Snowflake role creation with minimum privileges - snowflake-cloud-data-platform

How do I create a role in Snowflake without any privileges, or with minimum privileges?
I tried to create a role with the parent role SECURITYADMIN.
When I assign this role to a user, I am able to see the databases of the parent role as well.
After I created the role with the parent role PUBLIC, I am still able to see databases.
What should I do so that a created role does not have access to anything unless I grant it?

When you create a role, it does not come with any privileges. The role can only access the objects granted to role PUBLIC:
use role accountadmin;
create role testing_role;
grant role testing_role to user gokhan;
use role testing_role;
show databases;
SAMPLE_DATA ...
show grants to role testing_role;
The last command will return zero rows. Are you sure you switched to the role when checking databases? Also note that the UI has separate roles for worksheets and the tabs:
https://docs.snowflake.com/en/user-guide/ui-worksheet.html#overview-of-features
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html

When you CREATE ROLE, it's an independent object and does not come with any privileges:
use role accountadmin;
create role empty_role;
show grants to role empty_role;
The last command does not return anything even if it is created by the accountadmin role.
grant role empty_role to user gokhan;
use role empty_role;
show databases;
As the new role has no additional access, the last command shows the databases to which the PUBLIC role has access. I hope this explains why you see some databases when you switch to your new role.

Snowflake - Give full access on database to role; revoke access on specific schemas to user that is part of the role

Is there a way to do this?
There is an admin role which is the owner of the database, schema and all other objects.
There is a tester role with only read/write permissions on one schema of the database.
The tester role needs to be a part of the admin role for that one specific schema (so that any new objects created will be owned by the admin role).
I have to revoke the tester role users' access on all other schemas in the database.
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete on all tables in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to role testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this: the testerrole needs to be able to create objects in DEVSCHM, but ownership of the objects should still be held by adminrole.
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role.
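One way to set this up, as an added example that is not part of the original answer. It uses the names from the question (DEMODB, DEVSCHM, PRDSCHM, QASSCHM, adminrole, testerrole) and relies on Snowflake future grants on the schema, so the tester never needs membership in adminrole and no per-user revoke is required:

```sql
-- Added example (not from the original post). Names come from the question.
use role securityadmin;

-- testerrole gets only what it needs in DEVSCHM. PRDSCHM and QASSCHM are
-- never granted, so there is nothing to revoke from individual users
-- (privileges live on roles, not users, which is why the revoke failed).
grant usage on database DEMODB to role testerrole;
grant usage on schema DEMODB.DEVSCHM to role testerrole;
grant create table, create view on schema DEMODB.DEVSCHM to role testerrole;
grant select, insert, update, delete on all tables in schema DEMODB.DEVSCHM to role testerrole;
grant select, insert, update, delete on future tables in schema DEMODB.DEVSCHM to role testerrole;

-- Objects created in DEVSCHM are handed to adminrole at creation time.
grant ownership on future tables in schema DEMODB.DEVSCHM to role adminrole;
grant ownership on future views  in schema DEMODB.DEVSCHM to role adminrole;

-- Do NOT run "grant role adminrole to role testerrole": the role hierarchy
-- would give testerrole every privilege adminrole holds, other schemas included.

-- Check the result from the tester's side.
use role testerrole;
create table DEMODB.DEVSCHM.t1 (id int);
show grants on table DEMODB.DEVSCHM.t1;   -- OWNERSHIP row names ADMINROLE
show schemas in database DEMODB;          -- only DEVSCHM (and INFORMATION_SCHEMA) listed
```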

Why does a newly created Snowflake role have access to all existing databases?

I used the following statements:
USE ROLE SECURITYADMIN;
CREATE ROLE TEST_ROLE;
CREATE USER TEST_USER PASSWORD='PASSWORD', DEFAULT_ROLE='TEST_ROLE', DEFAULT_WAREHOUSE='MY_WH';
GRANT ROLE TEST_ROLE TO TEST_USER;
When I login with the TEST_USER, the user has access to all existing databases/schemas/tables/views. How come?
This is expected behaviour if the PUBLIC role was granted access to all your database objects.
By default, all users belong to the PUBLIC role.
You may check the privileges of the TEST_ROLE with this grant statement, which lists all privileges and roles granted to the role:
show grants to role TEST_ROLE;
and lists all users and roles to which the role has been granted:
show grants of role TEST_ROLE;
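The three answers above all come down to the same thing: a new role is empty, but every user also holds PUBLIC. The following added example (not from any of the original answers) shows how to audit what PUBLIC can reach and move that access onto a role that must be granted explicitly. The database name SAMPLE_DATA is taken from the first answer's output; the role name sample_data_reader is an assumption.

```sql
-- Added example (not from the original posts).
use role securityadmin;   -- holds MANAGE GRANTS, so it can revoke PUBLIC's grants

-- 1. What can every user reach through PUBLIC?
show grants to role public;
select "privilege", "granted_on", "name", "granted_by"
from table(result_scan(last_query_id()))
where "granted_on" in ('DATABASE', 'SCHEMA', 'TABLE', 'VIEW');

-- 2. Move the access to a role that has to be granted on purpose.
create role if not exists sample_data_reader;   -- assumed role name
grant usage on database SAMPLE_DATA to role sample_data_reader;
grant usage on all schemas in database SAMPLE_DATA to role sample_data_reader;
grant select on all tables in database SAMPLE_DATA to role sample_data_reader;
revoke usage on database SAMPLE_DATA from role public;

-- 3. Verify with a brand-new role: it now sees only what it is granted.
create role if not exists empty_role;
grant role empty_role to user gokhan;    -- user name from the first answer
use role empty_role;
show databases;                           -- SAMPLE_DATA is no longer listed
show grants to role empty_role;           -- still zero rows
```

Repeat step 1 after every change: anything still listed under PUBLIC is visible to every user in the account, whatever role they switch to.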

Snowflake :: Role to Privilege mapping information

I need information within Snowflake which captures the "role to privilege mapping".
Example: if I am a user "USER_01" and I have the role "ANALYST", I need to know which objects (database/schema/table/etc.) in the Snowflake account this "ANALYST" role has access to.
Any pointers such as queries/metadata tables/etc. would help, as there has to be some metadata table which keeps this role to privilege mapping.
For example, queries like:
show grants to user USER_01
--> This gives the roles assigned to this user, but it does not convey any information about which privileges have been given to that role, e.g. if this role has been given the access below:
grant usage on database DB_01 to role analyst;
grant all privileges on schema schema_01 to role analyst;
grant all privileges on all tables in schema schema_01 to role analyst;
SHOW GRANTS:
SHOW GRANTS TO ROLE <role_name>
Key point: Access Control Framework
Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users.
Access privileges are not assigned directly to users.
If you want to list all the privileges given to a user, you may use the stored procedure described in this KB article:
https://community.snowflake.com/s/article/How-to-Capture-Snowflake-Users-Roles-and-Grants-Into-a-Table
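Besides SHOW GRANTS (one role at a time) and the KB stored procedure, the mapping can be queried directly. The following added example (not from the original answer) resolves the effective privileges of USER_01 through the whole role hierarchy with the SNOWFLAKE.ACCOUNT_USAGE views; it assumes the querying role can read those views (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database), and note that ACCOUNT_USAGE lags live grants by up to about two hours.

```sql
-- Added example (not from the original post). User name taken from the question.
use role accountadmin;

with recursive
-- roles granted directly to the user, plus PUBLIC, which every user holds
direct_roles as (
    select role as role_name
    from snowflake.account_usage.grants_to_users
    where grantee_name = 'USER_01' and deleted_on is null
    union
    select 'PUBLIC'
),
-- walk down the hierarchy: a role-to-role grant is recorded as USAGE on a ROLE
role_tree as (
    select role_name, 0 as depth from direct_roles
    union all
    select g.name, t.depth + 1
    from snowflake.account_usage.grants_to_roles g
    join role_tree t on g.grantee_name = t.role_name
    where g.granted_on = 'ROLE' and g.privilege = 'USAGE'
      and g.deleted_on is null and t.depth < 20     -- depth guard
)
select distinct
       t.role_name,
       g.privilege,
       g.granted_on,
       nvl(g.table_catalog || '.', '') || nvl(g.table_schema || '.', '') || g.name as object_name,
       g.grant_option
from role_tree t
join snowflake.account_usage.grants_to_roles g
  on g.grantee_name = t.role_name
 and g.granted_to = 'ROLE'
 and g.deleted_on is null
where g.granted_on <> 'ROLE'          -- object privileges only; hierarchy handled above
order by t.role_name, g.granted_on, object_name;
```

Each output row is one privilege USER_01 can exercise and the role that carries it, which is the "role to privilege mapping" the question asks for.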

How to allow sysadmin to create role?

SYSADMIN role cannot create roles at the moment or at least that's what I learned from the docs. Does anyone know how to allow SYSADMIN to create roles?
You can grant the CREATE ROLE privilege to a role. Why not create a custom role that meets your needs instead of manipulating a system-defined role? https://docs.snowflake.net/manuals/user-guide/security-access-control-privileges.html#global-privileges
Only roles which inherit the privileges of the SECURITYADMIN role will be able to create users. From the docs:
The security administrator (SECURITYADMIN) role includes the privileges to create and manage users and roles
This means you should be able to add the SYSADMIN role as a member of the SECURITYADMIN role and you'll be able to manage users and roles with SYSADMIN.
As SuzyLockwood has mentioned, though, you should probably create a separate role to manage these objects.