I am orgadmin for my organization and wanted to create new user for one of the snowflake account. In primary URL i can create new user and role but how can be created for another account under organization umbrella?
Find the URL for the account you want to create the user.
Once you log in, you have to create the user in that account.
Related
I'm trying to set up Identity Server in a multi-tenancy environment but I'm struggling to get the ClientCredentials Grant Type and how I can audit record changes.
If I use the code flow grant type I obviously have a user & roles. I can then create an authorization policy based on the roles and the user. i.e. must be an authenticated user and have role "x".
As I have user data (and tenant data), I can then update my records with which user updated the record. e.g. Customer Bob was updated by user 999.
But how is this possible with an m2m account which I understand should use client credentials?
So Customer Bob is updated by the m2m account but who/what do I say updated the record? I understand that an m2m account doesn't have a user but something has still updated the customer record. I hope that makes sense.
can anyone explain the complete process to create a snowflake organization account and the way to attach/detach account from it? I looked into the snowflake console as well as in documentation but have not gotten clarity
You should submit a ticket to Snowflake Support to enable organization on one of your accounts. This will create the ORGADMIN role in the account. Then you can grant this role to one of your users. The user which has the ORGADMIN role can access the Organization page. From the organization page, you can see your existing accounts, and create new accounts. When you create a new account, it will be in your organization automatically.
If you have an account which you can't see on the organization page, that means the account was created in another organization. In this case, you need to submit a ticket to Snowflake Support and ask them to move your account to your organization.
Normally, it's expected that each customer should have one organization, but if you have multiple organizations, you can also ask Snowflake Support to move your account from one organization to antother (that's how you would detach). If you want to drop an account, you should also contact Snowflake Support, it can't be done through the organization page.
I am using Azure SQL database with sharding (single tenant approach). So, when the application connects to DB it goes into Shard and creates a proper connection to the tenant's DB (tenant is identified by login name).
However, we've been using a server admin credentials for that on a development stage.
Now, I'd like to create a separate application user with much more limited permissions compared to server admin.
In a very general case, what I want is to have a user that can connect to the Shard Map and figure out a connection string to any of the Shards, but have different permissions for each of the shards. For example, some application user may need to be able to connect to DB_1 with full read-write permissions, to DB_2 with read-only permissions and no permissions to connect to DB_3.
In a simpler case I just need a user that doesn't have any update permissions to ShardMap and other internal databases, but has a normal read/write/execute access to all tenant databases(shards).
I was googling around and din't find any good recipe how to do that, what are the best practices, etc.
I'd appreciate if someone could answer me or point to a docs.
Thank yuo!
In each database create a role for the Application Users, and grant the minimal permissions needed for the application to run. Granting permissions on the Schema level is a good choice here, as you don't have to manage object-level permissions.
create role ApplicationUsers;
grant select, insert, update, delete, execute on schema::dbo to ApplicationUsers;
Then if you want a single identity to access all the databases, create a login with a password. Then in each Tenant database create a user mapped to that login.
--create a server-level Login
create login AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
--add a user mapped to that login in each database
create user AppUser for login AppUser;
alter role ApplicationUsres add member AppUser;
Or create a user in each database with a different password or a database user mapped to an Azure Active Directory identity.
create user AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
alter role ApplicationUsers add member AppUser;
or
create user [tenant123user#mydomain.onmicrosoft.com] from external provider;
alter role ApplicationUsers add member [tenant123user#mydomain.onmicrosoft.com];
I want to create new user using admin user, however, get error doesn't have permission which probably no sysadmin roles due limitation from aws
so is there another way to create new user using my admin user?
Your account should be in securityadmin group. When you want to create new user.
For my application I decided that every user that is created via application and that is added to the database table Users is automatically added as a server login and database User. I figured out that it would help me keep track of logs allow me to and use Sql password policies (like password expiration).
I can insert a row into Users table with no problem and login, user and schema is added to the server/database via trigger. When I log in as a created user, I can then select, modify, delete data and create additional logins/users.
I decided to use Application role to allow all the users to have the same permissions. It works okay, but using Application role I cannot add new logins/users, I cannot reset or change their passwords either. Sql displays
User does not have permission to perform this action.
When I create new connection and not set application role, all users can create new users/logins etc.
As I'm new to Sql security, how do I grant those permissions not to users, but to the application role?
I would be very grateful for your help.