How do I grant accountadmin role to a created role in active directory group ?
error that I get:
grant role accountadmin to role adaccountadmin
Circular role grants not allowed. Granting role ACCOUNTADMIN to adaccountadmin would create a cycle.
In Snowflake you grant a role to its parent role, not the other way round. See Snowflake Roles Syntax.
ACCOUNTADMIN is a top-level role in Snowflake, so you can't make it the child of another role.
Related
What permissions are required to access information_schema.warehouse_load_history from snowsql? I created a role and user like the below and this shows 0 results.
create role TESTROLE;
grant imported privileges on database SNOWFLAKE to role TESTROLE;
create user TEST_USER
LOGIN_NAME = TEST_USER
password = 'Testsnowflake$1234'
default_warehouse = TEST_WH
default_role = TESTROLE
default_namespace = SNOWFLAKE.INFORMATION_SCHEMA;
grant role TESTROLE to user TEST_USER;
grant usage on WAREHOUSE TEST_WH to role TESTROLE;
Please see this link for the required privileges:
https://docs.snowflake.com/en/sql-reference/functions/warehouse_load_history.html#usage-notes
To get results from this function, one of the following roles or privileges is required:
The ACCOUNTADMIN role can get results from this function as it has all of the global account permissions.
A role with the MONITOR USAGE global privilege on the ACCOUNT can query this function for any warehouses in the account.
A role with the MONITOR privilege on the WAREHOUSE can query this function for the warehouse it has permissions on.
A role with the OWNERSHIP privilege on the WAREHOUSE has all permissions on the warehouse including MONITOR.
For more details, see Access Control Privileges.
When calling an Information Schema table function, the session must have an INFORMATION_SCHEMA schema in use or the function name must be fully-qualified. For more details, see Snowflake Information Schema.
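The least-privilege option from that list, as an added example (not from the question or the answer above): grant TESTROLE the MONITOR privilege on the one warehouse it needs instead of the account-wide MONITOR USAGE, then call the function fully qualified so it does not depend on the session's current schema. Role, user and warehouse names are the ones from the question.

```sql
-- Added example: scope the grant to one warehouse, not the whole account
use role ACCOUNTADMIN;
grant monitor on warehouse TEST_WH to role TESTROLE;

-- Confirm the privilege landed on the role (privileges are never granted to users directly)
show grants to role TESTROLE;

-- Query as the restricted role. The database in the qualified name can be any
-- database TESTROLE has USAGE on, since every database has an INFORMATION_SCHEMA;
-- SNOWFLAKE is used here because the question already granted imported privileges on it.
use role TESTROLE;
use warehouse TEST_WH;
select start_time, end_time, warehouse_name,
       avg_running, avg_queued_load, avg_queued_provisioning, avg_blocked
from table(SNOWFLAKE.INFORMATION_SCHEMA.WAREHOUSE_LOAD_HISTORY(
         date_range_start => dateadd('hour', -24, current_timestamp()),
         warehouse_name   => 'TEST_WH'))
order by start_time;

-- As the question shows, a missing MONITOR grant does not raise an error here:
-- the function simply returns zero rows, so an empty result should be treated
-- as a grant problem first and a "no load" answer second.
```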
Is there a way to do this?
There is an admin role which is the owner of the database, schema and all other objects.
There is a tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that the ownership of any new objects created will be on the admin role).
I have to revoke the tester role users' access on all other schemas in the database.
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete on all tables in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to role testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this: the testerrole needs to be able to create objects in DEVSCHM, but ownership of the objects should still be held by adminrole.
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case, then just grant future ownership on the relevant objects to the admin role.
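A complete grant set for the DEMODB/DEVSCHM scenario in the question, as an added example (not the answerer's own script). Role, database and schema names are the question's; the two revokes at the end assume such grants were made earlier. The question's `grant role adminrole to role testerrole` is deliberately left out, because it would make testerrole inherit every privilege adminrole holds, including the other schemas.

```sql
-- Added example: tester creates in DEVSCHM, admin owns the result
use role SECURITYADMIN;

-- Let testerrole reach and create objects in the one dev schema only
grant usage on database DEMODB to role testerrole;
grant usage on schema DEMODB.DEVSCHM to role testerrole;
grant create table, create view on schema DEMODB.DEVSCHM to role testerrole;

-- Anything created in DEVSCHM from now on is owned by adminrole, not by the
-- role that ran the CREATE statement (this is the future ownership grant)
grant ownership on future tables in schema DEMODB.DEVSCHM to role adminrole;
grant ownership on future views  in schema DEMODB.DEVSCHM to role adminrole;

-- Because ownership moves away from testerrole, it also needs future DML grants,
-- or it loses access to the objects it has just created
grant select, insert, update, delete on future tables in schema DEMODB.DEVSCHM to role testerrole;
grant select on future views in schema DEMODB.DEVSCHM to role testerrole;

-- Object privileges live on roles, not users, which is why
-- "revoke ... from user tester1" fails. Revoke from the role instead.
revoke usage on schema DEMODB.PRDSCHM from role testerrole;
revoke usage on schema DEMODB.QASSCHM from role testerrole;

-- Verify: what the role holds now, and what new objects in DEVSCHM will get
show grants to role testerrole;
show future grants in schema DEMODB.DEVSCHM;
```

A future grant at schema level takes precedence over one at database level for the same object type, so check both levels when the resulting ownership is not what you expected.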
I used the following statements:
USE ROLE SECURITYADMIN;
CREATE ROLE TEST_ROLE;
CREATE USER TEST_USER PASSWORD='PASSWORD' DEFAULT_ROLE='TEST_ROLE' DEFAULT_WAREHOUSE='MY_WH';
GRANT ROLE TEST_ROLE TO USER TEST_USER;
When I log in as TEST_USER, the user has access to all existing databases/schemas/tables/views. How come?
This is expected behaviour if the PUBLIC role was granted access to all your database objects.
By default, all users belong to the PUBLIC role.
You may check the privileges of the TEST_ROLE with this grant statement, which lists all privileges and roles granted to the role:
show grants to role TEST_ROLE;
and this one lists all users and roles to which the role has been granted:
show grants of role TEST_ROLE;
I'm new to Snowflake and trying to read through all the documentation. One of the subjects was account identifiers, and it provided SQL to show organization accounts. When trying to execute this under the ACCOUNTADMIN role, I receive the following error.
SHOW ORGANIZATION ACCOUNTS
SQL access control error: Insufficient privileges to operate on
'SYSTEM'
If account admin is the most powerful account, what else might be happening here?
You should execute this command as an ORGADMIN. Only organization administrators (users with the ORGADMIN role) can execute this SQL command.
https://docs.snowflake.com/en/sql-reference/sql/show-organization-accounts.html#usage-notes
Enabling the ORGADMIN role
https://docs.snowflake.com/en/user-guide/organizations-gs.html#enabling-the-orgadmin-role-for-an-account
https://docs.snowflake.com/en/user-guide/organizations-gs.html#assigning-the-orgadmin-role-to-a-user-or-role
https://docs.snowflake.com/en/user-guide/organizations.html#orgadmin-role
ACCOUNTADMIN is the highest privileged role in an account, but an Organisation is a level above accounts. Firstly you would need to be set up to use Organisations, and then you would need to use the ORGADMIN role to run Organisation-level queries.
Please run the statement below to grant the ORGADMIN role in your account. This will allow you to use the Organizations feature.
use role ACCOUNTADMIN;
grant role orgadmin to user <username>; -- Run with accountadmin role
Or
use role ACCOUNTADMIN;
grant role orgadmin to role <non-systemroles>; -- Run with accountadmin role
Doc link: https://docs.snowflake.com/en/user-guide-organizations.html
How to create a role in Snowflake without any privileges or with minimum privileges?
I tried to create a role with the parent role SECURITYADMIN.
When I assign this role to a user, I am able to see the databases of the parent role as well.
After I created a role with the parent role PUBLIC, I am still able to see databases.
What should I do so that a created role does not have access to anything unless I grant it?
When you create a role, it does not come with any privileges. The role can only access the objects granted to role PUBLIC:
use role accountadmin;
create role testing_role;
grant role testing_role to user gokhan;
use role testing_role;
show databases;
SAMPLE_DATA ...
show grants to role testing_role;
The last command will return zero rows. Are you sure you switched to the role when checking the databases? Also note that the UI has a separate role setting for worksheets and for the other tabs:
https://docs.snowflake.com/en/user-guide/ui-worksheet.html#overview-of-features
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html
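Both the TEST_ROLE answer above and this one come down to the same thing: a new role sees exactly what PUBLIC can see. The following, as an added example (not from either answer), audits the PUBLIC grants, removes one, and proves the result with an empty probe role. MYDB and <your_user> are placeholders for your own database and login; probe_role is a throwaway name.

```sql
-- Added example: audit what every role inherits through PUBLIC
use role SECURITYADMIN;

-- 1. Everything granted to PUBLIC is visible to every user and role in the account
show grants to role PUBLIC;

-- Narrow the SHOW output to object privileges. RESULT_SCAN reads the last
-- statement's result; SHOW column names are lower case and must be quoted.
select "privilege", "granted_on", "name", "granted_by"
from table(result_scan(last_query_id()))
where "granted_on" in ('DATABASE', 'SCHEMA', 'TABLE', 'VIEW')
order by "granted_on", "name";

-- 2. Revoke a grant that should not be account-wide, e.g. USAGE on MYDB that
--    was handed to PUBLIC during initial setup (placeholder database name)
revoke usage on database MYDB from role PUBLIC;

-- 3. Prove it with a probe role that has no grants of its own: whatever it can
--    still see after switching to it comes through PUBLIC, nothing else
create role if not exists probe_role;
grant role probe_role to user <your_user>;
show grants to role probe_role;     -- zero rows, as the answer above describes
use role probe_role;
show databases;                     -- only what PUBLIC can still reach

-- Clean up the probe role
use role SECURITYADMIN;
drop role probe_role;
```

Shared sample data (the SAMPLE_DATA line in the answer above) normally appears here because its IMPORTED PRIVILEGES were granted to PUBLIC; revoking that grant from PUBLIC hides it from every role that was not granted it explicitly.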