Can anyone please clear up my confusion about the scope of a Reader Account versus a Consumer Account? I was under the assumption that a Reader account is created by the provider to help the consumer account. But in the official diagram, the Consumer Account has direct access to the DB (left) of the Provider Account (link).
The main difference is that you are responsible for the cost of the warehouse and for managing users and roles of a reader account. For a consumer account you are not responsible for any of that.
As an example:
You have your Snowflake account and you need to share data with two of your vendors (A & B). Vendor A has their own Snowflake account; Vendor B doesn't have their own Snowflake account.
First you setup a data SHARE object so that both vendors can access the data without logging into your account.
The Provider Account is you. You are providing them with data.
The Consumer Account is Vendor A. You will add their Snowflake account to the SHARE object to provide them data to their Snowflake account, and they will use their warehouses to query the data.
The Reader Account is Vendor B. Since Vendor B doesn't have a Snowflake account, you will create a MANAGED ACCOUNT object. This will supply you with a Snowflake account name and URL that you can give to Vendor B. You must then add the account name to the SHARE you created in the beginning. Next you must log in to the reader account as the admin, create a database from the share, and create users, roles, and at least one warehouse to use. When Vendor B logs in to that managed account URL they will only be able to see data in the database from the share (same as Vendor A).
I am using the below queries to create a share and add objects to it:
CREATE SHARE IF NOT EXISTS my_db_my_schema_my_table;
GRANT USAGE ON DATABASE my_db TO SHARE my_db_my_schema_my_table;
GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE my_db_my_schema_my_table;
GRANT SELECT ON TABLE my_db.my_schema.my_table TO SHARE my_db_my_schema_my_table;
Now, I am using the below query to add the accounts:
ALTER SHARE my_db_my_schema_my_table ADD ACCOUNTS=AB60942;
This works fine. No errors. Also, I can see in the share details that this account name was added under Full Accounts.
Below are my current role permissions:
However, I am not able to see anything under the other account. What exactly am I missing here?
P.S.: I am trying to refrain from using the accountadmin role.
You must use the ACCOUNTADMIN role (or a role granted the IMPORT SHARES global privilege) to perform these tasks:
Do you see your shares in the available/inbound shares on the consumer account?
show shares;
Have you created a database from the share on the consumer account?
https://docs.snowflake.com/en/user-guide/data-share-consumers.html#creating-a-database-from-a-share
Are your consumer and the main account in the same region? If they are in different regions, follow this document: https://docs.snowflake.com/en/user-guide/secure-data-sharing-across-regions-plaforms.html
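The end-to-end flow described in the two answers above (the provider creates the share and a managed reader account, and the consumer, using ACCOUNTADMIN or a role with the import-share privilege, checks SHOW SHARES and creates a database from the share) as one Snowflake SQL script. This is an added example, not code from the original posts or from Snowflake's documentation; the object names (sales_db, sales_db.public.orders, vendor_share, vendor_b_reader, reader_wh, the analyst role) and the account locators VENDORA_LOCATOR, VENDORB_LOCATOR and PROVIDER_LOCATOR are placeholders you replace with your own.

```sql
-- ===== Provider account (your account) =====
-- Run as ACCOUNTADMIN or a role that holds CREATE SHARE.
-- All names below are placeholders for this example.
CREATE SHARE IF NOT EXISTS vendor_share;
GRANT USAGE ON DATABASE sales_db TO SHARE vendor_share;
GRANT USAGE ON SCHEMA sales_db.public TO SHARE vendor_share;
-- Least privilege: share only the tables the vendors need, SELECT only.
GRANT SELECT ON TABLE sales_db.public.orders TO SHARE vendor_share;

-- Vendor A already has a Snowflake account (the Consumer Account):
-- add its account locator to the share.
ALTER SHARE vendor_share ADD ACCOUNTS = VENDORA_LOCATOR;

-- Vendor B has no Snowflake account: create a managed (reader) account.
-- Snowflake returns the new account's name and URL, which you hand to
-- Vendor B. You pay for its warehouse and administer its users and roles.
CREATE MANAGED ACCOUNT vendor_b_reader
  ADMIN_NAME = vendor_b_admin,
  ADMIN_PASSWORD = '<strong-password-placeholder>',
  TYPE = READER;
-- Look up the locator of the reader account, then add it to the same share.
SHOW MANAGED ACCOUNTS;
ALTER SHARE vendor_share ADD ACCOUNTS = VENDORB_LOCATOR;  -- locator from SHOW MANAGED ACCOUNTS

-- ===== Consumer side =====
-- Vendor A runs this in their own account; for Vendor B you run it yourself
-- after logging in to the reader account as its admin.
-- The share only becomes visible to ACCOUNTADMIN or a role granted the
-- import-share privilege; this is the usual reason "nothing shows up".
USE ROLE ACCOUNTADMIN;
SHOW SHARES;   -- vendor_share should be listed with kind = INBOUND

-- Mount the share as a read-only database.
CREATE DATABASE shared_sales FROM SHARE PROVIDER_LOCATOR.vendor_share;

-- Shared databases are granted as a unit: IMPORTED PRIVILEGES lets a
-- non-admin role query it without handing out ACCOUNTADMIN.
CREATE ROLE IF NOT EXISTS analyst;
GRANT IMPORTED PRIVILEGES ON DATABASE shared_sales TO ROLE analyst;

-- Reader account only: it starts with no warehouse and no users.
CREATE WAREHOUSE IF NOT EXISTS reader_wh
  WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
GRANT USAGE ON WAREHOUSE reader_wh TO ROLE analyst;
CREATE USER IF NOT EXISTS vendor_b_analyst
  PASSWORD = '<placeholder>'
  DEFAULT_ROLE = analyst
  DEFAULT_WAREHOUSE = reader_wh
  MUST_CHANGE_PASSWORD = TRUE;
GRANT ROLE analyst TO USER vendor_b_analyst;

-- Sanity check from the analyst role: the shared table is queryable.
USE ROLE analyst;
USE WAREHOUSE reader_wh;
SELECT COUNT(*) FROM shared_sales.public.orders;
```

If the consumer and provider accounts are in different regions or clouds, the ALTER SHARE step alone is not enough; the share first has to be replicated to the consumer's region, as the linked cross-region document describes.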
Is it possible to add, for example, Azure AD B2C for a Snowflake reader account? There is no real documentation about it.
For a regular account you can do that, but for a reader account there is really no info about it.
The Snowflake Reader account is used by a non-Snowflake customer to consume the database shared by the Provider.
Operations such as Okta SSO configuration are the same as for a regular account.
Interesting question! I did set up Okta on the reader accounts and can confirm it works! The steps are exactly the same as a normal account.
Everything in the Snowflake setup needs to be done by the consumer account admin role (the reader account owner).
Can anyone explain the complete process to create a Snowflake organization account and the way to attach/detach an account from it? I looked into the Snowflake console as well as the documentation but have not gotten clarity.
You should submit a ticket to Snowflake Support to enable organization on one of your accounts. This will create the ORGADMIN role in the account. Then you can grant this role to one of your users. The user which has the ORGADMIN role can access the Organization page. From the organization page, you can see your existing accounts, and create new accounts. When you create a new account, it will be in your organization automatically.
If you have an account which you can't see on the organization page, that means the account was created in another organization. In this case, you need to submit a ticket to Snowflake Support and ask them to move your account to your organization.
Normally, it's expected that each customer should have one organization, but if you have multiple organizations, you can also ask Snowflake Support to move your account from one organization to another (that's how you would detach). If you want to drop an account, you should also contact Snowflake Support; it can't be done through the organization page.
I have a specific problem to which I couldn't find any answer online.
The situation is the following:
We created a Canvas app that connects to the Azure SQL database. We set the connection type to be AAD integrated.
Users that are members of the AD can see the data in the app, but guest users, even though we gave them all the rights and a PowerApps plan, cannot see the data. They receive the same authorization window as members, but when they click on allow, the app starts but no data is pulled from the SQL database.
When we try to connect directly to the Azure SQL database with the guest user email and credentials (via SQL server management studio), everything works as expected and the guest can see all the tables.
When we use an implicitly shared connection (with SQL Server authentication), guests can see the data, but we need to use AAD integrated due to its security.
So far we tried:
Changing PA environment from sandbox to production
Adding special permissions in SQL database like database owner etc
Trying out different AAD guest user settings, e.g. setting that guest users have the same privileges as members (picture below).
Nothing seems to work. I would be more than happy if you could tell me how to make this work or even push me in the right direction.
I've reproduced your problem in my side. Here's my experience.
After assigning a PowerApps license (I use O365 E5 here) to the guest account and sharing the app with this account, I can visit the app but can't see the data in the table. I assumed it resulted from the connector not having been shared, but it's true that this connector can't be shared because there is no 'share' button.
Then I tried to add an access policy for my guest account with these two SQL statements:
CREATE USER [tiny-wa_outlook.com#EXT#@xx.onmicrosoft.com] FROM EXTERNAL PROVIDER;
GRANT SELECT ON dbo.tinyTest TO [tiny-wa_outlook.com#EXT#@xx.onmicrosoft.com];
Please note that I used the User Principal Name here (you can find the principal name in Azure AD -> Users). I also tested using 'tiny-wa@outlook.com' in the SQL, but after it executed successfully, it didn't work.
So I think you can try using the SQL above to add your guest accounts and enable them to access the PowerApp.
Here's some related docs:
create contained users mapped to azure ad identities
Share app resources
add table permission to user
==========================UPDATE==========================
Sharing my experience of this troubleshooting.
First I needed to create a Power App, but I found that after creating the connector with SQL Server Azure AD authentication, it couldn't connect to the SQL server; the error message was like 'Credentials are missing or not valid. inner exception: The credentials provided for the SQL source are invalid'. The solution was to add my admin account as the SQL Server instance's Active Directory admin.
Then I chose a table and successfully created a sample app. With the creating account, I could visit the app but other accounts couldn't. Here you need to share the app and its related connectors with other users. But other accounts still couldn't reach the app because they had no license. Because the SQL Server connector is a premium connector, I assigned an O365 E3 license here. I met an error when assigning the license: the user's 'Usage location' can't be null, or the license can't be assigned in the M365 admin center.
Then I met a similar error to the OP's; the difference is that both the member account and the guest account couldn't see the data in the app. I tried to find a way to share the connector with these users but failed; I haven't confirmed whether connectors without a share button can be shared with others. So I had no way to study whether this kind of connector is authenticated in other ways so that it doesn't need to be shared at all.
The next action was to use the account that was used to create the SQL server and database to sign in to the database and execute the SQL above.
Then the member account could see data in the Power App while the guest account couldn't. The reason is that I used xx@outlook.com as the parameter in the SQL; when I used xx_outlook.com#EXT#@xx.onmicrosoft.com, it finally worked.
Hope this can also help you.
===================================================
For creating my demo app: first, I'm sure my environment isn't a sandbox (the environment in the screenshot below). And I think it's easy to create a demo app; my app is simple: just choose to create an app from data and then select SQL Server as the connector, next choose Azure AD auth and click the connector, enter the server name and database name, then choose a table, after which my app was created. That table has one row of data, so when I signed in to the app with the creating account I saw it on the screen while other accounts (member or guest) couldn't.
My SQL Server instance and database were created a long time ago, but I'm sure I followed this tutorial to create them.
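The answer above hinges on two details: the guest must be created as a contained user FROM EXTERNAL PROVIDER under its tenant-side User Principal Name (the alias_domain#EXT#@tenant form, not the external e-mail address), and it should get only the table access the app needs. The T-SQL below, an added example that is not from the original answer or from Microsoft, wraps both steps so they are idempotent and then queries the catalog to confirm what was actually created and granted. The guest UPN alice_contoso.com#EXT#@fabrikam.onmicrosoft.com and the table dbo.Orders are constructed placeholders.

```sql
-- Run inside the target Azure SQL database (not master), connected as the
-- server's Azure AD admin or a database user holding ALTER ANY USER.
-- Placeholder UPN: a guest invited into tenant fabrikam.onmicrosoft.com from
-- alice@contoso.com gets this principal name in Azure AD -> Users.
DECLARE @guest sysname = N'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com';
DECLARE @table nvarchar(256) = N'dbo.Orders';   -- placeholder table the app reads

-- 1. Create the contained user mapped to the Azure AD identity, only if it is
--    not already present. QUOTENAME brackets the name so '#', '@' and '.'
--    in the UPN are handled as part of the identifier.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @guest)
BEGIN
    DECLARE @create nvarchar(max) =
        N'CREATE USER ' + QUOTENAME(@guest) + N' FROM EXTERNAL PROVIDER;';
    EXEC sp_executesql @create;
END;

-- 2. Least privilege: SELECT on the one object the app needs, rather than
--    db_owner or a broad schema grant. GRANT is idempotent, so re-running is safe.
DECLARE @grant nvarchar(max) =
    N'GRANT SELECT ON OBJECT::' + @table + N' TO ' + QUOTENAME(@guest) + N';';
EXEC sp_executesql @grant;

-- 3. Verify: the principal must show up as an EXTERNAL_USER with
--    authentication_type_desc = EXTERNAL, and the only permission listed
--    should be SELECT on the intended object. If the wrong name form was
--    used (e.g. the external e-mail address), CREATE USER would have failed
--    or the row here would not match the identity Azure AD presents.
SELECT dp.name,
       dp.type_desc,
       dp.authentication_type_desc,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id) AS granted_object
FROM sys.database_principals AS dp
LEFT JOIN sys.database_permissions AS pe
       ON pe.grantee_principal_id = dp.principal_id
WHERE dp.name = @guest;
```

Because the app connects with AAD-integrated authentication, the identity the Power Apps connector presents to Azure SQL is the guest's tenant-side principal, so the catalog row above must match that exact name for the data to appear.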
This appears to still be a limitation to access to Azure SQL via PA connector for guest users:
https://powerusers.microsoft.com/t5/Power-Apps-Ideas/Azure-SQL-to-PowerApps-Connector-AAD-doesn-t-work-for-guest/idi-p/1637817
If the "guest" does NOT have a PowerApps Per-App/Per-User plan, they cannot use your PowerApps with SQL data source (Note: SQL is a premium connector).
Determine exactly which type of license the guest has. Then, either your organization or the guest (or guest's org) must purchase one of these licenses. $5/$10/$20 per month depending on your use case.
I'm working on improving the user experience for our org when logging in to Snowflake. We have ADFS SSO enabled and are provisioning and mapping users to roles using Azure AD. I had a colleague attempt to sign in with SSO who didn't have a user account created in Snowflake, and they were greeted with
"The signed in user <user@email.com> is not assigned to a role for the application (Snowflake)".
My question is: is it possible to have users sign in to Snowflake without being mapped to a default role, perhaps only having the public role assigned, and without being synced with Azure AD?
If it is, I'd appreciate any pointers to documentation I can reference. The goal is to get all users that can SSO to be able to log in by default.
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
Looking at the error, it's not allowing users who don't have an appropriate role for the application.
In this case, why can't we create a generic stored procedure to assign a default role and instance to new users based on the group they belong to? Each time we add a new user, we have to run the stored procedure to assign the default role and objects prior to their login to Snowflake.
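The comment above proposes a stored procedure that assigns a default role from the user's group. The Snowflake Scripting procedure below is an added example of that idea, not code from the thread or from Snowflake; it resolves the group through an allow-list table so an unknown group is refused rather than mapped to something powerful, validates the user name before it is embedded in dynamic SQL, and sets DEFAULT_ROLE so the next SSO login lands on the intended role. The database admin_db, schema config, table group_role_map, the roles, the group names and the sample user are all assumed placeholders.

```sql
-- Placeholders for this example: an admin-owned mapping table and the roles it names.
CREATE DATABASE IF NOT EXISTS admin_db;
CREATE SCHEMA IF NOT EXISTS admin_db.config;
CREATE TABLE IF NOT EXISTS admin_db.config.group_role_map (
  ad_group       STRING NOT NULL,   -- Azure AD group name as synced
  snowflake_role STRING NOT NULL    -- role that group may receive
);
CREATE ROLE IF NOT EXISTS analyst;
-- Constructed sample mapping; the real table is maintained by the admins.
INSERT INTO admin_db.config.group_role_map VALUES
  ('sg-snowflake-analysts', 'ANALYST'),
  ('sg-snowflake-readonly', 'PUBLIC');

-- The procedure runs as its owner, so only the owner role needs the ability to
-- grant the mapped roles (e.g. it owns them or holds MANAGE GRANTS); callers do not.
CREATE OR REPLACE PROCEDURE admin_db.config.assign_default_role(
    user_name STRING, ad_group STRING)
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER
AS
$$
DECLARE
  role_name STRING;
  quoted_user STRING;
  stmt STRING;
BEGIN
  -- Accept only characters that can appear in a login name; anything else is
  -- refused so it can never be spliced into the dynamic GRANT below.
  IF (NOT REGEXP_LIKE(user_name, '^[A-Za-z0-9_.@-]+$')) THEN
    RETURN 'rejected: user name contains unexpected characters';
  END IF;

  -- Resolve the group through the allow-list. MAX() always yields one row,
  -- so an unmapped group produces NULL instead of an error.
  SELECT MAX(snowflake_role) INTO :role_name
    FROM admin_db.config.group_role_map
    WHERE ad_group = :ad_group;
  IF (role_name IS NULL) THEN
    RETURN 'rejected: no role mapped for group ' || ad_group;
  END IF;

  -- Assumption: SCIM-provisioned user names are stored uppercase, so quoting the
  -- uppercased name matches them exactly.
  quoted_user := '"' || UPPER(user_name) || '"';

  -- Grant the role and make it the default so the SSO login resolves to it.
  stmt := 'GRANT ROLE ' || role_name || ' TO USER ' || quoted_user;
  EXECUTE IMMEDIATE :stmt;
  stmt := 'ALTER USER ' || quoted_user || ' SET DEFAULT_ROLE = ' || role_name;
  EXECUTE IMMEDIATE :stmt;

  RETURN 'granted ' || role_name || ' to ' || user_name;
EXCEPTION
  WHEN STATEMENT_ERROR THEN
    -- e.g. the user has not been provisioned yet: report instead of failing silently.
    RETURN 'failed: ' || SQLERRM;
END;
$$;

-- Usage with a constructed user and the sample group above.
CALL admin_db.config.assign_default_role('jane.doe@example.com', 'sg-snowflake-analysts');
-- An unmapped group is refused rather than defaulted to a privileged role.
CALL admin_db.config.assign_default_role('jane.doe@example.com', 'sg-unknown');
```

The allow-list table is the important design choice: the procedure can only ever hand out roles an administrator has explicitly listed, so a mis-synced or attacker-chosen group name cannot escalate to ACCOUNTADMIN or SECURITYADMIN.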