Insufficient privileges to operate on 'SYSTEM' running SHOW ORGANIZATION ACCOUNTS - snowflake-cloud-data-platform

I'm new to snowflake and trying to read through all the documentation. One of the subjects was account identifiers and provided SQL to show organization accounts. When trying to execute this under the ACCOUNTADMIN role, I receive the following error.
SHOW ORGANIZATION ACCOUNTS
SQL access control error: Insufficient privileges to operate on
'SYSTEM'
If account admin is the most powerful account, what else might be happening here?

You should execute this command as an ORGADMIN. Only organization administrators (users with the ORGADMIN role) can execute this SQL command.
https://docs.snowflake.com/en/sql-reference/sql/show-organization-accounts.html#usage-notes
Enabling the ORGADMIN role
https://docs.snowflake.com/en/user-guide/organizations-gs.html#enabling-the-orgadmin-role-for-an-account
https://docs.snowflake.com/en/user-guide/organizations-gs.html#assigning-the-orgadmin-role-to-a-user-or-role
https://docs.snowflake.com/en/user-guide/organizations.html#orgadmin-role

ACCOUNTADMIN is the highest privileged role in an account, but Organisation is a level above accounts. Firstly, you would need to be set up to use Organisations, and then you would need to use the ORGADMIN role to run Organisation-level queries.

Please run the statement below to grant the ORGADMIN role in your account. This will allow you to use the Organizations feature.
use role ACCOUNTADMIN;
grant role orgadmin to user <username>;--Run with accountadmin role
Or
use role ACCOUNTADMIN;
grant role orgadmin to role <non-systemroles>;--Run with accountadmin role
Doc link: https://docs.snowflake.com/en/user-guide-organizations.html

Related

What permissions are required to access information_schema.warehouse_load_history from snowsql?

What permissions are required to access information_schema.warehouse_load_history from snowsql? I created a role and user like the below and this shows 0 results.
create role TESTROLE;
grant imported privileges on database SNOWFLAKE to role TESTROLE;
create user TEST_USER
LOGIN_NAME = TEST_USER
password = 'Testsnowflake$1234'
default_warehouse = TEST_WH
default_role = TESTROLE
default_namespace = SNOWFLAKE.INFORMATION_SCHEMA;
grant role TESTROLE to user TEST_USER;
grant usage on WAREHOUSE TEST_WH to role TESTROLE;
Please see this link for the required privileges:
https://docs.snowflake.com/en/sql-reference/functions/warehouse_load_history.html#usage-notes
To get results from this function, one of the following roles or privileges are required:
The ACCOUNTADMIN role can get results from this function as it has all of the global account permissions.
A role with the MONITOR USAGE global privilege on the ACCOUNT can query this function for any warehouses in the account.
A role with the MONITOR privilege on the WAREHOUSE can query this function for the warehouse it has permissions on.
A role with the OWNERSHIP privilege on the WAREHOUSE has all permissions on the warehouse including MONITOR.
For more details, see Access Control Privileges.
When calling an Information Schema table function, the session must have an INFORMATION_SCHEMA schema in use or the function name must be fully-qualified. For more details, see Snowflake Information Schema.
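An added example (not part of the original answer) that applies the least privilege on the list above to the role and warehouse from the question: MONITOR on the one warehouse rather than MONITOR USAGE on the account or ACCOUNTADMIN. Note that the `grant imported privileges on database SNOWFLAKE` in the question only exposes the SNOWFLAKE.ACCOUNT_USAGE share; it is not what gates the Information Schema table function. The 24-hour window is an assumed parameter.

```sql
-- Added example: grant the warehouse-scoped MONITOR privilege and query the
-- table function fully qualified. TEST_WH and TESTROLE come from the question.
use role ACCOUNTADMIN;
grant monitor on warehouse TEST_WH to role TESTROLE;

-- Verify: the output should now list MONITOR on WAREHOUSE TEST_WH
show grants to role TESTROLE;

-- As the restricted user. Fully qualifying the function means it works
-- whether or not the session has an INFORMATION_SCHEMA schema in use.
use role TESTROLE;
use warehouse TEST_WH;
select start_time, end_time, avg_running, avg_queued_load
from table(SNOWFLAKE.INFORMATION_SCHEMA.warehouse_load_history(
    date_range_start => dateadd('hour', -24, current_timestamp()),
    warehouse_name   => 'TEST_WH'))
order by start_time;
```

With only MONITOR on TEST_WH the same call with `warehouse_name => 'OTHER_WH'` (or with no warehouse filter) returns nothing for warehouses the role cannot monitor, which is the behaviour you want from a monitoring-only role.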

How to GRANT CREATE INTEGRATION to role SYSADMIN

We want to give SYSADMIN the privilege to create integrations for an automated pipeline.
We ran the following with the ACCOUNTADMIN role but got a syntax error
GRANT CREATE INTEGRATION TO ROLE SYSADMIN;
What is the correct statement for this?
Answer -
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE SYSADMIN;
You can also refer to the syntax in the link below for the format of granting privileges to roles:
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax

How to create snowflake security admin role and at same time restrict the permission only on one database

Environment: Snowflake database.
I am trying to find a way to create a role which has security admin permissions but limits them to a specific database. Is this doable or not? If so, can anyone help me with this? Thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake, and a lot of its permissions are not database-related (for example, role and user management). Indeed, most of the database-related grants belong to the SYSADMIN role.
So if you want to create a custom role with limited permissions on a specific database, you should list the database-related permissions and grant them to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level objects, not database-level ones. So I am guessing you are actually trying to do the same role management that SECURITYADMIN does, but at the database level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role on account to role SECURITYADMIN_DB1; -- global privileges are granted ON ACCOUNT
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then grant all the access roles to the custom SECURITYADMIN_DB1 role, so that it manages that particular database only.
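The access-role step above, as an added example that is not part of the original answer. It builds two database-scoped access roles for SECURITYADMIN_DB1 and makes that role their owner, since a role's owner can grant and revoke it without holding MANAGE GRANTS on the account. The database DB1, the role names DB1_R and DB1_RW, and the user name are assumed for illustration.

```sql
-- Added example: database-scoped access roles owned by SECURITYADMIN_DB1.
use role SECURITYADMIN;

-- One access role per privilege level, scoped to a single database
create role DB1_R;
create role DB1_RW;

-- Transfer ownership first: the owner of a role may grant it to users and
-- roles, which is all the scoped admin needs to "manage" DB1 access.
grant ownership on role DB1_R  to role SECURITYADMIN_DB1;
grant ownership on role DB1_RW to role SECURITYADMIN_DB1;

-- Object privileges are granted here by SECURITYADMIN (MANAGE GRANTS).
-- Nothing below touches any database other than DB1.
grant usage on database DB1 to role DB1_R;
grant usage on all schemas in database DB1 to role DB1_R;
grant select on all tables in database DB1 to role DB1_R;
grant select on future tables in database DB1 to role DB1_R;

grant role DB1_R to role DB1_RW;                  -- read-write includes read
grant insert, update, delete on all tables in database DB1 to role DB1_RW;
grant insert, update, delete on future tables in database DB1 to role DB1_RW;

-- Keep the access roles under the SYSADMIN hierarchy, as the linked doc recommends
grant role DB1_RW to role SYSADMIN;

-- The scoped admin can now hand out DB1 access on its own...
use role SECURITYADMIN_DB1;
grant role DB1_R to user alice;

-- ...but holds no privileges on other databases: this should show only
-- CREATE USER, CREATE ROLE and ownership of the two DB1 roles.
show grants to role SECURITYADMIN_DB1;
```

The separation that matters is that SECURITYADMIN_DB1 never receives MANAGE GRANTS; everything it can do is bounded by the roles it owns, so adding a second database means adding another pair of access roles rather than widening the admin role.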

Can we grant permissions to perform SHOW LOCKS IN ACCOUNT to a role in Snowflake

Can we grant permissions to perform SHOW LOCKS IN ACCOUNT to a role in Snowflake
Or only Admins can do that?
You need to be ACCOUNTADMIN to see those:
https://docs.snowflake.com/en/sql-reference/sql/show-locks.html#parameters

How to allow sysadmin to create role?

SYSADMIN role cannot create roles at the moment or at least that's what I learned from the docs. Does anyone know how to allow SYSADMIN to create roles?
You can grant the CREATE ROLE privilege to a role. Why not create a custom role that meets your needs instead of manipulating a system-defined role? https://docs.snowflake.net/manuals/user-guide/security-access-control-privileges.html#global-privileges
Only roles which inherit the privileges of the SECURITYADMIN role will be able to create users. From the docs:
The security administrator (SECURITYADMIN) role includes the privileges to create and manage users and roles
This means you should be able to add the SYSADMIN role as a member of the SECURITYADMIN role and you'll be able to manage users and roles with SYSADMIN.
As @SuzyLockwood has mentioned though, you should probably create a separate role to manage these objects.
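An added example (not from either answer) of the custom-role approach: SYSADMIN inherits CREATE ROLE through a small role instead of being made a member of SECURITYADMIN, so it gains no CREATE USER or MANAGE GRANTS. The names ROLE_MANAGER, ETL_ROLE and the user are assumed for illustration.

```sql
-- Added example: delegate CREATE ROLE to SYSADMIN through a custom role.
use role SECURITYADMIN;               -- holds MANAGE GRANTS, so it can grant CREATE ROLE
create role ROLE_MANAGER;
grant create role on account to role ROLE_MANAGER;
grant role ROLE_MANAGER to role SYSADMIN;   -- SYSADMIN now inherits CREATE ROLE only

-- With SYSADMIN active the inherited privilege applies. The new role is owned
-- by the active role, SYSADMIN, which can therefore grant it on without
-- needing MANAGE GRANTS.
use role SYSADMIN;
create role ETL_ROLE;
grant role ETL_ROLE to user etl_svc;

-- Check what changed: CREATE ROLE arrives via ROLE_MANAGER; CREATE USER and
-- MANAGE GRANTS should still be absent from both listings.
show grants to role SYSADMIN;
show grants to role ROLE_MANAGER;
```

If you later need to take the capability away, `revoke role ROLE_MANAGER from role SYSADMIN;` undoes it without touching anything else SYSADMIN owns.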
