
Snowflake Role-Based Access Control Simplified

Snowflake provides a pre-defined set of roles that are used to give a person access to perform the required operations on specific objects in an account, such as schemas, tables, and views. Roles are the entities to which privileges on database objects are granted and from which they are revoked. The roles assigned to users let them access objects and perform the operations that their business function requires. These roles should be restricted to the appropriate personnel and not given to everyone.

Snowflake RBAC (Role-Based Access Control) is the part of the Access Control Framework in which object owners grant privileges to roles, and those roles are in turn assigned to users, which allows or restricts the operations that can be performed on the objects. To put it simply, the actions users can perform on Snowflake objects are based on the privileges associated with the user's current role. In Snowflake, roles can be assigned to other roles, which means role hierarchies are allowed.

Before we look at the simplified model of RBAC, let's have a look at the 5 system-defined roles that users must adhere to.

ACCOUNTADMIN: The most powerful role in the system, with all the privileges of SYSADMIN and SECURITYADMIN. This role is used only during the initial setup of Snowflake. It can also be used to view the resources used by each warehouse.

SECURITYADMIN: This role is used to control users, roles, and their privileges. All roles, users, and their privileges are owned only by the Security Administrator.

USERADMIN: This role creates users and roles.

SYSADMIN: This role creates objects in Snowflake. It is responsible for all databases, warehouses, schemas, tables, and views.

PUBLIC: This role is generated automatically, is assigned to every user and role, and is publicly available.

Now that we have seen the 5 system-defined roles, let's have a look at the simplified RBAC model.


A Simplified RBAC Model

Here we will see the different roles, divided into logical levels that help to simplify both the capture of RBAC requirements and the inheritance of privileges. The logical levels are:

Level 0 or System Roles: At this level, all domain roles roll up to a native Snowflake system role.

Level 1 or Domain Roles: If an organization or company has to keep multiple independent domains under one account, Level 1 or Domain roles make that possible.

Level 2 or Functional Roles: These roles are assigned to users and map to the users' real-world roles.

Level A or Access Roles: The lowest-level roles, which hold the actual access and privileges on database objects. They maintain access according to the users' requirements at the database and schema level.

To summarize, these levels let you define your access roles according to the client's needs. Real-life roles are translated into Functional Roles, and the Domain Roles to capture depend on the number of environments.
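The four levels above can be wired together with role-to-role grants. The following is an added example, not taken from the original article: the `SALES` database, the `REPORTING` schema, the user `ALICE`, and every role name with an `_AR`, `_FR`, or `_DR` suffix are hypothetical.

```sql
-- Added example: all object, role, and user names are hypothetical.

-- USERADMIN creates the roles for each level.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS SALES_RO_AR;        -- Level A: read-only access role
CREATE ROLE IF NOT EXISTS SALES_RW_AR;        -- Level A: read-write access role
CREATE ROLE IF NOT EXISTS SALES_ANALYST_FR;   -- Level 2: functional role
CREATE ROLE IF NOT EXISTS SALES_ENGINEER_FR;  -- Level 2: functional role
CREATE ROLE IF NOT EXISTS SALES_DOMAIN_DR;    -- Level 1: domain role

-- SECURITYADMIN manages the grants.
USE ROLE SECURITYADMIN;

-- Level A: object privileges are granted ONLY to access roles.
GRANT USAGE ON DATABASE SALES TO ROLE SALES_RO_AR;
GRANT USAGE ON SCHEMA SALES.REPORTING TO ROLE SALES_RO_AR;
GRANT SELECT ON ALL TABLES IN SCHEMA SALES.REPORTING TO ROLE SALES_RO_AR;
GRANT SELECT ON FUTURE TABLES IN SCHEMA SALES.REPORTING TO ROLE SALES_RO_AR;

-- The read-write access role inherits read access and adds write privileges.
GRANT ROLE SALES_RO_AR TO ROLE SALES_RW_AR;
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA SALES.REPORTING
  TO ROLE SALES_RW_AR;

-- Level 2: functional roles receive access roles, never direct object grants.
GRANT ROLE SALES_RO_AR TO ROLE SALES_ANALYST_FR;
GRANT ROLE SALES_RW_AR TO ROLE SALES_ENGINEER_FR;

-- Level 1: the domain role collects the domain's functional roles.
GRANT ROLE SALES_ANALYST_FR  TO ROLE SALES_DOMAIN_DR;
GRANT ROLE SALES_ENGINEER_FR TO ROLE SALES_DOMAIN_DR;

-- Level 0: the domain role rolls up to a system role.
GRANT ROLE SALES_DOMAIN_DR TO ROLE SYSADMIN;

-- Users are given functional roles only.
GRANT ROLE SALES_ANALYST_FR TO USER ALICE;

-- Review the result.
SHOW GRANTS TO ROLE SALES_ANALYST_FR;  -- expect role grants only, no table privileges
SHOW GRANTS TO ROLE SALES_RO_AR;       -- the object privileges live here
SHOW GRANTS OF ROLE SALES_RW_AR;       -- which roles and users hold write access
SHOW GRANTS TO USER ALICE;             -- roles assigned directly to the user
```

Running the `SHOW GRANTS` statements periodically is a quick check that object privileges have not been granted directly to functional roles or users, which would bypass the layering.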

Bella Ellen
