DATABASE_A.SCHEMA_1 | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
| 2016-11-22 12:34:30.000 -0800 | USAGE              | WAREHOUSE  | WAREHOUSE_1         | ROLE       | CUSTOM       | false        | ACCOUNTADMIN |
+-------------------------------+--------------------+------------+---------------------+------------+--------------+--------------+--------------+

Note

Executing the SHOW GRANTS command on a specific object requires the same object privileges as running the SHOW command for that object type.

For example, running the SHOW GRANTS command on a table requires the following privileges on the table and the container database and schema:

Database

USAGE

Schema

USAGE

Table

any privilege

Creating Read-Only Roles

Suppose you needed a role that is limited to querying the tables in a specific schema (e.g. database_a.schema_1). Users who execute commands using this role cannot update the table data, create additional database objects, or drop tables.

In this scenario, you could create a custom role with limited access to the schema and its tables. You would then grant the read-only role to the users who require read-only access to the schema and tables. These users can work in the limited default role without concern about accidentally modifying or dropping schema objects.

Note

Execute the SQL statements in this section as a user with the SECURITYADMIN role (or higher).

  1. Create the custom read_only_rl role:

    CREATE ROLE read_only_rl
       COMMENT = 'This role is limited to querying tables in schema_1';
    
  2. Assuming you have implemented a role hierarchy (recommended), assign the role to a higher-level role in a role hierarchy. In this example, we are assigning the read_only_rl role to the SYSADMIN role. The SYSADMIN role inherits any object privileges granted to the read_only_rl role:

    GRANT ROLE read_only_rl
       TO ROLE sysadmin;
    
  3. Grant the read_only_rl role the following object privileges:

    • USAGE on the database that contains the schema (database_a).

    • USAGE on the schema that contains the tables to query (schema_1). To use any objects in a schema, a role must also have the USAGE privilege on the database and schema:

    • SELECT on all existing tables.

    • USAGE on the warehouse used to execute queries on the tables (warehouse_1). Users with this role can execute queries using this warehouse.

    GRANT USAGE
      ON DATABASE database_a
      TO ROLE read_only_rl;
    
    GRANT USAGE
      ON SCHEMA database_a.schema_1
      TO ROLE read_only_rl;
    
    GRANT SELECT
      ON ALL TABLES IN SCHEMA database_a.schema_1
      TO ROLE read_only_rl;
    
    GRANT USAGE
      ON WAREHOUSE warehouse_1
      TO ROLE read_only_rl;
    

    Note

    The GRANT SELECT ON ALL TABLES IN SCHEMA <schema> statement only applies to existing tables. The read-only role must be granted the SELECT privilege on any tables created in the schema thereafter. For example:

    GRANT SELECT
      ON TABLE database_a.schema_1.table_new
      TO ROLE read_only_rl;
    
  4. Use the ALTER USER to disable the user you want to modify. This will forcefully close all existing sessions for the user while you are making the changes to that user. For example, the following command disables user Bonnie Smith (bsmith):

    ALTER USER bsmith SET DISABLED=TRUE;
    
  5. Assign the read_only_rl role to a user:

    GRANT ROLE read_only_rl
       TO USER bsmith;
    
  6. Set the default role for the user. The following command defines the default role for user Bonnie Smith:

    ALTER USER bsmith
       SET DEFAULT_ROLE = read_only_rl;
    
  7. Enable the user using the ALTER USER command, so the user can log in again, now with the new default role. For example:

    ALTER USER bsmith SET DISABLED=false;
    

Assigning Future Grants on Objects

Future grants allow defining an initial set of privileges to grant on new (i.e. future) objects of a certain type (e.g. tables or views) in a schema. As new objects are created, the defined privileges are automatically granted to a specified role.

Future grants are defined using GRANT <privileges> … TO ROLE with the ON FUTURE keywords. For example, to grant the SELECT privilege on all future tables created in the mydb.myschema schema to the role1 role, an administrator would execute the following command:

GRANT SELECT ON FUTURE TABLES IN SCHEMA mydb.myschema
TO ROLE role1;

Note

The MANAGE GRANTS global privilege is required to grant or revoke privileges on future objects. By default, only security administrators (i.e. users with the SECURITYADMIN role) or higher have the MANAGE GRANTS privilege. In a managed access schema, the schema owner has an implicit privilege allowing grant management on objects in the schema.

Future grants only define the initial set of privileges granted on new objects of a specified type. After an individual object is created, administrators can explicitly grant additional privileges or revoke privileges on the object. This allows fine-grained access control over all objects in the schema.

Note that future grants only pertain to new objects; to grant privileges on existing objects, an administrator must explicitly grant the privileges.

Future grants can be removed using REVOKE <privileges> … FROM ROLE with the ON FUTURE keywords. Privileges granted on existing objects are retained.

You can define future grants using either the web interface or SQL:

Web Interface

Click on Databases Databases tab » <db_name> » Schemas » <schema_name> » Grant Privileges.

SQL

Execute a GRANT <privileges> … TO ROLE statement with the ON FUTURE keywords.

The following example shows a complete workflow for granting, using, and revoking future grants using SQL:

Example

-- Switch to the SYSADMIN role or any role that has the CREATE DATABASE privilege
use role sysadmin;
create or replace database mydb;

create or replace schema fg_schema;

-- Switch to the SECURITYADMIN role or any role that has the MANAGE GRANTS privilege
use role securityadmin;

create or replace role fg_table_role;

grant usage on database mydb to role fg_table_role;

grant usage on schema mydb.fg_schema to role fg_table_role;

grant select,insert on future tables in schema mydb.fg_schema to role fg_table_role;

show future grants in schema mydb.fg_schema;

-- The FG_TABLE_ROLE role has INSERT and SELECT future grants on tables in the schema, i.e. on tables created after this point in time

+-------------------------------+-----------+----------+------------------------+----------+---------------+--------------+
| created_on                    | privilege | grant_on | name                   | grant_to | grantee_name  | grant_option |
|-------------------------------+-----------+----------+------------------------+----------+---------------+--------------|
| 2018-11-26 06:08:45.325 -0800 | INSERT    | TABLE    | MYDB.FG_SCHEMA.<TABLE> | ROLE     | FG_TABLE_ROLE | false        |
| 2018-11-26 06:08:45.325 -0800 | SELECT    | TABLE    | MYDB.FG_SCHEMA.<TABLE> | ROLE     | FG_TABLE_ROLE | false        |
+-------------------------------+-----------+----------+------------------------+----------+---------------+--------------+

-- Switch to the role used to create the MYDB database earlier in this script
use role sysadmin;

create or replace table fg_table (val number);

show grants on table fg_table;

+-------------------------------+-----------+------------+-------------------------+------------+---------------+--------------+------------+
| created_on                    | privilege | granted_on | name                    | granted_to | grantee_name  | grant_option | granted_by |
|-------------------------------+-----------+------------+-------------------------+------------+---------------+--------------+------------|
| 2018-11-26 06:12:14.534 -0800 | INSERT    | TABLE      | MYDB.FG_SCHEMA.FG_TABLE | ROLE       | FG_TABLE_ROLE | false        | SYSADMIN   |
| 2018-11-26 06:12:14.534 -0800 | SELECT    | TABLE      | MYDB.FG_SCHEMA.FG_TABLE | ROLE       | FG_TABLE_ROLE | false        | SYSADMIN   |
| 2018-11-26 06:12:14.534 -0800 | OWNERSHIP | TABLE      | MYDB.FG_SCHEMA.FG_TABLE | ROLE       | SYSADMIN      | true         | SYSADMIN   |
+-------------------------------+-----------+------------+-------------------------+------------+---------------+--------------+------------+

-- Switch to the role used to grant privileges earlier in this script
use role securityadmin;

grant role fg_table_role to role accountadmin;

-- Switch to the FG_TABLE_ROLE role
-- The role can successfully query the FG_TABLE table and insert rows of data
use role fg_table_role;

use schema mydb.fg_schema;

select * from fg_table;

+-----+
| VAL |
|-----|
+-----+

-- Switch to the SECURITYADMIN role or any role that has the MANAGE GRANTS privilege
use role securityadmin;

-- Revoke the future grants on tables in the schema from the FG_TABLE_ROLE role:
revoke select,insert on future tables in schema mydb.fg_schema from role fg_table_role;

-- Switch to the FG_TABLE_ROLE role
use role fg_table_role;

-- The privileges already granted on this object are retained
use schema mydb.fg_schema;

select * from fg_table;

+-----+
| VAL |
|-----|
+-----+

Creating Managed Access Schemas

Managed access schemas improve security by locking down privilege management on objects.

In regular (i.e. non-managed) schemas, object owners (i.e. a role with the OWNERSHIP privilege on an object) can grant access on their objects to other roles, with the option to further grant those roles the ability to manage object grants.

With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.

You can create a managed access schema using either the web interface or SQL:

Web Interface

Click on Databases Databases tab » <db_name> » Schemas » Create Schema.

SQL

Execute a CREATE SCHEMA statement with the WITH MANAGED ACCESS keywords.

You can change a regular schema to a managed access schema (or vice-versa) using either the web interface or SQL:

Web Interface

Click on Databases Databases tab » <db_name> » Schemas » <schema_name> » Alter a schema.

SQL

Execute an ALTER SCHEMA statement with the ENABLE | DISABLE MANAGED ACCESS keywords.

The following table indicates which roles can manage object privileges in a regular or managed access schema:

Role

Can grant object privileges in a regular schema

Can grant object privileges in a managed access schema

SYSADMIN

No

No

SECURITYADMIN or higher

Yes

Yes

Database owner

No

No

Schema owner

No

Yes

Object owner

Yes

No

Any role with the MANAGE GRANTS privilege

Yes

Yes

Enabling Non-Account Administrators to Monitor Usage and Billing History

Snowflake provides extensive account usage and billing information about data storage/transfer and warehouse usage/load:

Web interface

Click on Account Account tab » Billing & Usage.

SQL

Query the Information Schema table functions.

However, by default, this information can be accessed/viewed only by account administrators. To enable users who are not account administrators to access/view this information, Snowflake provides the global MONITOR USAGE privilege. Granting the MONITOR USAGE privilege to a role allows all users who are granted the role to access this historical/usage information.

In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.

For example, to grant this privilege to the custom role:

GRANT MONITOR USAGE ON ACCOUNT TO ROLE custom;