snowflake table creation 08_15_2022 - snowflake-cloud-data-platform

how to perform joins and how to maintain warehouse?
I have tried:
create table table_name (i int, nm string);
How to create a role in Snowflake without any privileges or with minimum privileges?
I tried to create a role with the parent role security-admin.
When I assign this role to a user, I am able to see the databases of the parent role also.
After I created a role with the parent role as PUBLIC, I am still able to see databases.
What shall I do so that a created role does not have access to anything unless I grant it?

When you CREATE ROLE, it's an independent object and does not come with any privileges:
use role accountadmin;
create role empty_role;
show grants to role empty_role;
The last command does not return anything even if it is created by the accountadmin role.
grant role empty_role to user gokhan;
use role empty_role;
show databases;
As the new role has no additional access, the last command shows the databases to which the PUBLIC role has access. I hope this explains why you see some databases when you switch to your new role.

Related

Hide tables from users upon creation in snowflake

Can we hide tables from users upon creation in Snowflake?
Can we set up an access control rule using wildcards on table names? Ex: revoke access to users if table name like '%ETL_TRANSIT%'?
OR
When creating a table/view, do we have an option to choose "not visible to users"?
You will first have to be using a different role to create the tables than the role that will be viewing the tables. I would recommend reviewing the Role-based Access Controls in the documentation: Role Hierarchy and Privilege Inheritance
I'm going to use SYSADMIN as the role that creates objects, and create a new role for viewing called VIEWER just as an example. If you have SYSADMIN access you can test this out yourself:
USE ROLE sysadmin;
CREATE OR REPLACE DATABASE demo_db; -- creating a new db just for demo purposes
CREATE OR REPLACE SCHEMA demo_schema;
USE ROLE securityadmin; -- Use the securityadmin or useradmin to create and manage roles
CREATE ROLE viewer;
GRANT ROLE viewer TO ROLE sysadmin;
-- Now go check out the Roles page in Snowsight under Admin --> Users & Roles
-- You should see viewer underneath sysadmin
USE ROLE viewer; -- You will see nothing because you don't have access to anything
USE ROLE securityadmin;
GRANT USAGE ON WAREHOUSE compute_wh TO ROLE viewer; -- viewer needs a WH to access data
GRANT USAGE ON DATABASE demo_db TO ROLE viewer;
GRANT USAGE ON SCHEMA demo_db.demo_schema TO ROLE viewer;
USE ROLE viewer; -- You will see the db and the schema now
-- Follow this for each new table you create:
USE ROLE sysadmin;
CREATE OR REPLACE TABLE demo_db.demo_schema.demo_tbl (col INT);
USE ROLE viewer; -- You will not see the new table
USE ROLE securityadmin;
GRANT SELECT ON demo_db.demo_schema.demo_tbl TO ROLE viewer;
USE ROLE viewer; -- You will now see the new table and be able to query it
Do NOT grant SELECT on FUTURE TABLES or FUTURE VIEWS in a schema though. If you do that, the VIEWER role will automatically see new tables as you create them. You will want to grant SELECT one at a time based on your requirements.
This is an answer to your second requirement. You could build out a Stored Procedure that could GRANT based on a like, but it would be a highly custom option that would need to run on a schedule or triggered manually.
Unless you have future grants in place or a role is inheriting the role used to create the table, most roles do not automatically gain access to tables created by other roles. You would need to explicitly grant them permissions on the new table (and the table's associated schema/database) in order for the table to be "visible" to the role.
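The two answers above both turn on future grants. The following script is an added example (not from either answer or from Snowflake's documentation) that puts the weak configuration next to the corrected one and shows how to audit for it; it assumes the demo_db, demo_schema, demo_tbl and viewer objects created in the script above already exist.

```sql
-- Added example, not from the answers above. Assumes demo_db.demo_schema,
-- demo_db.demo_schema.demo_tbl and the role viewer from the script above exist.
USE ROLE securityadmin;

-- Weak configuration: a future grant makes every table created later in the
-- schema readable by viewer with no per-table decision, which is exactly
-- what the answer warns against.
GRANT SELECT ON FUTURE TABLES IN SCHEMA demo_db.demo_schema TO ROLE viewer;

-- Audit: list the future grants defined on the schema. Any SELECT row for
-- viewer here means new tables will become visible to it automatically.
SHOW FUTURE GRANTS IN SCHEMA demo_db.demo_schema;

-- Future grants can also be defined at database level, where they apply to
-- every schema in the database, so check that scope too.
SHOW FUTURE GRANTS IN DATABASE demo_db;

-- Corrected configuration: drop the future grant and grant per table instead.
REVOKE SELECT ON FUTURE TABLES IN SCHEMA demo_db.demo_schema FROM ROLE viewer;
GRANT SELECT ON TABLE demo_db.demo_schema.demo_tbl TO ROLE viewer;

-- Verify what viewer now holds. SHOW output can be filtered with RESULT_SCAN;
-- the SHOW column names are lower case and must be double-quoted.
SHOW GRANTS TO ROLE viewer;
SELECT "granted_on", "name", "privilege"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" IN ('TABLE', 'VIEW')
 ORDER BY "name";
```

Running the two SHOW FUTURE GRANTS statements periodically (or after any change made with a role that holds MANAGE GRANTS) is the practical check that nobody has reintroduced a schema- or database-wide future grant for a role that is meant to see tables one at a time.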

Snowflake :: Role to Privilege mapping information

I need information within Snowflake which captures "Role to Privilege mapping".
Example :: If I am a user "USER_01" and I have the role "ANALYST", then I would need to know which objects (database/schema/table/etc.) in the Snowflake account this "ANALYST" role has access to.
Any pointers like queries/metadata tables/etc.. would help as there has to be some metadata tables which would keep this role to privilege mapping.
For e.g., queries like :
show grants to user USER_01
--> This gives what role has been assigned to this user. But this does not convey any information regarding which privileges have been given to that role. Like if this role has got the below access:
grant usage on database DB_01 to role analyst;
grant all privileges on schema schema_01 to role analyst;
grant all privileges on all tables in schema schema_01 to role analyst;
SHOW GRANTS:
SHOW GRANTS TO ROLE <role_name>
Key point: Access Control Framework
Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users.
Access privileges are not assigned directly to users.
If you want to list all the privileges given to a user, you may use the stored procedure described in this KB article:
https://community.snowflake.com/s/article/How-to-Capture-Snowflake-Users-Roles-and-Grants-Into-a-Table
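SHOW GRANTS only answers one hop at a time, and the question wants the full user-to-role-to-privilege mapping. The following query is an added example (not from the answer or the linked KB article) that walks the role hierarchy from a user down through every inherited role and lists the object privileges each one carries. It assumes access to the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database); USER_01 is the user from the question.

```sql
-- Added example, not from the answer above. Uses the SNOWFLAKE.ACCOUNT_USAGE
-- views, which need ACCOUNTADMIN (or IMPORTED PRIVILEGES on the SNOWFLAKE
-- database) and lag the live state by up to about two hours.
SET target_user = 'USER_01';  -- user from the question

WITH RECURSIVE role_tree AS (
    -- Anchor: roles granted directly to the user. PUBLIC is added explicitly
    -- because every user holds it implicitly and it never appears in
    -- GRANTS_TO_USERS.
    SELECT r.role_name, 0 AS depth, r.role_name AS via
      FROM (
            SELECT u.role AS role_name
              FROM snowflake.account_usage.grants_to_users u
             WHERE u.grantee_name = $target_user
               AND u.deleted_on IS NULL
            UNION
            SELECT 'PUBLIC'
           ) r
    UNION ALL
    -- Recursive step: a GRANTS_TO_ROLES row with GRANTED_ON = 'ROLE' records
    -- that role NAME was granted to role GRANTEE_NAME, so GRANTEE_NAME
    -- inherits everything NAME can do.
    SELECT g.name, rt.depth + 1, rt.via
      FROM snowflake.account_usage.grants_to_roles g
      JOIN role_tree rt ON g.grantee_name = rt.role_name
     WHERE g.granted_on = 'ROLE'
       AND g.granted_to = 'ROLE'
       AND g.deleted_on IS NULL
)
SELECT DISTINCT
       rt.via           AS directly_granted_role,
       rt.role_name     AS effective_role,
       rt.depth,
       p.privilege,
       p.granted_on     AS object_type,
       p.table_catalog  AS database_name,
       p.table_schema   AS schema_name,
       p.name           AS object_name,
       p.grant_option
  FROM role_tree rt
  JOIN snowflake.account_usage.grants_to_roles p
    ON p.grantee_name = rt.role_name
 WHERE p.granted_to = 'ROLE'
   AND p.granted_on <> 'ROLE'   -- object privileges only, not the hierarchy edges
   AND p.deleted_on IS NULL
 ORDER BY directly_granted_role, effective_role, database_name, schema_name, object_name;
```

The depth column tells you how far down the hierarchy a privilege came from, and directly_granted_role tells you which grant to the user would have to be revoked to remove it. Because the Account Usage views are delayed, confirm anything you are about to act on with a live SHOW GRANTS TO ROLE for the effective role.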

Roles on Snowflake - I do not want to see all databases

I want to create a role on Snowflake limited only to one database and one schema and give it read access on all tables there.
I create a role and grant:
grant usage on database1,
grant usage on database1.schema1,
grant select on all tables in database1.schema1,
and I grant usage and operate on one warehouse1.
However, in addition to this I am also seeing other databases and other schemas with this role, despite no grants being added, and there is also an additional warehouse besides warehouse1.
How can I limit access with this role and not see something that appears as a default
'databases' even for roles with no grants?
Regards
P
You will be able to find out what the role can and cannot do.
Check which users and/or roles are granted the role:
show grants of role <role_name>;
Then check what privileges were given to the role:
show grants to role <role_name>;
All the users are granted the PUBLIC role. Hence, never grant any privileges to the PUBLIC role, as this simply means giving the whole world access to a database, schema and tables/views etc.
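Both this answer and the earlier "When you CREATE ROLE" answer put the unexpected visibility down to grants held by PUBLIC. The following script is an added example (not from either answer) that checks that in real time with SHOW and RESULT_SCAN, confirms that the role in the question holds nothing outside database1 and warehouse1, and shows the revoke that removes a stray PUBLIC grant. It assumes SECURITYADMIN, that the role is named limited_role, and that some_shared_db is a placeholder for whatever database turns up in the first query.

```sql
-- Added example, not from the answers above. Uses SHOW + RESULT_SCAN, which
-- reflects the live state with no Account Usage latency. Assumes SECURITYADMIN.
USE ROLE securityadmin;

-- 1. Everything granted to PUBLIC. Every user holds PUBLIC implicitly, so each
--    row here is visible to every user and every role in the account.
SHOW GRANTS TO ROLE public;
SELECT "privilege", "granted_on", "name", "granted_by", "created_on"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" IN ('DATABASE', 'SCHEMA', 'TABLE', 'VIEW', 'WAREHOUSE')
 ORDER BY "granted_on", "name";

-- 2. The role from the question (limited_role is an assumed name). Any row
--    with granted_on = 'ROLE' means it inherits another role; any object
--    outside DATABASE1 or WAREHOUSE1 is a grant that should not be there.
SHOW GRANTS TO ROLE limited_role;
SELECT "privilege", "granted_on", "name"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" = 'ROLE'
    OR ("name" NOT LIKE 'DATABASE1%' AND "name" <> 'WAREHOUSE1');

-- 3. Remediation for the usual cause: USAGE on a database granted to PUBLIC.
--    some_shared_db is a placeholder for a database found in step 1.
REVOKE USAGE ON DATABASE some_shared_db FROM ROLE public;

-- A database imported from a share (the sample data database is the common
-- case) is revoked with IMPORTED PRIVILEGES rather than USAGE.
REVOKE IMPORTED PRIVILEGES ON DATABASE snowflake_sample_data FROM ROLE public;

-- 4. Re-check: step 1 should now show nothing for the revoked database.
SHOW GRANTS TO ROLE public;
```

If step 2 returns a row with granted_on = 'ROLE', the extra databases are coming through inheritance rather than through PUBLIC, and the fix is REVOKE ROLE <inherited_role> FROM ROLE limited_role rather than touching PUBLIC.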

Snowflake role creation with minimum privileges

When you create a role, it does not come with any privileges. The role can only access the objects granted to role PUBLIC:
use role accountadmin;
create role testing_role;
grant role testing_role to user gokhan;
use role testing_role;
show databases;
SAMPLE_DATA ...
show grants to role testing_role;
The last command will return zero rows. Are you sure you switched to the role when checking databases? Also note that the UI has separate roles for worksheets and the tabs:
https://docs.snowflake.com/en/user-guide/ui-worksheet.html#overview-of-features
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html

How to create snowflake security admin role and at same time restrict the permission only on one database

Environment: snowflake database.
I am trying to find a way to create a role which has security admin permissions but limits those permissions to a specific database. Is this doable or not? If so, can anyone help me with this? Thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake, and a lot of its permissions are not database-related (for example role and user management). Indeed, most of the database-related grants belong to the SYSADMIN role.
So if you want to create a custom role having limited permissions on a specific database, you should list the permissions which are database-related and grant those permissions to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level, not db-level objects. So I am guessing you are trying actually to do the same role mgmt that SECURITYADMIN does, but at db-level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role on account to role SECURITYADMIN_DB1;
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then assign all access roles to the custom SECURITYADMIN_DB1 role, so your role will manage that particular db only.
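The answer sketches the pattern but stops before the part that actually scopes the custom admin to one database: the scoped role has to own the access roles for that database, because a role can only grant roles it owns (or hold MANAGE GRANTS, which is account-wide). The following script is an added example (not from the answer or the linked documentation) that builds it end to end. It assumes a database db1 owned by SYSADMIN, access roles named db1_read and db1_write, and a user analyst_01; all of those names are assumptions.

```sql
-- Added example, not from the answer above. Assumes database db1 exists and is
-- owned by SYSADMIN; securityadmin_db1, db1_read, db1_write and analyst_01 are
-- assumed names.

-- 1. The scoped admin role. CREATE USER and CREATE ROLE are account-level
--    privileges; the database scoping comes from which access roles this role
--    owns, not from these two grants.
USE ROLE securityadmin;
CREATE ROLE IF NOT EXISTS securityadmin_db1;
GRANT CREATE USER, CREATE ROLE ON ACCOUNT TO ROLE securityadmin_db1;

-- 2. Access roles for db1, with ownership handed to the scoped admin so that it
--    can grant and revoke them. It owns nothing for any other database.
CREATE ROLE IF NOT EXISTS db1_read;
CREATE ROLE IF NOT EXISTS db1_write;
GRANT OWNERSHIP ON ROLE db1_read  TO ROLE securityadmin_db1;
GRANT OWNERSHIP ON ROLE db1_write TO ROLE securityadmin_db1;

-- 3. Object privileges are granted by the object owner (SYSADMIN here), so the
--    scoped admin never needs MANAGE GRANTS. db1_write inherits db1_read.
USE ROLE sysadmin;
GRANT USAGE ON DATABASE db1 TO ROLE db1_read;
GRANT USAGE ON ALL SCHEMAS IN DATABASE db1 TO ROLE db1_read;
GRANT SELECT ON ALL TABLES IN DATABASE db1 TO ROLE db1_read;
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN DATABASE db1 TO ROLE db1_write;
GRANT ROLE db1_read TO ROLE db1_write;
-- Roll the top access role up to SYSADMIN so the hierarchy stays connected.
GRANT ROLE db1_write TO ROLE sysadmin;

-- 4. The scoped admin can now hand out db1 access, and only db1 access.
USE ROLE securityadmin_db1;
GRANT ROLE db1_read TO USER analyst_01;

-- 5. Verify the scope: the only rows should be the two account privileges
--    from step 1 and OWNERSHIP of the two db1 roles from step 2.
SHOW GRANTS TO ROLE securityadmin_db1;
```

Because securityadmin_db1 owns the db1 roles but not the db1 objects, it can decide who may read or write db1 but cannot widen what those roles can do; changing the privileges themselves still goes through the object owner.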
