How to see list of users in a role snowflake - snowflake-cloud-data-platform

We can see what roles are assigned to a user, but how do I see the list of users in a role in Snowflake?
For example, I have a role svn_dev_admin and I need to see all users under this role.
Thanks,
Xi

https://docs.snowflake.com/en/sql-reference/sql/show-grants.html will do what you want with:
SHOW GRANTS OF ROLE svn_dev_admin;
created_on role granted_to grantee_name granted_by
2018-11-12 15:18:07.580 -0800 SYSADMIN ROLE ACCOUNTADMIN
2019-10-02 09:23:26.688 -0700 SYSADMIN USER XYZ ACCOUNTADMIN
2020-03-02 12:56:01.386 -0800 SYSADMIN USER ZYX ACCOUNTADMIN

The following query should give you the user list for the role specified and the role(s) under it.
-- since role_name is used in the query twice, set it as a parameter
set role_name = 'svn_dev_admin';
select GRANTEE_NAME
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
where ROLE = $role_name
and DELETED_ON is null
union
select GRANTEE_NAME
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
where ROLE IN (select NAME
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
where GRANTEE_NAME = $role_name
-- only role-to-role grants: NAME is a role name only when GRANTED_ON = 'ROLE'
and GRANTED_ON = 'ROLE'
and DELETED_ON is null)
and DELETED_ON is null;
If you want to see which users got access to the given role through a lower-level role, you can add the ROLE column to the query like the following, but it might create duplicate user names:
select ROLE, GRANTEE_NAME
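The answers above list direct grants and one level of role nesting. In Snowflake a role granted to another role passes its privileges upward, so the set of people who can actually exercise svn_dev_admin's privileges is every user holding svn_dev_admin or any role above it in the hierarchy. The following recursive query, added here as an example and not part of any of the original answers, walks that hierarchy from the ACCOUNT_USAGE views. The role name is taken from the question; the depth guard of 20 is an assumed safety limit.

```sql
-- Added example (not from the original answers). Uses SNOWFLAKE.ACCOUNT_USAGE, so it
-- needs a role with access to that share, and the views can lag the live state by hours.
set role_name = 'svn_dev_admin';   -- role name from the question

with recursive role_tree as (
    -- anchor: the role itself
    select $role_name as role_name, 0 as depth
    union all
    -- any role to which role_name (or one of its parents) is granted inherits its privileges
    select g.grantee_name, t.depth + 1
    from snowflake.account_usage.grants_to_roles g
    join role_tree t on g.name = t.role_name
    where g.granted_on = 'ROLE'
      and g.privilege  = 'USAGE'
      and g.deleted_on is null
      and t.depth < 20                    -- assumed guard against runaway recursion
)
select distinct
    u.grantee_name as user_name,
    u.role         as held_role,          -- the role that gives this user the access
    t.depth        as hops_from_role      -- 0 = holds svn_dev_admin directly
from role_tree t
join snowflake.account_usage.grants_to_users u on u.role = t.role_name
where u.deleted_on is null
order by hops_from_role, user_name;
```

Rows with hops_from_role = 0 match SHOW GRANTS OF ROLE; the others are users who reach the role's privileges through a parent role such as SYSADMIN, which is usually the list a reviewer actually wants when auditing who can act as svn_dev_admin.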

You can just query the GRANTS_TO_USERS view

Security tower wants Snowflake audit records in SIEM

Our Security group is asking for us to have Snowflake audit records ingested into our on prem SIEM by the end of the quarter. I've found the information_schema.login_history records but I'm struggling to find anything else that the SIEM might want (privilege usage, etc). Any tips on relevant views or functions would be appreciated.
Some tables can be used to understand query and login attempts by Snowflake users along with various dimensions. For details take a look at:
https://docs.snowflake.net/manuals/sql-reference/functions/login_history.html
https://docs.snowflake.net/manuals/sql-reference/functions/query_history.html
Here are some of the SNOWFLAKE ACCOUNT_USAGE schema queries that may come in handy.
Access_History and Query_History will help to find out who has been accessing the Snowflake DB and how; Query_History will show the queries executed, role, warehouse, start time, end time, etc.
Also try logging in to Snowsight to get the full lineage of a specific role.
--TO FIND THE ACTIVE USERS IN THE ACCOUNT--
SELECT FIRST_NAME,LAST_NAME,DISPLAY_NAME from "SNOWFLAKE"."ACCOUNT_USAGE"."USERS"
WHERE DELETED_ON IS NULL GROUP BY FIRST_NAME,LAST_NAME,DISPLAY_NAME
ORDER BY FIRST_NAME DESC;
--TO FIND THE ACTIVE USERS AND ROLES IN THE ACCOUNT--
SELECT ROLE,GRANTEE_NAME,GRANTED_BY FROM "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS"
WHERE DELETED_ON IS NULL
GROUP BY ROLE,GRANTEE_NAME,GRANTED_BY
ORDER BY GRANTEE_NAME DESC;
--TO FIND THE ACTIVE GRANTS ON ROLES TO OBJECTS--
SELECT PRIVILEGE,TABLE_CATALOG,GRANTEE_NAME,GRANTED_BY FROM "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES"
WHERE DELETED_ON IS NULL
GROUP BY PRIVILEGE,TABLE_CATALOG,GRANTEE_NAME,GRANTED_BY
ORDER BY TABLE_CATALOG;
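The queries above are point-in-time inventories. A SIEM usually wants event streams instead: authentication failures and privilege changes over a collection window. The two queries below, added here as an example and not from the original answers, pull both from SNOWFLAKE.ACCOUNT_USAGE. The 24-hour window and the threshold of five failures are assumed values to tune for the environment; the views lag the live account by up to a few hours, so schedule the pull accordingly.

```sql
-- Added example, not from the original answers. Needs a role that can read the
-- SNOWFLAKE share; window and threshold are assumed values.

-- 1. Failed logins per user and source IP in the last 24 hours, with first and last
--    attempt and the distinct error messages, for brute-force / credential-stuffing alerts.
select
    user_name,
    client_ip,
    count(*)                          as failed_attempts,
    min(event_timestamp)              as first_failure,
    max(event_timestamp)              as last_failure,
    array_agg(distinct error_message) as error_messages
from snowflake.account_usage.login_history
where event_timestamp >= dateadd('hour', -24, current_timestamp())
  and is_success = 'NO'
group by user_name, client_ip
having count(*) >= 5                   -- assumed alert threshold
order by failed_attempts desc;

-- 2. Privilege changes in the last 24 hours: roles granted to / revoked from users and
--    privileges granted to / revoked from roles. A populated DELETED_ON marks a revoke.
select 'ROLE_TO_USER'                              as change_kind,
       coalesce(deleted_on, created_on)            as changed_at,
       iff(deleted_on is null, 'GRANT', 'REVOKE')  as action,
       role                                        as what,
       grantee_name                                as to_whom,
       granted_by
from snowflake.account_usage.grants_to_users
where created_on >= dateadd('hour', -24, current_timestamp())
   or deleted_on >= dateadd('hour', -24, current_timestamp())
union all
select 'PRIV_TO_ROLE',
       coalesce(deleted_on, created_on),
       iff(deleted_on is null, 'GRANT', 'REVOKE'),
       privilege || ' ON ' || granted_on || ' ' || coalesce(name, ''),
       grantee_name,
       granted_by
from snowflake.account_usage.grants_to_roles
where created_on >= dateadd('hour', -24, current_timestamp())
   or deleted_on >= dateadd('hour', -24, current_timestamp())
order by changed_at desc;
```

Shipping the output of the second query as one normalized event type (change_kind, action, what, to_whom, granted_by) gives the SIEM a privilege-change feed without having to diff daily snapshots of the grants views.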

Stored Procedure security when user in more than one group (SQL Server 2016)

I have two AD groups: GROUP A and GROUP B
GROUP A contains User1, User2, User3
GROUP B contains User1
I have 3 stored procedures
SP1 GROUP A Grant Execute
SP2 GROUP A Grant Execute
SP3 GROUP A Deny Execute, GROUP B Grant Execute
SP3 doesn't run for User1, I'm guessing because the Deny from Group A overrides the Group B Grant; is this true?
How can I make this work without removing User1 from GROUP A and adding GROUP B to all SPs... or is it not possible?
The way it is currently set up, it is not possible, as the 'DENY' will always take precedence over the 'GRANT'.
You would need to create another security group called GROUP C, remove User1 from the other groups and add them to this one. You would then apply GRANT to SP1 and SP3 for Group C.
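The precedence rule and the proposed fix can be checked in a scratch database before touching the AD groups. The T-SQL below is an added example, not code from the original answer: database roles stand in for the AD groups, users created WITHOUT LOGIN stand in for the domain accounts, and HAS_PERMS_BY_NAME evaluated under EXECUTE AS reports the effective permission. All object names are assumed; the `go` lines are batch separators for SSMS or sqlcmd.

```sql
-- Added example, not from the original answer. Run in a throwaway database.
create role GroupA;
create role GroupB;
create user User1 without login;
create user User2 without login;
alter role GroupA add member User1;
alter role GroupA add member User2;
alter role GroupB add member User1;
go

create procedure dbo.SP1 as select 'sp1' as ran;
go
create procedure dbo.SP3 as select 'sp3' as ran;
go

grant execute on dbo.SP1 to GroupA;
deny  execute on dbo.SP3 to GroupA;   -- the question's setup
grant execute on dbo.SP3 to GroupB;
go

-- Effective permission for User1: the DENY inherited through GroupA wins over the
-- GRANT inherited through GroupB, so SP3 is blocked even though SP1 is allowed.
execute as user = 'User1';
select has_perms_by_name('dbo.SP1', 'OBJECT', 'EXECUTE') as user1_sp1,
       has_perms_by_name('dbo.SP3', 'OBJECT', 'EXECUTE') as user1_sp3;
revert;
go

-- The answer's fix: move User1 out of GroupA into a new GroupC that gets the grants
-- User1 still needs (SP1 and SP3). Nothing in GroupA's DENY reaches User1 any more.
create role GroupC;
alter role GroupA drop member User1;
alter role GroupC add member User1;
grant execute on dbo.SP1 to GroupC;
grant execute on dbo.SP3 to GroupC;
go

execute as user = 'User1';
select has_perms_by_name('dbo.SP1', 'OBJECT', 'EXECUTE') as user1_sp1,
       has_perms_by_name('dbo.SP3', 'OBJECT', 'EXECUTE') as user1_sp3;
revert;
go
```

The first check returns 1 for SP1 and 0 for SP3; after the GroupC change both return 1. The same pattern applies to the real AD groups: the only way around a DENY on a group is for the account not to be a member of that group.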

Database link in oracle

I have a USER1 in DATABASE1 and USER2 and USER3 in DATABASE2. I am given the credentials of USER2, from which I can select only a few tables on USER3. Now the requirement is that I have to create a database link in USER1 to query the tables in USER3. Can someone help with how to create the database link for this type of requirement?
Here's one option: in the USER2 schema, create views on the tables owned by USER3:
create view v_tab1 as select * from user3.tab1;
As USER1, create a database link to USER2:
create database link dbl_user2
connect to user2
identified by its_password
using 'database2_alias';
Now you can access USER2 objects, which includes both tables and views:
select * from tabx#dbl_user2; -- selects from USER2's table
select * from v_tab1#dbl_user2; -- selects from USER3's table, via a view owned by USER2

How to identify user account in DBA_SYS_PRIVS table in Oracle Database

I'm trying to look for all the users with certain privileges in the DBA_SYS_PRIVS table. The table has a GRANTEE column and, according to the Oracle official website, the GRANTEE column shows "Grantee name, user, or role receiving the grant". So how could I know if the GRANTEE is an account or a role? For example, there is a role called SYS and also an account called SYS in the Oracle DB. So how do I know if this is an account or a role?
Also in the table DBA_TAB_PRIVS there is a column called GRANTEE, and in this table the column GRANTEE is "Name of the user to whom access was granted". So I am really confused, because the "GRANTEE" column means different things in two different tables.
Please help, thanks
No, there is no SYS role in Oracle.
SQL> select * from dba_roles where role='SYS';
no rows selected
Actually, you can't create roles with the same name as usernames.
SQL> create role sys;
create role sys
*
ERROR at line 1:
ORA-01921: role name 'SYS' conflicts with another user or role name
To get only the roles, without usernames:
SQL> select grantee from dba_sys_privs where grantee not in (select username from all_users);
To get only the users, without roles:
SQL> select grantee from dba_sys_privs where grantee in (select username from all_users);
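The two queries above split grantees into users and non-users, but a privilege audit usually needs two more things: an explicit label for PUBLIC (which is neither a user nor a role in those views) and the set of users who end up holding a privilege through a chain of roles rather than directly. The Oracle SQL below is an added example, not from the original answer; it assumes read access to the DBA_* views and uses CREATE ANY TABLE as a placeholder privilege of interest.

```sql
-- Added example, not from the original answer. Needs SELECT on the DBA_* views
-- (SELECT_CATALOG_ROLE or SELECT ANY DICTIONARY).

-- 1. Label each DBA_SYS_PRIVS grantee as USER, ROLE or PUBLIC.
select p.grantee,
       case
         when u.username is not null then 'USER'
         when r.role     is not null then 'ROLE'
         when p.grantee = 'PUBLIC'   then 'PUBLIC'
         else 'UNKNOWN'
       end as grantee_type,
       p.privilege,
       p.admin_option
from   dba_sys_privs p
left   join dba_users u on u.username = p.grantee
left   join dba_roles r on r.role     = p.grantee
order  by grantee_type, p.grantee, p.privilege;

-- 2. Every user that effectively holds one system privilege, directly or through
--    any chain of roles, with the chain shown as a path. Recursive subquery
--    factoring needs Oracle 11gR2 or later; the anchor is cast wide so the path
--    string can grow as the recursion adds role names.
with role_paths (grantee, privilege, path) as (
  select grantee, privilege, cast(grantee as varchar2(4000))
  from   dba_sys_privs
  where  privilege = 'CREATE ANY TABLE'       -- assumed privilege of interest
  union all
  select rp.grantee, r.privilege, rp.grantee || ' <- ' || r.path
  from   dba_role_privs rp
  join   role_paths r on rp.granted_role = r.grantee
)
select distinct r.grantee as user_name, r.privilege, r.path
from   role_paths r
join   dba_users u on u.username = r.grantee
order  by user_name, path;
```

Oracle rejects circular role grants (ORA-01934), so the recursion terminates on its own. One gap to keep in mind: a grant to PUBLIC, whether of the privilege itself or of a role that carries it, applies to every account but never joins to dba_users, so check the PUBLIC rows from the first query separately.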

SQL Server : Storing Hierarchical ACL Data

I would like to implement a database containing hierarchical ACL data.
My tables
USERS: idUser,username,...
GROUPS: idGroups,name...
GROUPSENTITIES: idGroup, idChild, childType (1 for users, 2 for groups)
ROLES : idRole,name...
ROLESENTITIES: idRole, IsDeny, idChild, childType (1 for users, 2 for groups)
Every user can belong to 0 or more groups
Every group can belong to 0 or more groups
Every user and every group can belong to 0 or more roles and roles can be allowed or denied
If an explicit deny is found, role is denied
How can I store this kind of data? Is my design correct?
Is it possible to retrieve a list of users with all allowed roles?
Can you please write me a query (T-SQL based) to extract this information from the db?
thanks in advance
You can write the tables as you would expect. For instance, to get all the users in a group, when there are hierarchical groups, you would use a recursive CTE. Assume the group table is set up as:
create table groups (
    groupid int,
    member_userid int,
    member_groupid int,
    -- each row is either a user member or a group member, never both
    check (member_userid is null or member_groupid is null)
);

with usergroups as (
    -- anchor: users that are direct members of a group
    select groupid, member_userid, 1 as level
    from groups
    where member_userid is not null
    union all
    -- recursive step: a group that is a member of another group passes its users upward
    select g.groupid, ug.member_userid, ug.level + 1
    from usergroups ug join
         groups g
         on g.member_groupid = ug.groupid
)
select *
from usergroups;
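The answer shows the recursive step on a simplified table. The T-SQL below, added here as an example and not part of the original answer, uses the asker's own five tables instead (built as temp tables with constructed sample data) and finishes the job: resolve each user's groups transitively, collect every role assignment that hits the user or one of those groups, and drop any role with an explicit deny. The recursion guard of 32 levels is an assumed limit.

```sql
-- Added example, not from the original answer. Temp tables and sample rows are
-- constructed for the demo; the column layout follows the question.
create table #USERS          (idUser int primary key, username nvarchar(50));
create table #GROUPS         (idGroup int primary key, name nvarchar(50));
create table #GROUPSENTITIES (idGroup int, idChild int, childType tinyint);   -- 1 = user, 2 = group
create table #ROLES          (idRole int primary key, name nvarchar(50));
create table #ROLESENTITIES  (idRole int, IsDeny bit, idChild int, childType tinyint);

insert into #USERS  values (1, 'alice'), (2, 'bob'), (3, 'carol');
insert into #GROUPS values (10, 'staff'), (11, 'devs');
insert into #GROUPSENTITIES values
    (10, 2,  1),   -- bob is directly in staff
    (10, 11, 2),   -- devs is a member group of staff
    (11, 1,  1);   -- alice is in devs, and therefore in staff
insert into #ROLES values (100, 'reader'), (101, 'writer');
insert into #ROLESENTITIES values
    (100, 0, 10, 2),   -- reader allowed for staff
    (101, 0, 11, 2),   -- writer allowed for devs
    (101, 1, 1,  1),   -- writer explicitly denied for alice
    (100, 0, 3,  1);   -- reader allowed for carol directly

;with user_groups (idUser, idGroup, depth) as (
    -- anchor: direct user members
    select idChild, idGroup, 1
    from   #GROUPSENTITIES
    where  childType = 1
    union all
    -- a group nested in another group passes its users up to the parent
    select ug.idUser, ge.idGroup, ug.depth + 1
    from   user_groups ug
    join   #GROUPSENTITIES ge on ge.childType = 2 and ge.idChild = ug.idGroup
    where  ug.depth < 32                 -- assumed guard if groups ever form a cycle
),
principals (idUser, childType, idChild) as (
    -- every identity a role can be assigned to on behalf of this user
    select idUser, 1, idUser from #USERS
    union
    select idUser, 2, idGroup from user_groups
),
role_hits as (
    select p.idUser, re.idRole, re.IsDeny
    from   principals p
    join   #ROLESENTITIES re on re.childType = p.childType and re.idChild = p.idChild
)
select u.username, r.name as role_name
from   role_hits h
join   #USERS u on u.idUser = h.idUser
join   #ROLES r on r.idRole = h.idRole
group  by u.username, r.name
having max(cast(h.IsDeny as int)) = 0    -- one explicit deny anywhere removes the role
order  by u.username, role_name;
```

With the sample rows the result is alice: reader (inherited from staff through devs, with writer removed by her explicit deny), bob: reader, carol: reader. Because the deny check is a HAVING over all hits for the user/role pair, it behaves the same whether the deny sits on the user or on any group in the chain, which is the "explicit deny wins" rule from the question.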
