We want to give SYSADMIN the privilege to create integrations for an automated pipeline.
We ran the following with the ACCOUNTADMIN role but got a syntax error
GRANT CREATE INTEGRATION TO ROLE SYSADMIN;
What is the correct statement for this?
Answer -
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE SYSADMIN;
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE SYSADMIN;
You can also refer to the syntax shared in the link below for the format of granting the privileges to roles
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax
Related
I have a share(i.e. shareTest_share) in accountAdmin role in one of my reader accounts in snowflake.
Now I want to create a database from this, but from sysAdmin role.
The statement for creating database is:
CREATE or replace DATABASE shareTest_db FROM SHARE mukulanalytics.shareTest_share
This is giving permission issue since I am trying to execute it from the sysAdmin role instead of accountAdmin role which has the access to shareTest_share share.
Error:
SQL access control error: Insufficient privileges to operate on foreign share 'SHARETEST_SHARE'
How can I create a database from share in a different role with share in another role?
You will have to grant the IMPORT SHARE privilege to SYSADMIN/any other users
use role accountadmin
grant import share on account to sysadmin
use role sysadmin
create database TEST from share <>
https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html
the privileges required to achieve this are described here: https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html
I'm new to snowflake and trying to read through all the documentation. One of the subjects was account identifiers and provided SQL to show organization accounts. When trying to execute this under the ACCOUNTADMIN role, I receive the following error.
SHOW ORGANIZATION ACCOUNTS
SQL access control error: Insufficient privileges to operate on
'SYSTEM'
If account admin is the most powerful account, what else might be happening here?
You should execute this command as an ORGADMIN. Only organization administrators (users with the ORGADMIN role) can execute this SQL command.
https://docs.snowflake.com/en/sql-reference/sql/show-organization-accounts.html#usage-notes
Enabling the ORGADMIN role
https://docs.snowflake.com/en/user-guide/organizations-gs.html#enabling-the-orgadmin-role-for-an-account
https://docs.snowflake.com/en/user-guide/organizations-gs.html#assigning-the-orgadmin-role-to-a-user-or-role
https://docs.snowflake.com/en/user-guide/organizations.html#orgadmin-role
ACCOUNTADMIN is the highest privileged role in an account but Organisation is a level above accounts. Firstly you would need to be set up to use Organisations and then you would need to use the ORGADMIN role to run Organisation-level queries
Please run below statement to grant ORGADMIN role in your account. This will allow you to use Organizations feature.
use role ACCOUNTADMIN;
grant role orgadmin to user <username>;--Run with accountadmin role
Or
use role ACCOUNTADMIN;
grant role orgadmin to role <non-systemroles>;--Run with accountadmin role
Doc link: https://docs.snowflake.com/en/user-guide-organizations.html
Environment: snowflake database.
i am trying to find a way to create a role which have security admin permission but should limit the permission only to specific database. is this doable or not? if so, anyone can help me on this? thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake and a lot of his permissions are not database-related (for example role and user management). Indeed most of the database-related grants belongs to SYSADMIN role.
So if you want to create a custom role having limited permissions on a specific database. You should list the permission which are database related and grant this permissions to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level, not db-level objects. So I am guessing you are trying actually to do the same role mgmt that SECURITYADMIN does, but at db-level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role to SECURITYADMIN_DB1;
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then assign all access roles to the custom SECURITYADMIN_DB1 role, so your role will manage that particular db only.
I'm trying to grant usage on a security integration I have created.
GRANT USAGE ON INTEGRATION <integration_name> TO ROLE test_role;
This should be the query that would grant usage, and it runs without error ('Statement executed successfully.'). But it doesn't do anything, I can't get any details on the security integration.
DESC SECURITY INTEGRATION <integration_name>
This is what I would like to run with the test_role, but it still says 'SQL access control error: Insufficient privileges to operate on integration '<integration_name>'.
Is it just not possbile to grant usage on a security integration?
As I see, only the owner of the security integration object can use DESCRIBE command on the object. You may change the ownership and test it:
USE ROLE accountadmin;
grant ownership on INTEGRATION test_integration to role test_role REVOKE CURRENT GRANTS;
USE ROLE test_role;
DESC SECURITY INTEGRATION test_integration;
SYSADMIN role cannot create roles at the moment or at least that's what I learned from the docs. Does anyone know how to allow SYSADMIN to create roles?
You can grant the CREATE ROLE privilege to a role. Why not create a custom role that meets your needs instead of manipulating a system-defined role? https://docs.snowflake.net/manuals/user-guide/security-access-control-privileges.html#global-privileges
Only roles which inherit the privileges of the the SECURITYADMIN role will be able to create users. From the docs:
The security administrator (SECURITYADMIN) role includes the privileges to create and manage users and roles
This means you should be able to add the SYSADMIN role as a member of the SECURITYADMIN role and you'll be able to manage users and roles with SYSADMIN.
As #SuzyLockwood has mentioned though, you should probably create a separate role to manage these objects