Please help me with the query to find the warehouses that are allowed to use for a specific user/role in snowflakes(or) for all the users and roles in snowflakes instance.
As an example metadata query to see which roles are granted access to a warehouse:
use role securityadmin;
show grants on warehouse warehouse_name;
Replace warehouse_name with the name of your warehouse and use whatever role you prefer as long as it has visibility into the warehouse.
Then you can execute this command if you'd like to see which users have a certain role:
show grants of role role_name;
Doc References:
https://docs.snowflake.com/en/sql-reference/sql/show-grants.html
https://docs.snowflake.com/en/user-guide/security-access-control-overview.html
Related
I need information within Snowflake which captures "Role to Privilege mapping".
Example :: If I am an user "USER_01" & I have the role as "ANALYST", then this "ANALYST" role has access to which all the objects (database/schema/table/etc..) in Snowflake account I would need that information.
Any pointers like queries/metadata tables/etc.. would help as there has to be some metadata tables which would keep this role to privilege mapping.
For e.g., queries like :
show grants to user USER_01
--> This gives what role has been assigned to this user. But this do not convey any information regarding what all privileges has been given to that role. Like if this role has got below access:
grant usage on database DB_01 to role analyst;
grant all privileges on schema schema_01 to role analyst;
grant all privileges on all tables in schema schema_01 to role analyst;
SHOW GRANTS:
SHOW GRANTS TO ROLE <role_name>
Key point: Access Control Framework
Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users.
Access priviliges are not assigned directly to users.
If you want to list all the privileges given to a user, you may use the stored procedure described in this KB article:
https://community.snowflake.com/s/article/How-to-Capture-Snowflake-Users-Roles-and-Grants-Into-a-Table
I want to create a role on snowflake limited only to one database and one schema and give there a read access on all tables.
I create a role, grant:
grant usage on database1,
grant usage on database1.schema1,
grat select on all tables in database1.schema1,
and I grant usage and operate on one warehouse1.
However, additionally to this I am seeing also other databases and other schemas with this role, despite no grants were added, also there is additional warehouse to warehouse1.
How I can limit access with this role and not see something that appear as default
'databases' even for roles with no grants?
Regards
P
You will be able to find out what the role can and cannot do.
Check the which users and/or roles are granted the privilege of the role:
show grants of role ;
Then check what privileges were given to the role:
show grants to role ;
All the users are granted the PUBLIC role. Hence, never grant any privileges to the PUBLIC role, as this simply means giving the whole world access to a database, schema and tables/views etc.
I would like a new role which can query snowflake account usage. Currently only Account Admin have this privilege and don’t want to assign Account Admin for required users.
The IMPORTED PRIVILEGES grant would allow a non-admin role access to the SNOWFLAKE.ACCOUNT_USAGE schemas (docs). There is also a MONITOR USAGE global grant which allows similar billing and usage monitoring but through information_schema functions instead. See the documentation here -- particularly the table is helpful to explain the differences between these two options.
These are some of the more common built-in grant options for a billing-monitoring role, but if you need a more custom solution, you can always create some custom SQL (perhaps stored procedure and task for maintenance) that copies only the desired admin results from ACCOUNT_USAGE to a custom table/view. Then you can grant access to that custom object to your non-admins.
I am new to snowflake, As a DBA I got ACCOUNTADMIN access to start with. I have granted read access on information_schema.login_history and information_schema.query_history to our security application user, via a role.
The user is able to login and query above views. However, the account is not able to see all rows when query above views. Only returns login history of that user, query history of that user. I tested it from my end, switching role from ACCOUNTADMIN to the read role I have created, and I see the same thing.
Can anyone tell me what privileges I need to grant the role, so anyone using that role can see all login history?
There are two places where you can see login history -- in the Account Usage view or using the Information Schema table functions. The documentation here explains the differences.
After reviewing the differences, many customers will opt for giving non-admins access to Account_Usage views for auditing purposes. The grants needed for this are mentioned in the documentation here.
However, if you prefer giving the non-admin role access to the Information_Schema login_history table function, you may need to give a MONITOR grant on each desired user to this role as per the article here.
You need to grant monitor privileges to said role:
grant monitor usage on account to role custom;
This information can be accessed/viewed only by account administrators. To enable users who are not account administrators to access/view this information, Snowflake provides the global MONITOR USAGE privilege. Granting the MONITOR USAGE privilege to a role allows all users who are granted the role to access this historical/usage information.
In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.
Ref: https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#enabling-non-account-administrators-to-monitor-usage-and-billing-history
Could you please help me query, which can tell me which role has which tables access. E.g. Role Sales has access to t1, t2 and Role Analyst has access to t2. Thank you
You can check which roles have access to a certain table by running SHOW GRANTS.
Examples:
List all privileges of a role: SHOW GRANTS TO yourRole;
List all privileges on an object: SHOW GRANTS ON TABLE myTable;
More info and other variations can be found here: https://docs.snowflake.com/en/sql-reference/sql/show-grants.html
On top of that you may query the information schema view TABLE_PRIVILEGES to see more information: https://docs.snowflake.com/en/sql-reference/info-schema/table_privileges.html
Note here: You only see objects here for which the current role of your session has access privileges.