While exploring Snowflake documentation on Audit Logging (user login history, object creation/deletion, query execution history etc), I found the below information.
But in my trial account, I didn't find any shared DB with the name 'SNOWFLAKE'.
Would appreciate it if someone can throw more light on this feature.
Neeraj
You need to choose the 'ACCOUNTADMIN' role in the context of your session to see that database.
You should set the ACCOUNTADMIN role in the context to access the SNOWFLAKE database.
Alternatively, as ACCOUNTADMIN, you can grant the privilege for viewing the data to other users as below.
grant imported privileges on database snowflake to role <role_name>; -- where <role_name> is an existing/new role granted to the user
Changing the role in the upper right corner is not sufficient. You need to change the role in the context.
After that, 'SNOWFLAKE' shared DB will be visible.
I'm experiencing a strange behavior in Snowflake and couldn't find any explanation in the documentation.
use role accountadmin ;
use database some_database;
create schema test_schema;
drop schema test_schema;
Result:
SQL access control error: Insufficient privileges to operate on schema 'TEST_SCHEMA'
When I check the schemas with show schemas I find that the ownership of TEST_SCHEMA belongs to another role.
Snowflake documentation only says that the ownership of an object is set to the role which created it, and the only way to have it owned by another role is transfer of ownership.
I've tried granting usage on future schema to accountadmin, but it hasn't fixed the problem.
Any ideas?
The database probably has future grants set up on it that automatically assign ownership of each new schema created.
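To check that explanation rather than guess, here is an added example (not part of the answer above) that lists the future grants on the database, shows who owns the schema, and then either takes the one schema back or removes the future ownership grant. `some_database`, `test_schema` and `some_other_role` are assumed placeholder names.

```sql
-- Added example, not from the original post: diagnose why a schema created by
-- ACCOUNTADMIN ends up owned by another role. Object and role names are assumed.
USE ROLE ACCOUNTADMIN;

-- 1. Look for future grants on the database. A future OWNERSHIP grant on schemas
--    re-assigns every newly created schema to the grantee role at creation time.
SHOW FUTURE GRANTS IN DATABASE some_database;
-- A row with privilege = OWNERSHIP, grant_on = SCHEMA, grantee_name = SOME_OTHER_ROLE
-- is the cause of the "Insufficient privileges" error on DROP SCHEMA.

-- 2. Confirm the current owner of the schema that could not be dropped.
SHOW GRANTS ON SCHEMA some_database.test_schema;

-- 3a. Take ownership of this one schema back (ACCOUNTADMIN holds MANAGE GRANTS through
--     SECURITYADMIN, so it may transfer ownership), then drop it.
GRANT OWNERSHIP ON SCHEMA some_database.test_schema TO ROLE ACCOUNTADMIN COPY CURRENT GRANTS;
DROP SCHEMA some_database.test_schema;

-- 3b. Or remove the future grant so later schemas stay with the role that creates them.
REVOKE OWNERSHIP ON FUTURE SCHEMAS IN DATABASE some_database FROM ROLE some_other_role;
```

Step 1 is the one worth running first: the SHOW FUTURE GRANTS output names the role that silently takes ownership, and the same check explains why a GRANT USAGE ON FUTURE SCHEMAS to ACCOUNTADMIN did not help (usage does not override ownership).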
I just set up my snowflake instance to use google auth. I can log in with my google account, query tables, create roles, etc... Today I ran into an issue (two of them actually).
I run this script
SET ROLE ACCOUNTADMIN;
CREATE WAREHOUSE IF NOT EXISTS joe;
When I am logged in with my Google Account, I get the error message:
SQL access control error: Insufficient privileges to operate on account 'XXX99999'
When I am logging in with my Snowflake native account, it works. Both accounts have the ACCOUNTADMIN role and are using it.
This is all in the classic interface. When trying to switch over to Snowsight, my Google account cannot log in. I click [Authenticate with Google] and the screen refreshes, no error, but now the button is disabled.
For the first error, the reason is that the user does not have any roles that have the privileges on the account where the operation is being done. To overcome that, you need to assign the right set of roles to the user coming from the Google IdP.
Please check the following documentation which details the levels for each of the database objects that requires privileges: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax
For the second issue, which button is disabled "Snowsight" which is listed from Classic UI?
Please use the below scripts to create warehouse. You need to use role instead of set role.
use ROLE ACCOUNTADMIN; //To use accountadmin role
CREATE WAREHOUSE IF NOT EXISTS joe_wh; //to create warehouse
To use SSO based login with Snowsight, Please migrate to advanced SAML as per
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-advanced.html#migrating-to-a-saml2-security-integration
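As an added example (not from either answer above), this is how the "assign the right set of roles to the federated user" advice looks in SQL, using a narrow role that only holds CREATE WAREHOUSE instead of handing the SSO user ACCOUNTADMIN. The user name `joe_sso`, the login `joe@example.com` and the role `wh_admin` are assumed placeholders.

```sql
-- Added example, not from the original post. Names are assumed placeholders.
-- Roles and users are managed by USERADMIN (or SECURITYADMIN / ACCOUNTADMIN).
USE ROLE USERADMIN;

-- The Snowflake user for a Google-federated login must exist and its LOGIN_NAME must
-- match the identity the IdP sends in the SAML assertion (the e-mail address).
CREATE USER IF NOT EXISTS joe_sso
  LOGIN_NAME = 'joe@example.com'
  DEFAULT_ROLE = wh_admin;

CREATE ROLE IF NOT EXISTS wh_admin;

-- CREATE WAREHOUSE is an account-level privilege; grant it to the role, not the user.
USE ROLE ACCOUNTADMIN;
GRANT CREATE WAREHOUSE ON ACCOUNT TO ROLE wh_admin;
GRANT ROLE wh_admin TO USER joe_sso;

-- Compare what the federated user holds against the native user that works.
SHOW GRANTS TO USER joe_sso;

-- In the federated user's own session: activate the role (USE ROLE, not SET ROLE),
-- confirm the context, then create the warehouse.
USE ROLE wh_admin;
SELECT CURRENT_USER(), CURRENT_ROLE();
CREATE WAREHOUSE IF NOT EXISTS joe_wh WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60;
```

The SHOW GRANTS TO USER check is the quickest way to see whether the "Insufficient privileges to operate on account" error comes from a missing role grant on the SSO user rather than from the IdP integration itself.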
I'm trying to create a Role hierarchy in Snowflake with a "top level" role which will be used for my helpdesk support team to manage users and resources within Snowflake. But this role cannot have access to any stored data due to compliance restrictions.
For user management, I've just granted SECURITYADMIN to the role and it seems to work pretty well. But for databases I would like to avoid using SYSADMIN as I would be inheriting the ability to view everything in the databases. So I've come up with a hierarchy that I think makes sense, which is basically the following with some added project roles:
ACCOUNTADMIN >--- HELPDESK (create/drop db then hand off to OU_MANAGER)
- OU_MANAGER (create/drop schema/tables and assign grants within the OU) > OU_MEMBER (usage on resources in db)
What I would like to do is create the databases with my HELPDESK role, then grant all on that db to the management role for the organizational unit and hand it off to them.
I'm not sure if this is possible in Snowflake, or if I just have my syntax wrong. But I get an error when I try to run a basic grant create database to role helpdesk, and I can't find anything definitive in the docs about granting this kind of access.
use role accountadmin;
grant create database on account to role helpdesk;
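An added example (not from the post) of the hierarchy described above, written so that HELPDESK can create a database and hand it off without ever retaining access to the data inside it. It uses a transfer of OWNERSHIP rather than GRANT ALL, because the creating role keeps ownership of the database under GRANT ALL, which is exactly what the compliance restriction rules out. Role names follow the post; `ou_finance` and the schema name are assumed.

```sql
-- Added example, not from the original post. ou_finance / reports are assumed names.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS helpdesk;
CREATE ROLE IF NOT EXISTS ou_manager;
CREATE ROLE IF NOT EXISTS ou_member;
GRANT ROLE ou_member TO ROLE ou_manager;     -- manager inherits member access
GRANT ROLE helpdesk  TO ROLE accountadmin;   -- ACCOUNTADMIN stays at the top of the tree

-- CREATE DATABASE is an account-level privilege; grant it from ACCOUNTADMIN
-- (or any role holding MANAGE GRANTS).
USE ROLE ACCOUNTADMIN;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE helpdesk;

-- Helpdesk creates the database, then transfers ownership. REVOKE CURRENT GRANTS drops
-- every privilege helpdesk held on it, so helpdesk ends up with no access at all.
USE ROLE helpdesk;
CREATE DATABASE ou_finance;
GRANT OWNERSHIP ON DATABASE ou_finance TO ROLE ou_manager REVOKE CURRENT GRANTS;

-- The OU manager builds schemas and tables and scopes member access, including
-- objects created later, so nobody has to come back to ACCOUNTADMIN for grants.
USE ROLE ou_manager;
CREATE SCHEMA ou_finance.reports;
GRANT USAGE  ON DATABASE ou_finance TO ROLE ou_member;
GRANT USAGE  ON SCHEMA   ou_finance.reports TO ROLE ou_member;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ou_finance.reports TO ROLE ou_member;

-- Verify the hand-off: no row should name HELPDESK any more.
SHOW GRANTS ON DATABASE ou_finance;
```

One consequence to plan for: once ownership has moved, HELPDESK can no longer drop that database, so a decommission has to go through the OU manager (or ACCOUNTADMIN) handing ownership back first.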
I am new to snowflake, As a DBA I got ACCOUNTADMIN access to start with. I have granted read access on information_schema.login_history and information_schema.query_history to our security application user, via a role.
The user is able to login and query above views. However, the account is not able to see all rows when query above views. Only returns login history of that user, query history of that user. I tested it from my end, switching role from ACCOUNTADMIN to the read role I have created, and I see the same thing.
Can anyone tell me what privileges I need to grant the role, so anyone using that role can see all login history?
There are two places where you can see login history -- in the Account Usage view or using the Information Schema table functions. The documentation here explains the differences.
After reviewing the differences, many customers will opt for giving non-admins access to Account_Usage views for auditing purposes. The grants needed for this are mentioned in the documentation here.
However, if you prefer giving the non-admin role access to the Information_Schema login_history table function, you may need to give a MONITOR grant on each desired user to this role as per the article here.
You need to grant monitor privileges to said role:
grant monitor usage on account to role custom;
This information can be accessed/viewed only by account administrators. To enable users who are not account administrators to access/view this information, Snowflake provides the global MONITOR USAGE privilege. Granting the MONITOR USAGE privilege to a role allows all users who are granted the role to access this historical/usage information.
In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.
Ref: https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#enabling-non-account-administrators-to-monitor-usage-and-billing-history
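Putting the GRANT IMPORTED PRIVILEGES advice from the first thread together with the MONITOR USAGE advice above, here is an added example (not from any of the answers) of a read-only auditing role that sees the whole account's login history, followed by the failed-login query a security application would run with it. The role `security_auditor`, user `secapp_user` and warehouse `audit_wh` are assumed placeholders.

```sql
-- Added example, not from the original posts. Role, user and warehouse names are assumed.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS security_auditor;

-- ACCOUNT_USAGE lives in the imported SNOWFLAKE database; IMPORTED PRIVILEGES is the
-- grant that opens that database to a non-ACCOUNTADMIN role.
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE security_auditor;

-- MONITOR USAGE lets the INFORMATION_SCHEMA table functions (LOGIN_HISTORY, QUERY_HISTORY)
-- return rows for every user instead of only the caller's own.
GRANT MONITOR USAGE ON ACCOUNT TO ROLE security_auditor;

GRANT USAGE ON WAREHOUSE audit_wh TO ROLE security_auditor;  -- queries need a warehouse
GRANT ROLE security_auditor TO USER secapp_user;

-- As the auditing user: all failed logins in the account over the last 24 hours.
-- ACCOUNT_USAGE keeps 365 days but can lag by up to a couple of hours.
USE ROLE security_auditor;
USE WAREHOUSE audit_wh;
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, error_code, error_message
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'NO'
  AND  event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- Same signal with lower latency but only a 7-day window, via the Information Schema
-- table function (this is where MONITOR USAGE matters).
SELECT user_name, COUNT(*) AS failures
FROM   TABLE(information_schema.login_history(
           time_range_start => DATEADD(hour, -24, CURRENT_TIMESTAMP())))
WHERE  is_success = 'NO'
GROUP  BY user_name
ORDER  BY failures DESC;
```

If the security application should only ever see a handful of named users rather than the whole account, the per-user MONITOR grant mentioned in the answer above is the narrower alternative to MONITOR USAGE.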
I have two Snowflake accounts and need to clone or copy the databases and tables in the same region.
Solutions that I am trying to replicate:
Data Sharing Intro Reference
I read that:
"Snowflake supports using grants to provide granular access control to selected objects (schemas, tables, secure views, and secure UDFs) in the database (i.e., you grant access privileges for one or more specific objects within the database)."
It sounds like I could share a UDF with the database I want to share with the account, but read only features. This is confirmed:
"...but cannot perform any of the DML tasks that are allowed in a full account (data loading, insert, update, etc.)."
Setting up one account as a provider:
USE ROLE ACCOUNTADMIN;
CREATE MANAGED ACCOUNT reader_acct1
ADMIN_NAME = user1 , ADMIN_PASSWORD = 'Sdfed43da!44' ,
TYPE = READER;
//create share
CREATE SHARE Articlelibary_share;
GRANT USAGE ON DATABASE Snapshots TO SHARE Articlelibary_share;
GRANT USAGE ON SCHEMA Snapshots.public TO SHARE Articlelibary_share;
GRANT SELECT ON TABLE Snapshots.public.Articlelibary_TEST TO SHARE Articlelibary_share;
However, the error I am getting in my worksheet says:
SQL compilation error: Database 'SNAPSHOTS' does not exist or not authorized.
What I have found is that when I am in the ACCOUNTADMIN role I can see the Snapshots table; however, in the SYSADMIN role I cannot see the Snapshots table.
So, how can I fix the Database/Table permissions so that I can add it to the share?
The activities of creating a share and allowing access to other accounts have to be performed only by the ACCOUNTADMIN, and that is the reason for the error that you are seeing.
From the documentation it is very clear:
https://docs.snowflake.net/manuals/user-guide/data-sharing-gs.html#getting-started-with-secure-data-sharing
To perform the tasks described in this topic, you must use the ACCOUNTADMIN role.
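As an added example (not from the answer), this runs the asker's share setup entirely under ACCOUNTADMIN and adds the checks that show exactly what the reader account will be able to see before the share is attached. Object names are the asker's; `<reader_account_locator>` is a placeholder for the locator returned by CREATE MANAGED ACCOUNT.

```sql
-- Added example, not from the original post. <reader_account_locator> is a placeholder.
USE ROLE ACCOUNTADMIN;

-- ACCOUNTADMIN sees SNAPSHOTS even when SYSADMIN does not; confirm before sharing.
SHOW DATABASES LIKE 'SNAPSHOTS';

CREATE SHARE IF NOT EXISTS articlelibary_share;
GRANT USAGE  ON DATABASE snapshots                           TO SHARE articlelibary_share;
GRANT USAGE  ON SCHEMA   snapshots.public                    TO SHARE articlelibary_share;
GRANT SELECT ON TABLE    snapshots.public.articlelibary_test TO SHARE articlelibary_share;

-- Review the share's contents: the consumer gets exactly these objects, read-only.
SHOW GRANTS TO SHARE articlelibary_share;

-- Attach the reader account created earlier with CREATE MANAGED ACCOUNT.
ALTER SHARE articlelibary_share ADD ACCOUNTS = <reader_account_locator>;
SHOW SHARES LIKE 'ARTICLELIBARY_SHARE';

-- Optional: let SYSADMIN see the source database for day-to-day work, without
-- giving it any control over the share itself.
GRANT USAGE ON DATABASE snapshots TO ROLE sysadmin;
```

Running SHOW GRANTS TO SHARE before ADD ACCOUNTS is the cheap safeguard here: anything that appears in that list is readable from the other account the moment the share is attached.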