How to allow sysadmin to create role? - snowflake-cloud-data-platform

SYSADMIN role cannot create roles at the moment or at least that's what I learned from the docs. Does anyone know how to allow SYSADMIN to create roles?

You can grant the CREATE ROLE privilege to a role. Why not create a custom role that meets your needs instead of manipulating a system-defined role? https://docs.snowflake.net/manuals/user-guide/security-access-control-privileges.html#global-privileges

Only roles which inherit the privileges of the the SECURITYADMIN role will be able to create users. From the docs:
The security administrator (SECURITYADMIN) role includes the privileges to create and manage users and roles
This means you should be able to add the SYSADMIN role as a member of the SECURITYADMIN role and you'll be able to manage users and roles with SYSADMIN.
As #SuzyLockwood has mentioned though, you should probably create a separate role to manage these objects

Related

create db from share from different role in reader account Snowflake

I have a share(i.e. shareTest_share) in accountAdmin role in one of my reader accounts in snowflake.
Now I want to create a database from this, but from sysAdmin role.
The statement for creating database is:
CREATE or replace DATABASE shareTest_db FROM SHARE mukulanalytics.shareTest_share
This is giving permission issue since I am trying to execute it from the sysAdmin role instead of accountAdmin role which has the access to shareTest_share share.
Error:
SQL access control error: Insufficient privileges to operate on foreign share 'SHARETEST_SHARE'
How can I create a database from share in a different role with share in another role?
You will have to grant the IMPORT SHARE privilege to SYSADMIN/any other users
use role accountadmin
grant import share on account to sysadmin
use role sysadmin
create database TEST from share <>
https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html
the privileges required to achieve this are described here: https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html

Snowflake - Give full access on database to role; revoke access on specific schemas to user that is part of the role

Is there a way to do this?
There is a admin role which is the owner of the database, schema & all other objects.
There is tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that any new objects created - the ownership will be on the admin role).
Have to revoke access to users of the tester role access on all other schemas in the database
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this - The testerrole needs to be able to create objects in the DEVSCHM, but ownership of the object should still be held with adminrole
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role

Insufficient privileges to operate on 'SYSTEM' running SHOW ORGANIZATION ACCOUNTS

I'm new to snowflake and trying to read through all the documentation. One of the subjects was account identifiers and provided SQL to show organization accounts. When trying to execute this under the ACCOUNTADMIN role, I receive the following error.
SHOW ORGANIZATION ACCOUNTS
SQL access control error: Insufficient privileges to operate on
'SYSTEM'
If account admin is the most powerful account, what else might be happening here?
You should execute this command as an ORGADMIN. Only organization administrators (users with the ORGADMIN role) can execute this SQL command.
https://docs.snowflake.com/en/sql-reference/sql/show-organization-accounts.html#usage-notes
Enabling the ORGADMIN role
https://docs.snowflake.com/en/user-guide/organizations-gs.html#enabling-the-orgadmin-role-for-an-account
https://docs.snowflake.com/en/user-guide/organizations-gs.html#assigning-the-orgadmin-role-to-a-user-or-role
https://docs.snowflake.com/en/user-guide/organizations.html#orgadmin-role
ACCOUNTADMIN is the highest privileged role in an account but Organisation is a level above accounts. Firstly you would need to be set up to use Organisations and then you would need to use the ORGADMIN role to run Organisation-level queries
Please run below statement to grant ORGADMIN role in your account. This will allow you to use Organizations feature.
use role ACCOUNTADMIN;
grant role orgadmin to user <username>;--Run with accountadmin role
Or
use role ACCOUNTADMIN;
grant role orgadmin to role <non-systemroles>;--Run with accountadmin role
Doc link: https://docs.snowflake.com/en/user-guide-organizations.html

Snowflake role creation with minimum privileges

How to create a role in snowflake without any privileges or minimum privileges ?
I tried to create a role with parent role security-admin .
when I assign this role to user i am able to see databases of parent role also.
After I created role with parent role as public still I am able to see databases
what shall I do that a created role should not have access to any unless I grant it ?
When you create a role, it does not come with any privileges. The role can only access the objects granted to role PUBLIC:
use role accountadmin;
create role testing_role;
grant role testing_role to user gokhan;
use role testing_role;
show databases;
SAMPLE_DATA ...
show grants to role testing_role;
The last command will return zero rows. Are you sure you switch to the role when checking databases? Also note that UI has separate roles for worksheets and the tabs:
https://docs.snowflake.com/en/user-guide/ui-worksheet.html#overview-of-features
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html

How to create snowflake security admin role and at same time restrict the permission only on one database

Environment: snowflake database.
i am trying to find a way to create a role which have security admin permission but should limit the permission only to specific database. is this doable or not? if so, anyone can help me on this? thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake and a lot of his permissions are not database-related (for example role and user management). Indeed most of the database-related grants belongs to SYSADMIN role.
So if you want to create a custom role having limited permissions on a specific database. You should list the permission which are database related and grant this permissions to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level, not db-level objects. So I am guessing you are trying actually to do the same role mgmt that SECURITYADMIN does, but at db-level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role to SECURITYADMIN_DB1;
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then assign all access roles to the custom SECURITYADMIN_DB1 role, so your role will manage that particular db only.

Resources