Mapping between Azure AD and Snowflake roles - snowflake-cloud-data-platform

I have seen a similar post here but it doesn't answer my question.
I have long Azure AD group names and would like to map them to shorter role names in Snowflake. Is this possible? From my understanding, the name of the group will become the name of the role (1 to 1), right?
I would be grateful for any feedback,
Rafal

That's correct. The Azure AD group name will become the name of the role within Snowflake.
More details:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/snowflake-provisioning-tutorial
https://docs.snowflake.com/en/user-guide/scim-azure.html#azure-scim-integration-with-snowflake
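Added example (not from the thread or from either vendor's documentation): Snowflake SQL that leaves the SCIM-provisioned role with its Azure AD group name, as the answer states, and layers a shorter functional role's privileges underneath it through Snowflake's role hierarchy. The group name, role, warehouse, database and schema names are placeholders.

```sql
-- Assumed: SCIM provisioning from Azure AD has already created a role whose
-- name equals the Azure AD group name (placeholder below). Leave that name
-- alone: the SCIM integration matches group to role by name.
USE ROLE SECURITYADMIN;

-- Short functional role that actually carries the privileges.
CREATE ROLE IF NOT EXISTS analyst_sales;
GRANT USAGE ON WAREHOUSE reporting_wh TO ROLE analyst_sales;
GRANT USAGE ON DATABASE sales_db TO ROLE analyst_sales;
GRANT USAGE ON SCHEMA sales_db.public TO ROLE analyst_sales;
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.public TO ROLE analyst_sales;

-- Grant the short role TO the long SCIM-managed role: every member of the
-- Azure AD group inherits analyst_sales, and the 1:1 group/role name is kept.
-- The quoted identifier must match the provisioned role name exactly.
GRANT ROLE analyst_sales TO ROLE "AAD-Sales-Analytics-EMEA-Production-Readers";

-- Keep the hierarchy rooted so SYSADMIN retains visibility of the objects.
GRANT ROLE analyst_sales TO ROLE SYSADMIN;

-- Verify: the long role lists analyst_sales as a granted role, while the
-- object privileges appear only on analyst_sales.
SHOW GRANTS TO ROLE "AAD-Sales-Analytics-EMEA-Production-Readers";
SHOW GRANTS TO ROLE analyst_sales;
```

Privileges stay on the short roles, so renaming or re-provisioning a group only changes which long role sits on top of them.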

Related

Snowflake: Does anyone have any idea how to create a Snowflake organization to organize all the Snowflake accounts

Can anyone explain the complete process to create a Snowflake organization account and the way to attach/detach an account from it? I looked into the Snowflake console as well as the documentation but have not gotten clarity.
You should submit a ticket to Snowflake Support to enable organization on one of your accounts. This will create the ORGADMIN role in the account. Then you can grant this role to one of your users. The user which has the ORGADMIN role can access the Organization page. From the organization page, you can see your existing accounts, and create new accounts. When you create a new account, it will be in your organization automatically.
If you have an account which you can't see on the organization page, that means the account was created in another organization. In this case, you need to submit a ticket to Snowflake Support and ask them to move your account to your organization.
Normally, it's expected that each customer should have one organization, but if you have multiple organizations, you can also ask Snowflake Support to move your account from one organization to another (that's how you would detach). If you want to drop an account, you should also contact Snowflake Support; it can't be done through the organization page.

We are trying to make Snowflake work AD SSO Logon using Azure AD SSO. How does Active Directory SSO work?

They are trying to migrate an Oracle database into Snowflake. They are going to convert all existing Oracle accounts to Snowflake accounts. Now, if AD LDAP logon is enabled, do new users only have to be created on the LDAP end, and will those be able to be tagged to accounts while connecting to Snowflake? Say currently there are 10 Oracle accounts which were converted into 10 Snowflake accounts. If LDAP is enabled, can multiple employee IDs be added to use one of the 10 Snowflake accounts, by creating an LDAP account?
Sorry if I sound dumb. I am not too experienced in LDAP/AD/admin work.
You usually have one Azure AD and need to configure every Snowflake account to use it.
Which employee can access which Snowflake account is controlled on the Snowflake side, where you need to create a database user.
Say "Martina" needs access to Snowflake Account A and B. You need her in the Azure AD, as well as create her user in Account A and B.
You can find more details on how to do this here:
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-snowflake.html

On premise AD objectGUID is different than object id in Microsoft Graph

I have a question similar to: On premise Active Directory ObjectId is different than Azure Active Directory ObjectId
We used objectGUID in AD to uniquely identify the users and groups. We also maintain the group memberships using objectGUID. When querying Microsoft tenant using Microsoft Graph, what we see for the id from User or Group objects is different from what we get from the on-prem AD. This makes it difficult to correlate the AAD and AD resources.
I tried to use onPremisesImmutableId using the request below, only to find that this id is my employee id.
/v1.0/me?$select=id,userPrincipalName,onPremisesSecurityIdentifier,displayName,onPremisesImmutableId
Any idea how to retrieve the same objectGUID in the AAD world? I could not find anything close by looking at the User documentation.
Also for Group objects, I could not find the property onPremisesDomainName, similar to that in User objects. Is this by design?
That was the correct answer back when it was written, but things have changed a bit since then. There is an excellent blog post at Azure AD Connect: objectGUID vs. mS-DS-ConsistencyGuid that discusses this change. Specifically this bit:
Before Azure AD Connect version 1.1.524.0, Azure AD Connect (but also Azure AD Sync and DirSync) defaulted to the objectGUID attribute for objects as the source anchor. Azure AD Connect version 1.1.553.0, and beyond, defaults to the mS-DS-ConsistencyGuid for user objects, but objectGUID for groups and computer objects.
In your case, it sounds like your particular tenant mapping was configured differently (i.e. your employee id).
Given the issues raised in the blog post, I'd recommend against using objectGUID for this purpose altogether. If you're looking for a single property across both User and Group resources, I'd suggest looking at onPremisesSecurityIdentifier instead. This holds the SID from your on-prem AD.

Active Directory Ldap query to get all users of the same primary group of a user

I need an LDAP query for Windows Server 2012 AD starting from the username of a user and getting all his colleagues. In my AD, colleagues are identified by the same PRIMARY group.
Is it possible, or do I need a two-step query?
Thank you.
Unfortunately, LDAP filtering syntax does not allow for sub-queries within the expression.
You'd have to break this into two parts: first get the user's DirectoryEntry record, then use his PrimaryGroupID in a separate filter, something like:
(&(objectClass=user)(sAMAccountName=JSmith))
Now let's say JSmith is part of the default "Domain Users" group (513):
(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))
This will return all users that share that same PrimaryGroupID.

User management in MSSQL

I'm trying to set up security for my application for users. I am not sure about my logic. Is the following possible:
I want to create 1 login for 'all users' in Active Directory. Then I want an admin (in the program itself) to choose which user is in which server role (e.g. marketing, sales, ...). Then I want to give those roles permissions to the tables in the database.
Some questions about this:
Is this safe? Does the admin of the program have to be db owner?
Is it possible to list the users by name, instead of the login 'All users'? The admin has to be able to place a user in a role after it is created in AD.
I use the function SUSER_NAME(); will this return the current user or the group name 'All Users'?
If this isn't the right way to set up security, please send me in the right direction.
Thanks!
Part of the best solution already lies in your desire to use the Active Directory to authenticate your users. Let it authorise your users as well. Marketing isn't just a database role that specifies access to your tables. It's a department of your company with file shares, mailing lists as well as a role to play in your application. Get your domain admin to make an AD group called Marketing and let them add and remove people as appropriate. Likewise for the Sales department and other departments who touch your database.
When that is done, add the MYDOMAIN\Marketing group as a login on your server and as a user in your database. It will behave more or less like the roles you've described so you can still go ahead and create the roles, add that domain group to the role and grant to the role or grant to that user directly since it identifies a group of people. This also gives you the chance to reconsider your role definitions. Are they really about Marketing people and Sales people or are they CustomerEditor, CustomerViewer, ProfitAndLossViewer roles?
User and group management is a standard function of AD administration; let them do what they do best. It probably doesn't need to feature too strongly in your solution unless you get very poor service from the domain admins, in which case, why use your AD to manage your users?
This very small change will probably free up a lot of your dev time and release you from reinventing a user management facility that already exists and is easy to use.
Good luck!
Here's what I would do:
Create two roles on the database, one users, one admin. Then create two security groups in AD, SQL.App.Admin and SQL.App.Users (replace App with whatever your app name is). I would then assign those groups to the roles in the database. After that you can drop users and/or security groups into those two groups.
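Added example (not posted by either answerer): T-SQL that carries out both answers above, with one Windows login per AD security group, task-named database roles with the grants, and the group mapped into the role so membership is managed in AD rather than by the application. The domain, database, table, group and role names are placeholders.

```sql
-- Assumed names: domain MYDOMAIN, database AppDb, table dbo.Customer.
USE master;
GO
-- One login per AD security group instead of one login for "all users".
CREATE LOGIN [MYDOMAIN\SQL.App.Users] FROM WINDOWS;
CREATE LOGIN [MYDOMAIN\SQL.App.Admin] FROM WINDOWS;
GO
USE AppDb;
GO
CREATE USER [MYDOMAIN\SQL.App.Users] FOR LOGIN [MYDOMAIN\SQL.App.Users];
CREATE USER [MYDOMAIN\SQL.App.Admin] FOR LOGIN [MYDOMAIN\SQL.App.Admin];

-- Roles named for what they may do, not for the department.
CREATE ROLE CustomerViewer;
CREATE ROLE CustomerEditor;
GRANT SELECT ON dbo.Customer TO CustomerViewer;
GRANT SELECT, INSERT, UPDATE ON dbo.Customer TO CustomerEditor;

-- Map the AD groups onto the roles. Adding or removing a person is now an AD
-- group change; the application admin needs no db_owner rights at all.
ALTER ROLE CustomerViewer ADD MEMBER [MYDOMAIN\SQL.App.Users];
ALTER ROLE CustomerEditor ADD MEMBER [MYDOMAIN\SQL.App.Admin];
GO
-- What the application sees when a group member connects: the Windows login
-- is the individual's own DOMAIN\name, while the database user is the group.
SELECT SUSER_SNAME() AS windows_login,
       USER_NAME() AS database_user,
       IS_MEMBER('MYDOMAIN\SQL.App.Admin') AS is_app_admin;  -- 1, 0 or NULL
```

The last query answers the SUSER_NAME() question: the individual user is identified per connection even though only the group was granted access.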
