I understand that the first user of the snowflake will be an Accountadmin. But, What other roles does he have access to by default, and does only the first user of the snowflake have Accountadmin role access by default?
The default set of role that a user gets is Public. Along with this, the administrator designated user has accountadmin role assigned to it.
https://docs.snowflake.com/en/user-guide/security-access-control-configure.html
https://docs.snowflake.com/en/user-guide/admin-user-management.html
https://docs.snowflake.com/en/user-guide/admin-user-management.html#user-roles
The accountadmin role can be assigned to different users if there is a requirement for multiple admins but this should be a very careful exercise.
If you set up a new account (trial / on-demand) you get ACCOUNTADMIN and every role.
If you are on capacity plan the first user gets the four roles as described
Through design of an established account, i.e. you're a customer and an administrator in your company has set up access for you then you can set up with a default role
If you are not, and no admin has been done to assign a role to you then you get public, which (if properly designed) gives you access to nothing ;)
Related
I am trying to select the table(T1) which has different role as owner.
Then I have granted the access to DB or SCHEMA using ACCOUNTADMIN privilege still I am not able to access sample table(T1).
Then I thinking to connect any one of existing user to the role and get an access, unfortunately no user are active in that role.
Please share your suggestion/opinion for how to get an access or how to change the ownership of the table. Appreciate your help.
Thanks.
I have created some limited administrators in my Azure Active Directory. These should only be able to manage certain users. For this I added the users that should be managed to an administative unit and gave the administrators the "User Adminsitrator" role for the administrative unit. They can now edit/ manage all aspects of the users as intended. However, they cannot delete the users.
This should be possible. Here is the description of the user administrator role from Microsoft:
"Users with this role can create and manage all aspects of users and
groups. Additionally, this role includes the ability to manage support
tickets and monitors service health. Some restrictions apply. For
example, this role does not allow deleting a global administrator.
User account administrators can change passwords for users, helpdesk
administrators, and other user account administrators only".
The users in the administrative unit are of course not administrators.
If I assign the administrators the "user administrator" role for the whole AAD tenant, then they can delete users.
Here Microsoft also clearly describes that with this role you should have the right to delete users: https://learn.microsoft.com/de-de/azure/active-directory/roles/permissions-reference#user-administrator
Does anyone understand why this role does not work properly anymore if you assign it to an administrative unit?
Thanks in advance
The user administrator in a Administrative unit can manage all aspects of users and groups, and of course it also includes removing users from the Administrative unit.
However, it cannot delete the user within the scope of the tenant, because the user is created within the scope of the tenant, but the scope of the granted user administrator is limited to one or more Administrative units.
In addition, you only added the user in the Administrative unit instead of creating the user in the Administrative unit, so you definitely cannot delete the user in the tenant scope. Therefore, if you want to delete the user in the tenant scope, you can only grant the user the user administrator role within the tenant scope.
You have to be a Privileged Role Administrator or Global Administrator to add or remove administrative unit members (source).
User Administrator at the Directory level is not sufficient. Custom roles might be another option.
Creating and deleting users in the Directory is a different scope.
At first there is no authentication in mongodb, so I created one for one database with readWrite role.
Now I want to create more users for other databases but as this user doesn't have the privileges to create other users I'm stuck.
The documentation clearly says:
With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database. This user can administrate user and roles such as: create users, grant or revoke roles from users, and create or modify customs roles.
If you haven't created such user, you cannot create it now with authentication and access rights enabled. I gues you need to restart the MongoDB server without authentication enabled, create that admin user, and restart the MongoDB server again with authentication enabled.
I highly recommend you read to complete documentation how to enable authentication first to understand the complete concept, before you follow it step by step. Otherwise it might be confusing and creating such state you are currently locked in and cannot continue with all actions.
I am new to snowflake, As a DBA I got ACCOUNTADMIN access to start with. I have granted read access on information_schema.login_history and information_schema.query_history to our security application user, via a role.
The user is able to login and query above views. However, the account is not able to see all rows when query above views. Only returns login history of that user, query history of that user. I tested it from my end, switching role from ACCOUNTADMIN to the read role I have created, and I see the same thing.
Can anyone tell me what privileges I need to grant the role, so anyone using that role can see all login history?
There are two places where you can see login history -- in the Account Usage view or using the Information Schema table functions. The documentation here explains the differences.
After reviewing the differences, many customers will opt for giving non-admins access to Account_Usage views for auditing purposes. The grants needed for this are mentioned in the documentation here.
However, if you prefer giving the non-admin role access to the Information_Schema login_history table function, you may need to give a MONITOR grant on each desired user to this role as per the article here.
You need to grant monitor privileges to said role:
grant monitor usage on account to role custom;
This information can be accessed/viewed only by account administrators. To enable users who are not account administrators to access/view this information, Snowflake provides the global MONITOR USAGE privilege. Granting the MONITOR USAGE privilege to a role allows all users who are granted the role to access this historical/usage information.
In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.
Ref: https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#enabling-non-account-administrators-to-monitor-usage-and-billing-history
I'm working on improving the user experience for our org when logging into snowflake. We have adfs sso enabled and are provisioning mapping users to roles using azure ad. I had a colleague attempt to sign in with SSO who didn't have a user account created in snowflake and they were greeted with
"The signed in user <user#email.com> is not assigned to a role for the application (Snowflake)".
My question is, is it possible to have users sign into snowflake without being mapped to a default role, perhaps only have the public role assigned, and without being synced with azure ad.
If it is, i'd appreciate any pointers to documentation i can reference. The goal is to get all users that can SSO, to by default be able to login
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
By seeing the error its not allowing user who don't have appropriate role for the application.
In these why can't we create generic stored procedure to assign default role and instance to new user based on the group they belong to.! Each time if we add any new user then we have to run stored procedure to assign default role and object prior to his login to snowflake.