How to grant roles usage on security integrations Snowflake - snowflake-cloud-data-platform

I'm trying to grant usage on a security integration I have created.
GRANT USAGE ON INTEGRATION <integration_name> TO ROLE test_role;
This should be the query that would grant usage, and it runs without error ('Statement executed successfully.'). But it doesn't do anything, I can't get any details on the security integration.
DESC SECURITY INTEGRATION <integration_name>
This is what I would like to run with the test_role, but it still says 'SQL access control error: Insufficient privileges to operate on integration '<integration_name>''.
Is it just not possible to grant usage on a security integration?

As I see, only the owner of the security integration object can use DESCRIBE command on the object. You may change the ownership and test it:
USE ROLE accountadmin;
grant ownership on INTEGRATION test_integration to role test_role REVOKE CURRENT GRANTS;
USE ROLE test_role;
DESC SECURITY INTEGRATION test_integration;

Related

Ownership Privilege on a Schema Empty in Snowflake

I've got Accountadmin role on this Snowflake account. I ran show grants on schema command in snowflake and get these privileges as on the screenshot.
Ownership privilege is empty and so it doesn't let me run grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to accountadmin for the above schema to assign myself the ownership privilege.
I need to have ownership privilege to remove some tables from this schema.
Could someone suggest how to assign ownership privilege to accountadmin role for this schema?
This situation can be caused by user-initiated actions, if a grant involves system-owned entities (such as default roles), and via using the MANAGE GRANTS ON ACCOUNT privilege with custom roles.
I would suggest opening a Support Case as we'd need to review all the grant changes that occurred on that schema to understand what caused the situation in the first place, and then revert it.
That said, you should still be able to execute this statement with either ACCOUNTADMIN or SECURITYADMIN:
use role accountadmin;
grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to role accountadmin;

How to GRANT CREATE INTEGRATION to role SYSADMIN

We want to give SYSADMIN the privilege to create integrations for an automated pipeline.
We ran the following with the ACCOUNTADMIN role but got a syntax error
GRANT CREATE INTEGRATION TO ROLE SYSADMIN;
What is the correct statement for this?
Answer -
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE SYSADMIN;
You can also refer to the syntax shared in the link below for the format of granting the privileges to roles
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax

Insufficient privileges to operate on 'SYSTEM' running SHOW ORGANIZATION ACCOUNTS

I'm new to Snowflake and trying to read through all the documentation. One of the subjects was account identifiers and provided SQL to show organization accounts. When trying to execute this under the ACCOUNTADMIN role, I receive the following error.
SHOW ORGANIZATION ACCOUNTS
SQL access control error: Insufficient privileges to operate on 'SYSTEM'
If account admin is the most powerful account, what else might be happening here?
You should execute this command as an ORGADMIN. Only organization administrators (users with the ORGADMIN role) can execute this SQL command.
https://docs.snowflake.com/en/sql-reference/sql/show-organization-accounts.html#usage-notes
Enabling the ORGADMIN role
https://docs.snowflake.com/en/user-guide/organizations-gs.html#enabling-the-orgadmin-role-for-an-account
https://docs.snowflake.com/en/user-guide/organizations-gs.html#assigning-the-orgadmin-role-to-a-user-or-role
https://docs.snowflake.com/en/user-guide/organizations.html#orgadmin-role
ACCOUNTADMIN is the highest privileged role in an account, but Organisation is a level above accounts. Firstly you would need to be set up to use Organisations, and then you would need to use the ORGADMIN role to run Organisation-level queries.
Please run below statement to grant ORGADMIN role in your account. This will allow you to use Organizations feature.
use role ACCOUNTADMIN;
grant role orgadmin to user <username>;--Run with accountadmin role
Or
use role ACCOUNTADMIN;
grant role orgadmin to role <non-systemroles>;--Run with accountadmin role
Doc link: https://docs.snowflake.com/en/user-guide-organizations.html

Snowflake: SQL compilation error: Invalid object type 'INTEGRATION' to grant privileges from

I have created a security integration for external_oauth in Snowflake. I created it as an ACCOUNTADMIN. I can see the integration when I run SHOW INTEGRATIONS. I can also describe it using DESC. However, I can't GRANT USAGE ON the integration to a role and I can't GRANT OWNERSHIP to a different role. For both of these grant statements, I get the error "SQL compilation error: Invalid object type 'INTEGRATION' to grant privileges from".
I have tried running it as ACCOUNTADMIN, SYSADMIN, SECURITYADMIN. I don't understand why these two statements won't work:
GRANT OWNERSHIP ON INTEGRATION <integration name> TO ROLE SYSADMIN COPY CURRENT GRANTS;
GRANT USAGE ON INTEGRATION <integration name> TO ROLE <role name>;
the docs note:
Only account administrators (users with the ACCOUNTADMIN role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.
To own an object you have to be able to create it, I assume.
but:
USE ROLE ACCOUNTADMIN;
create security integration external_oauth_azure_1 type = external_oauth
enabled = false
external_oauth_type = azure
external_oauth_issuer = '<AZURE_AD_ISSUER>'
external_oauth_jws_keys_url = 'https::example.com'
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name';
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE SYSADMIN;
works, but still I cannot transfer ownership.
GRANT OWNERSHIP ON INTEGRATION external_oauth_azure_1 TO ROLE SYSADMIN COPY CURRENT GRANTS;
But swapping roles, I can create one now as SYSADMIN:
use role SYSADMIN;
create security integration external_oauth_azure_2 type = external_oauth
enabled = false
external_oauth_type = azure
external_oauth_issuer = '<AZURE_AD_ISSUER2>'
external_oauth_jws_keys_url = 'https::example.com'
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name';
I cannot see external_oauth_azure_1, but I can show external_oauth_azure_2.
Feels like the security model is a little incomplete, seems like a support issue to resolve might be in order.
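The pattern the last two threads converge on (the first answer: only the owner can DESCRIBE; the last post: a role holding CREATE INTEGRATION can create an integration it owns) is easier to operate if the integration is created by the role that must own it, so no ownership transfer is needed afterwards. This is an added example, not code from any of the posts above; the role names INTEG_OWNER and APP_READER, the integration name and the placeholder values are assumed.

```sql
-- Added example (not from the original posts). Assumed names: role INTEG_OWNER,
-- integration EXTERNAL_OAUTH_AZURE_DEMO, consuming role APP_READER.

-- 1. ACCOUNTADMIN delegates the account-level privilege once, rather than
--    creating objects as ACCOUNTADMIN and trying to hand them off later.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS INTEG_OWNER;
CREATE ROLE IF NOT EXISTS APP_READER;
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE INTEG_OWNER;   -- "ON ACCOUNT" is required
GRANT ROLE INTEG_OWNER TO ROLE SYSADMIN;                    -- keep the custom role in the hierarchy

-- 2. Create the object as the role that must own it. Ownership then sits with
--    INTEG_OWNER from the start, and that role can DESCRIBE it.
USE ROLE INTEG_OWNER;
CREATE SECURITY INTEGRATION EXTERNAL_OAUTH_AZURE_DEMO
  TYPE = EXTERNAL_OAUTH
  ENABLED = FALSE                                   -- leave disabled until reviewed
  EXTERNAL_OAUTH_TYPE = AZURE
  EXTERNAL_OAUTH_ISSUER = '<AZURE_AD_ISSUER>'        -- placeholder, as on the page
  EXTERNAL_OAUTH_JWS_KEYS_URL = '<JWKS_URL>'         -- placeholder
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
DESC SECURITY INTEGRATION EXTERNAL_OAUTH_AZURE_DEMO;        -- works: INTEG_OWNER is the owner

-- 3. The consuming role gets USAGE only; ownership (and with it DESCRIBE) stays put.
GRANT USAGE ON INTEGRATION EXTERNAL_OAUTH_AZURE_DEMO TO ROLE APP_READER;

-- 4. Verify who owns and who may use the object before enabling it.
SHOW GRANTS ON INTEGRATION EXTERNAL_OAUTH_AZURE_DEMO;      -- expect OWNERSHIP -> INTEG_OWNER, USAGE -> APP_READER
SHOW GRANTS TO ROLE INTEG_OWNER;
```

If an integration was already created by ACCOUNTADMIN and, as in the thread above, the ownership grant is refused, recreating it from the intended owner role (as external_oauth_azure_2 was) avoids the transfer entirely.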

How can I grant "CREATE DATABASE" permissions to a role in Snowflake

I'm trying to create a Role hierarchy in Snowflake with a "top level" role which will be used for my helpdesk support team to manage users and resources within Snowflake. But this role cannot have access to any stored data due to compliance restrictions.
For user management, I've just granted SECURITYADMIN to the role and it seems to work pretty well. But for databases I would like to avoid using SYSADMIN as I would be inheriting the ability to view everything in the databases. So I've come up with a hierarchy that I think makes sense, which is basically the following with some added project roles:
ACCOUNTADMIN >--- HELPDESK (create/drop db then hand off to OU_MANAGER)
- OU_MANAGER (create/drop schema/tables and assign grants within the OU) > OU_MEMBER (usage on resources in db)
What I would like to do is create the databases with my HELPDESK role, then grant all on that db to the management role for the organizational unit and hand it off to them.
I'm not sure if this is possible in Snowflake, or if I just have my syntax wrong. But I get an error when I try to run a basic grant create database to role helpdesk, and I can't find anything definitive in the docs about granting this kind of access.
use role accountadmin;
grant create database on account to role helpdesk;
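A concrete version of the HELPDESK / OU_MANAGER / OU_MEMBER hand-off described above, written as an added example rather than the poster's own setup; the role names OU_FINANCE_MANAGER and OU_FINANCE_MEMBER and the database FINANCE_DB are assumed. The point of the ordering is that HELPDESK never inherits the OU roles, so it can create containers without being able to read what goes into them.

```sql
-- Added example (not from the original post). Assumed names: roles HELPDESK,
-- OU_FINANCE_MANAGER, OU_FINANCE_MEMBER and database FINANCE_DB.

-- 1. Account-level privilege for the helpdesk role.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS HELPDESK;
CREATE ROLE IF NOT EXISTS OU_FINANCE_MANAGER;
CREATE ROLE IF NOT EXISTS OU_FINANCE_MEMBER;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE HELPDESK;
-- Deliberately NOT granting OU_FINANCE_MANAGER to HELPDESK: that inheritance is
-- exactly what would give the helpdesk access to the data.
GRANT ROLE OU_FINANCE_MEMBER TO ROLE OU_FINANCE_MANAGER;
GRANT ROLE OU_FINANCE_MANAGER TO ROLE SYSADMIN;   -- keep OU roles under SYSADMIN so they are not orphaned

-- 2. HELPDESK creates the database and immediately hands ownership to the OU manager.
--    Transferring the database does not transfer its schemas (the PUBLIC schema is
--    still owned by the creator), so move those explicitly as well.
USE ROLE HELPDESK;
CREATE DATABASE FINANCE_DB;
GRANT OWNERSHIP ON ALL SCHEMAS IN DATABASE FINANCE_DB TO ROLE OU_FINANCE_MANAGER REVOKE CURRENT GRANTS;
GRANT OWNERSHIP ON DATABASE FINANCE_DB TO ROLE OU_FINANCE_MANAGER REVOKE CURRENT GRANTS;

-- 3. The OU manager owns the container and delegates only USAGE downward.
USE ROLE OU_FINANCE_MANAGER;
GRANT USAGE ON DATABASE FINANCE_DB TO ROLE OU_FINANCE_MEMBER;
GRANT USAGE ON SCHEMA FINANCE_DB.PUBLIC TO ROLE OU_FINANCE_MEMBER;

-- 4. Verify that HELPDESK retains nothing on the database after the hand-off.
SHOW GRANTS ON DATABASE FINANCE_DB;     -- expect OWNERSHIP -> OU_FINANCE_MANAGER, USAGE -> OU_FINANCE_MEMBER
SHOW GRANTS TO ROLE HELPDESK;           -- expect only CREATE DATABASE ON ACCOUNT
```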
