I am looking for your suggestions on Snowflake Role based Access control hierarchy which I created for a Snowflake data warehousing project.
Basically, we need to maintain different client data with different databases. This database creation process is automated with a script including create databases(DEV, QA and PROD), roles etc.. for a specific client. Here I have created a hierarchy with 3 different default roles for a database.
ADMIN_{ENV}_{CLIENT_ID}
READ_WRITE_{ENV}_{CLIENT_ID}
READ_{ENV}_{CLIENT_ID}
Then I created a set of roles which have access to all databases like..
ADMIN_{ENV}_ALL
READ_WRITE_{ENV}_ALL
READ_{ENV}_ALL
Hope below image illustrates that..
My questions are:
Is this right approach to continue?
When creating database objects, which role should I use? SYSADMIN? For example: for creating database objects in CLIENT_1_DEV_DB database, should I use ADMIN_DEV_CLIENT_1 role or SYSADMIN?
ADMIN_DEV_CLIENT_1 role should be able to create new users and grant the privileges. In that case should I use USERADMIN or SECURITYADMIN? Are there any methods to restrict that to database level?
There is a use case to clone a schema in a database if any issue occurred. In that case How to manage the grants? When we clone a schema, the roles are not retained to the cloned schema. In that case what is the best approach to copy the grants. having another role with MANAGE GRANTS privileges and use that?
Hope you suggestions on these. Thanks
A couple of RBAC approaches articles to help you fine-tune yours:
https://servian.dev/snowflake-role-based-access-control-simplified-41a3ddf34729
https://medium.com/snowflake/a-functional-approach-for-snowflakes-role-based-access-controls-5f0e84e80146
https://www.analytics.today/blog/introducing-snowflake-rbac
Related
With the ability to allow secondary roles, is it a good practice to separate roles with 'usage' permissions on data warehouse compute from other roles which provide access to databases, schemas. tables? As example, I create a role called 'USE_DEV_DW". This role is granted usage to the DEV data warehouse compute. In parallel, I create a role that has usage on a specific set of databases and schemas. I then grant both roles to a user so that they can query the provided database tables using the separately provided compute (data warehouse). This way I can control what compute users have access to separate from what objects they can query. I don't see this being possible without the ability to provide for secondary roles? Looking to see if others have done something like this.
Even though there is no guidelines from Snowflake how to create the roles, the way you described makes sense.
When you have two layers of roles, let's call them database and functional,
it will be easier to create role hierarchies and assign them to users.
For illustration purposes assuming you have DEVELOPERS and ANALYSTS as your groups and you have SALES and PRODUCTS databases
You can create your roles and role hierarchies like this
Database Roles
R_DB_SALES_READ_WRITE
R_DB_SALES_READ
R_DB_PRODUCTS_READ_WRITE
R_DB_PRODUCTS_READ
Functional Roles
R_DEVELOPER
R_ANALYSTS
Role Hiercharchy
R_DEVELOPER
R_DB_SALES_READ_WRITE
R_DB_PRODUCTS_READ_WRITE
R_ANALYSTS
R_DB_SALES_READ
R_DB_PRODUCTS_READ
With this you only need to assign functional roles to users
I need to structure the roles in snowflake and need advise for it.
Currently, there are two databases: basedb and computedb. basedb is the database where we load the data and the data is not transformed. more like a landing zone.
computedb is where the transformation happens and there are dozens of functional teams and each would have a schema like content team has content schema and there could a schema which can be shared across multiple teams.
all the teams/ schema inside computedb can read from basedb but there are teams that are reading from transform schema of other teams and that is where I need assistance.
all custom roles are under sysadmin and we have a read and write role per schema.
Now analytics schema wants to read from sales and marketing schema as well.
should just give the read access of sales and marketing to analytics? like shown in picture (issue is that the teams might need to access more schemas in future from other schemas in transform)
or should we create a new role for all the schema in computedb which needs access to other schemas of computedb?
Open to more suggestions.
A role hierarchy is the easiest to build and maintain, whilst giving you flexibility.
Create role(s) that give you the required access to each schema.
Create a role for each team and assign to it the appropriate roles to give them access to the schemas they need
I would like to give access to a role and it should be able to create schemas, create tables, Materialized views ..etc. He should be able to do everything related to the database.
How to achieve this?
Thanks,
Xi
Two options:
Make the role the owner of the database
Grant the role the specific permissions you want it to have
I am trying to share my Snowflake Database(default metadata)--> Account_Usage schema --> Query_History table to another managed account (i.e. reader account) but the data is not visible in another account.
is there any way to share the snowflake database without duplicating the data?
I am getting error as Already Imported Database (i.e) SNowflake cannot be shared for Datashare option.
for a Managed account for usage, I Snowflake database and schemas are available but are not able to see the data which is available.
According to the documentation you can't re-share any database that is shared with you:
Shared databases and all the objects in the database cannot be forwarded (i.e. re-shared with other accounts).
Since the Snowflake database is one that is shared to you from Snowflake, this is probably why you're having issues.
If you need to do this your best bet is to create a table and populate it with the data you need from the Snowflake database and share that table instead. Although it is strange that you'd want to share this info with another account.
Your other option would be to create database/schema in your account with views over the account usage data that you want to share, create a role that can access only that, and then provide a user login with that role only to the group needing to do analytics on your data.
Now I can use beeline to create role and user, every user have his/her own database using admin role to grant, but I need to create a new database that all users can create tables in the public database, how to create database like that?
Users can not create tables in other databases and can only create tables under their own databases.
You need an authorization provider that supports Hive. Apache Sentry is a popular one.
You will need to create a Sentry role that allows access to certain databases only.
Then assign a (Linux) group to that role.
Any user in above group will get access privileges to certain databases only (because of step 1.)