I am switching my Snowflake roles in my account console but, in my worksheet context, the role doesn't automatically reflect. Do I need to change this in both the places all the time?
Let's say you switch your role from A to B in the upper right corner and you want to execute the query with role B. In this case you also have to switch the role in the worksheet to B.
The role on your worksheet-level "overwrites" the role in your upper right corner.
You can change the role on the worksheet-level by using the GUI or executing USE ROLE xy;.
The role mentioned under your username on the top right-hand corner is for the option available to the left of the same console. This is totally independent of the role selected in each worksheet.
For example, with the ACCOUNTADMIN role you would be able to see an additional option like Account, which will not be available with the PUBLIC role. You can try to switch between the roles.
The role selected in the worksheet defines your access privileges on the database objects. The SQL statements executed are evaluated with the worksheet role.
You can use user properties such as DEFAULT_ROLE, DEFAULT_WAREHOUSE & DEFAULT_NAMESPACE (db & schema). Details here
This will help to get your user context set with the defaults on every new worksheet created.
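As an added example (not from the answers above), here is how those user defaults are set with ALTER USER and then checked from a worksheet; MY_USER, ANALYST_ROLE, ANALYST_WH and ANALYTICS.PUBLIC are placeholder names.

```sql
-- Added example: set the defaults the answer refers to for one user.
-- MY_USER, ANALYST_ROLE, ANALYST_WH and ANALYTICS.PUBLIC are placeholders.
-- The role must already be granted to the user, otherwise DEFAULT_ROLE is
-- ignored at login and the session falls back to PUBLIC.
GRANT ROLE ANALYST_ROLE TO USER MY_USER;

ALTER USER MY_USER SET
    DEFAULT_ROLE      = ANALYST_ROLE,
    DEFAULT_WAREHOUSE = ANALYST_WH,
    DEFAULT_NAMESPACE = ANALYTICS.PUBLIC;

-- Confirm the stored defaults.
DESCRIBE USER MY_USER;

-- In a worksheet opened after the change, the context should now match;
-- statements are evaluated with whatever CURRENT_ROLE() returns here.
SELECT CURRENT_ROLE(), CURRENT_WAREHOUSE(), CURRENT_DATABASE(), CURRENT_SCHEMA();

-- Switching the role inside the worksheet still overrides the default,
-- independently of the role shown in the account console.
USE ROLE PUBLIC;
SELECT CURRENT_ROLE();
```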
Related
Need some inputs on RBAC governance.
Scenario:
There is a role in QA READ_ROLE_QA and that has access to 2 schemas ie.,
schema_etl & schema_load
Now under schema_etl if any objects are getting created, i.e., tables & views, then by default whoever has access to the role "READ_ROLE_QA" is able to see those objects.
But if any object gets created under schema "schema_load" then all users who have access to the role "READ_ROLE_QA" are not able to even see those objects.
What inputs are needed:
How to ensure what access needs to be given to the role "READ_ROLE_QA" so that any object which gets created under schema "schema_load", by default are visible to the users having role "READ_ROLE_QA".
Currently "USAGE" privileges are there to the role "READ_ROLE_QA" for the schema "schema_load".
Appreciate any help inputs on this request.
Please check out FUTURE GRANTS in Snowflake: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#future-grants-on-database-or-schema-objects
The following statement gives the role READ_ROLE_QA access to all future created tables in your schema schema_load. (Other privileges like USAGE are already given.)
grant select on future tables in schema <database>.schema_load to role READ_ROLE_QA;
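As an added example (not part of the answer above), the full set of grants so that READ_ROLE_QA can see and read everything in schema_load, existing objects included; QA_DB is a placeholder for the database name.

```sql
-- Added example: complete read access for READ_ROLE_QA on schema_load.
-- QA_DB is a placeholder database name. Run as a role that owns the schema
-- or holds MANAGE GRANTS (e.g. SECURITYADMIN).
USE ROLE SECURITYADMIN;

-- Navigation privileges (the question says USAGE on the schema already exists).
GRANT USAGE ON DATABASE QA_DB TO ROLE READ_ROLE_QA;
GRANT USAGE ON SCHEMA QA_DB.schema_load TO ROLE READ_ROLE_QA;

-- Future grants do NOT cover objects that already exist, so grant those first.
GRANT SELECT ON ALL TABLES IN SCHEMA QA_DB.schema_load TO ROLE READ_ROLE_QA;
GRANT SELECT ON ALL VIEWS  IN SCHEMA QA_DB.schema_load TO ROLE READ_ROLE_QA;

-- Objects created from now on (tables and views are separate object types).
GRANT SELECT ON FUTURE TABLES IN SCHEMA QA_DB.schema_load TO ROLE READ_ROLE_QA;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA QA_DB.schema_load TO ROLE READ_ROLE_QA;

-- Verify what is in place.
SHOW FUTURE GRANTS IN SCHEMA QA_DB.schema_load;
SHOW GRANTS TO ROLE READ_ROLE_QA;
```

Caveat: if future grants for the same object type also exist at the database level, the schema-level future grants take precedence and the database-level ones are ignored for that schema, so check both levels when a new object is unexpectedly invisible.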
Creating a read-only user in pgAdmin 4 is a little tricky.
Here is a guide on how I did it.
First of all a few words about the process.
The whole process is based on editing a schema (very simple and safe) for your DB, so this creates limitations for using the method for all the DBs you have unless you edit schemas for each DB (again, it is easy).
First, we have to open a main dialogue, select the target DB you need the read-only user for -> Schemas -> right mouse click on "public" schema -> Properties.
In the opened window go to "Default privileges" and click the "+" in the right corner.
In the "Grantee" column enter: "pg_read_all_data",
in "Privileges" column click on the field and you will see options. Enable only "Select".
On the rest of the tabs (Sequences, Functions, Types) you can do the same (Select or Usage).
Hit "Save".
In the left sidebar scroll down and find "Login/Group Roles". Click right button -> Create -> Login/Group Role.
OR if you have an existing user role you want to make read-only, click the right button on it and select "Properties".
In the opened window enter the name of the user, on the "Definition" tab enter a password, on the "Privileges" tab select "Can login" and "Inherit rights from the parent roles?"
In the "Membership" tab hit "+" in the "Member of" table and type "pg_read_all_data" into the "User/Role" column.
In the "Parameters" tab hit "+".
Select "role" in the "Name" column's dropdown,
type "pg_read_all_data" in the "Value" column.
In the "Database" column select the desired DB (where you have edited the schema in the previous steps).
Note, you can add more rows with the same settings for different databases (of course, if those DBs have edited schemas as shown above).
Click "Save".
Now you can log into your PhpPgAdmin (or psql or wherever you need) under this user and do only selects. A real read-only user role.
I hope it will help someone.
I don't have enough reputation to comment on your very helpful post, but wanted to add that the public schema by default gives full access to the PUBLIC role (implicit role that all users belong to).
So you would first need to revoke this access.
This can be done in pgAdmin in the Security tab of the schema properties dialog, or with the SQL command
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
See also:
Issue creating read-only user in PostgreSQL that results in user with greater permission with public schema
PostgreSQL - Who or what is the "PUBLIC" role?
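As an added example (not from the post or the comment above), the same read-only setup as plain SQL in psql, including the REVOKE from the comment; ro_user, the password, mydb and public.some_table are placeholders, and the predefined role pg_read_all_data needs PostgreSQL 14 or later.

```sql
-- Added example: the pgAdmin steps above as SQL. ro_user, the password,
-- and public.some_table are placeholders. Run as a superuser or the schema owner.

-- 1. The comment above: stop the implicit PUBLIC role (every user) from
--    creating objects in schema public.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. "Can login" + "Inherit rights from the parent roles?"
CREATE ROLE ro_user LOGIN INHERIT PASSWORD 'change-me-placeholder';

-- 3. "Membership" tab. pg_read_all_data already carries SELECT on every table,
--    view and sequence in every schema (plus USAGE on the schemas), so this
--    single grant is what actually provides the reads.
GRANT pg_read_all_data TO ro_user;

-- 4. "Default privileges" tab on schema public. Only applies to objects that the
--    role running this statement creates later in this schema; redundant for
--    pg_read_all_data but harmless, and it mirrors the GUI step.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO pg_read_all_data;

-- 5. "Parameters" tab: role = pg_read_all_data for one database. Optional,
--    since INHERIT already makes the membership effective.
ALTER ROLE ro_user IN DATABASE mydb SET role = 'pg_read_all_data';

-- 6. Verify that reads work but writes and object creation do not.
SELECT has_schema_privilege('ro_user', 'public', 'CREATE');
SELECT has_table_privilege('ro_user', 'public.some_table', 'SELECT');
SELECT has_table_privilege('ro_user', 'public.some_table', 'INSERT');
```

After the statements above, the CREATE and INSERT checks return false and the SELECT check returns true; note that pg_read_all_data reads every schema in every database, so use explicit per-table grants instead if the user must be limited to one schema.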
I need to check the roles and grants given to users, but from the metadata tables.
Basically, I need the metadata table, where I can query this, using multiple roles, eg. XXX, YYY,ZZZ. I need this to get the hierarchy of the roles that might have been granted.
I can do show grants OF role XXX - This'll give me all the users/ roles to which this role is granted, but I have to do for one role at a time.
If I do
SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE='XXX'
AND DELETED_ON IS null;
It gives me only the users who have been granted this role, not the roles itself.
If I check on GRANTS_TO_ROLES table - it gives me the actual privileges given for that role, but not the other roles to which the particular role is granted to.
What you can do is use the SHOW syntax rather than select:
show roles in account;
will give you the full list of roles (still coming from metadata). Not sure what exactly you want to do with them further, but in case you'd actually want to process the results as a query you can follow it by
select * from table(result_scan(last_query_id()));
and use it to join with other tables or just to copy into some sort of temporary table and join further from there.
You mentioned the hierarchy - I suspect you want to see which roles are granted to other roles..
Try this:
show grants of role Your_Role
In the table returned you will see that some roles are assigned to other roles and to users, i.e. column granted_to.
I am trying to get all the roles a user is part of. In my case, the user is part of an admin role which inherits another role ingestor, and this inherits another role analyst. If I query Snowflake as follows:
show grants to user <userid>
This lists only the admin role but not other two roles (ingestor, analyst). If the same user logs into snowflake, he could see all three roles available for him in the role dropdown.
Need help to get all explicit roles irrespective of role inheritance.
As a start, the views "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS" and "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES" in combination have the information you need,
but are only accessible to ACCOUNTADMIN
You also have:
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."ENABLED_ROLES";
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."APPLICABLE_ROLES";
The latter looks like a good place to start.
Edit, early 2023:
If you want to make your own near-instant expanded GRANTS_TO_ROLES, you can follow these lines:
Get roles with SHOW ROLES; RESULT_SCAN()
Iterate over roles above with SHOW GRANTS TO ROLE <role>; RESULT_SCAN()
Iterate over ALL_USER_NAMES() with SHOW GRANTS TO USER <user>; RESULT_SCAN()
Finally create a SELECT statement with a recursive Common Table Expression expanding the nested roles
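As an added example (not code from either answer), the recursive CTE described in the last step and in the earlier hierarchy question, run directly over the two ACCOUNT_USAGE views instead of RESULT_SCAN; MY_USER is a placeholder, and the views require the ACCOUNTADMIN role (or imported privileges on the SNOWFLAKE database) and lag live grants by up to about two hours.

```sql
-- Added example: expand every role a user holds, directly or through nested
-- role grants (admin -> ingestor -> analyst in the question above).
-- MY_USER is a placeholder. Role-to-role grants appear in GRANTS_TO_ROLES as
-- PRIVILEGE = 'USAGE', GRANTED_ON = 'ROLE', NAME = child, GRANTEE_NAME = parent.
WITH RECURSIVE role_tree AS (
    -- anchor: roles granted directly to the user (what SHOW GRANTS TO USER lists)
    SELECT u.role               AS role_name,
           u.role               AS direct_role,
           0                    AS depth,
           u.role::varchar      AS path
    FROM snowflake.account_usage.grants_to_users u
    WHERE u.grantee_name = 'MY_USER'
      AND u.deleted_on IS NULL

    UNION ALL

    -- recursive step: roles granted to a role already in the tree
    SELECT r.name,
           t.direct_role,
           t.depth + 1,
           t.path || ' -> ' || r.name
    FROM role_tree t
    JOIN snowflake.account_usage.grants_to_roles r
      ON r.grantee_name = t.role_name
     AND r.granted_on   = 'ROLE'
     AND r.granted_to   = 'ROLE'
     AND r.privilege    = 'USAGE'
     AND r.deleted_on   IS NULL
)
SELECT DISTINCT role_name, direct_role, depth, path
FROM role_tree
ORDER BY depth, role_name;
```

Snowflake rejects circular role grants, so the recursion always terminates; to audit the whole account rather than one user, drop the grantee_name filter and add grantee_name to the select list.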
I found the best way to find all roles with inherited roles.
Just run the SQL below.
SELECT CURRENT_AVAILABLE_ROLES()
My current Cube has two roles:
AdminSec: is for a few users only and refers to a group of administrators in my Active Directory.
GlobalSec: refers to "Everyone" and gives everyone access to read all data.
We are now planning to incorporate a new department (MinimalDepartment) in our company. This department should not have access to very much of the information in our company, so my plan is to create a third role (DepartmentSec) and assign a new Active Directory group (MinimalDepartment) to this role. Also I will limit the access to my dimension data by deselecting all departments and only granting access to the relevant department in the Department dimension.
My question is: If an employee is a member of the Active Directory Group MinimalDepartment will they then only be able to see the data in the cube which the role DepartmentSec allows (which is what I want)? Or will they be able to see all data as they are also part of "everyone" and therefore also the role GlobalSec?
If it is the latter is it then possible somehow to create the role so "everyone" has access except those in AD-group MinimalDepartment?
It seems that I have to create a new group in my AD which contains all the departments which I want to include and then use this instead of "everyone". Fortunately my IT support could tell me that we already have this group, so for me it's not a problem.