Regarding Snowflake Role Permissions - database

I would like to know about snowflake permission settings.
"User A" has only "create user" privileges.
It also has the authority to handle objects under the database.
However, "User A" does not have the authority to handle roles such as "create role".
"User A" has "Role A" granted by the administrator. I want "user A" to be able to grant roles to other users only "role A" that he himself has been granted.
In other words, if it is a role that has been granted to yourself, I would like to set permissions so that it can be granted to other users.
Is it possible to set such permissions? Please let me know your query if possible.

Grant role to role with grant option is not available.
https://docs.snowflake.com/en/sql-reference/sql/grant-role.html#syntax
However, grant privilege to a role with a grant option is available.
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax

Related

What permissions are required to access information_schema.warehouse_load_history from snowsql?

What permissions are required to access information_schema.warehouse_load_history from snowsql? I created a role and user like the below and this shows 0 results.
create role TESTROLE;
grant imported privileges on database SNOWFLAKE to role TESTROLE;
create user TEST_USER
LOGIN_NAME = TEST_USER
password = 'Testsnowflake$1234'
default_warehouse = TEST_WH
default_role = TESTROLE
default_namespace = SNOWFLAKE.INFORMATION_SCHEMA;
grant role TESTROLE to user TEST_USER;
grant usage on WAREHOUSE TEST_WH to role TESTROLE;
Please see this link for required privileges
https://docs.snowflake.com/en/sql-reference/functions/warehouse_load_history.html#usage-notes
To get results from this function, one of the following roles or
privileges are required:
The ACCOUNTADMIN role can get results from this function as it has all
of the global account permissions.
A role with the MONITOR USAGE global privilege on the ACCOUNT can
query this function for any warehouses in the account.
A role with the MONITOR privilege on the WAREHOUSE can query this
function for the warehouse it has permissions on.
A role with the OWNERSHIP privilege on the WAREHOUSE has all
permissions on the warehouse including MONITOR.
For more details, see Access Control Privileges.
When calling an Information Schema table function, the session must
have an INFORMATION_SCHEMA schema in use or the function name must be
fully-qualified. For more details, see Snowflake Information Schema.

Snowflake - Give full access on database to role; revoke access on specific schemas to user that is part of the role

Is there a way to do this?
There is a admin role which is the owner of the database, schema & all other objects.
There is tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that any new objects created - the ownership will be on the admin role).
Have to revoke access to users of the tester role access on all other schemas in the database
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this - The testerrole needs to be able to create objects in the DEVSCHM, but ownership of the object should still be held with adminrole
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role

Why does a newly created snowflake role has access to all existing databases?

I used the following statements:
USE ROLE SECURITYADMIN;
CREATE ROLE TEST_ROLE;
CREATE USER TEST_USER PASSWORD='PASSWORD', DEFAULT_ROLE='TEST_ROLE', DEFAULT_WAREHOUSE='MY_WH';
GRANT ROLE TEST_ROLE TO TEST_USER;
When I login with the TEST_USER, the user has access to all existing databases/schemas/tables/views. How come?
This is expected behaviour if the PUBLIC role was granted access to all your database objects.
By default, all users belong to the PUBLIC role.
You may check the privileges of the TEST_ROLE with this grant statement, which lists all privileges and roles granted to the role:
show grants to role TEST_ROLE;
and lists all users and roles to which the role has been granted:
show grants of role TEST_ROLE;

Insufficient privileges to operate on 'SYSTEM' running SHOW ORGANIZATION ACCOUNTS

I'm new to snowflake and trying to read through all the documentation. One of the subjects was account identifiers and provided SQL to show organization accounts. When trying to execute this under the ACCOUNTADMIN role, I receive the following error.
SHOW ORGANIZATION ACCOUNTS
SQL access control error: Insufficient privileges to operate on
'SYSTEM'
If account admin is the most powerful account, what else might be happening here?
You should execute this command as an ORGADMIN. Only organization administrators (users with the ORGADMIN role) can execute this SQL command.
https://docs.snowflake.com/en/sql-reference/sql/show-organization-accounts.html#usage-notes
Enabling the ORGADMIN role
https://docs.snowflake.com/en/user-guide/organizations-gs.html#enabling-the-orgadmin-role-for-an-account
https://docs.snowflake.com/en/user-guide/organizations-gs.html#assigning-the-orgadmin-role-to-a-user-or-role
https://docs.snowflake.com/en/user-guide/organizations.html#orgadmin-role
ACCOUNTADMIN is the highest privileged role in an account but Organisation is a level above accounts. Firstly you would need to be set up to use Organisations and then you would need to use the ORGADMIN role to run Organisation-level queries
Please run below statement to grant ORGADMIN role in your account. This will allow you to use Organizations feature.
use role ACCOUNTADMIN;
grant role orgadmin to user <username>;--Run with accountadmin role
Or
use role ACCOUNTADMIN;
grant role orgadmin to role <non-systemroles>;--Run with accountadmin role
Doc link: https://docs.snowflake.com/en/user-guide-organizations.html

Snowflake :: Role to Privilege mapping information

I need information within Snowflake which captures "Role to Privilege mapping".
Example :: If I am an user "USER_01" & I have the role as "ANALYST", then this "ANALYST" role has access to which all the objects (database/schema/table/etc..) in Snowflake account I would need that information.
Any pointers like queries/metadata tables/etc.. would help as there has to be some metadata tables which would keep this role to privilege mapping.
For e.g., queries like :
show grants to user USER_01
--> This gives what role has been assigned to this user. But this do not convey any information regarding what all privileges has been given to that role. Like if this role has got below access:
grant usage on database DB_01 to role analyst;
grant all privileges on schema schema_01 to role analyst;
grant all privileges on all tables in schema schema_01 to role analyst;
SHOW GRANTS:
SHOW GRANTS TO ROLE <role_name>
Key point: Access Control Framework
Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users.
Access priviliges are not assigned directly to users.
If you want to list all the privileges given to a user, you may use the stored procedure described in this KB article:
https://community.snowflake.com/s/article/How-to-Capture-Snowflake-Users-Roles-and-Grants-Into-a-Table

Resources