Snowflake warehouse: get all roles (including inherited ones) assigned to a user - snowflake-cloud-data-platform

I am trying to get all the roles a user is part of. In my case, the user is part of an admin role which inherits another role, ingestor, which in turn inherits another role, analyst. If I query from Snowflake as follows:
show grants to user <userid>
This lists only the admin role but not the other two roles (ingestor, analyst). If the same user logs into Snowflake, he can see all three roles available to him in the role dropdown.
I need help to get all explicit roles irrespective of role inheritance.

As a start, the views "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS" and "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES" in combination have the information you need, but are only accessible to ACCOUNTADMIN.
You also have:
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."ENABLED_ROLES";
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."APPLICABLE_ROLES";
The latter looks like a good place to start.
Edit, early 2023:
If you want to make your own near-instant expanded GRANTS_TO_ROLES, you can follow these steps:
Get roles with SHOW ROLES; RESULT_SCAN()
Iterate over roles above with SHOW GRANTS TO ROLE <role>; RESULT_SCAN()
Iterate over ALL_USER_NAMES() with SHOW GRANTS TO USER <user>; RESULT_SCAN()
Finally create a SELECT statement with a recursive Common Table Expression expanding the nested roles
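Added example, not code from the answer above: a recursive Common Table Expression over the two ACCOUNT_USAGE views named at the start of this answer, expanding one user's roles through role-to-role inheritance (Snowflake records a role granted to another role as privilege USAGE on object type ROLE). It assumes a role that can read SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN by default); MY_USER is a placeholder, and because ACCOUNT_USAGE lags live metadata (documented latency of up to two hours), the SHOW-based steps above are the ones to use when the result must be current.

```sql
-- Expand the role hierarchy for one user (placeholder name MY_USER).
WITH RECURSIVE role_tree (user_name, role_name, depth, grant_path) AS (
    -- Anchor: roles granted directly to the user (active grants only).
    SELECT u.grantee_name,
           u.role,
           0,
           u.role
    FROM   snowflake.account_usage.grants_to_users u
    WHERE  u.grantee_name = 'MY_USER'
      AND  u.deleted_on IS NULL

    UNION ALL

    -- Recursive step: roles granted to the roles found so far.
    -- A role-in-role grant appears in GRANTS_TO_ROLES as
    -- PRIVILEGE = 'USAGE', GRANTED_ON = 'ROLE', NAME = child role,
    -- GRANTED_TO = 'ROLE', GRANTEE_NAME = parent role.
    SELECT t.user_name,
           r.name,
           t.depth + 1,
           t.grant_path || ' > ' || r.name
    FROM   role_tree t
    JOIN   snowflake.account_usage.grants_to_roles r
      ON   r.grantee_name = t.role_name
     AND   r.granted_to   = 'ROLE'
     AND   r.granted_on   = 'ROLE'
     AND   r.privilege    = 'USAGE'
     AND   r.deleted_on   IS NULL
    -- Snowflake rejects circular role grants, so this cap is only a safety net
    -- against runaway recursion if the data is ever inconsistent.
    WHERE  t.depth < 20
)
-- One row per inheritance path; a role reachable two ways shows twice,
-- which is useful when auditing where an unexpected privilege comes from.
SELECT DISTINCT user_name, role_name, depth, grant_path
FROM   role_tree
ORDER  BY depth, role_name;
```

For the example in the question the output would list admin at depth 0, ingestor at depth 1 and analyst at depth 2, each with the path that granted it.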

I found the best way to find all roles including inherited roles.
Just run the SQL below:
SELECT CURRENT_AVAILABLE_ROLES()

Related

RBAC for default access

I need some inputs on RBAC governance.
Scenario:
There is a role in QA, READ_ROLE_QA, that has access to 2 schemas, i.e.
schema_etl & schema_load
Now, under schema_etl, if any objects are getting created, i.e. tables & views, then by default whoever has access to the role "READ_ROLE_QA" is able to see those objects.
But if any object gets created under schema "schema_load", then all users who have access to the role "READ_ROLE_QA" are not able to even see those objects.
What inputs are needed:
How to ensure what access needs to be given to the role "READ_ROLE_QA" so that any object which gets created under schema "schema_load" is, by default, visible to the users having role "READ_ROLE_QA".
Currently "USAGE" privileges are granted to the role "READ_ROLE_QA" for the schema "schema_load".
I appreciate any help or inputs on this request.
Please check out FUTURE GRANTS in Snowflake: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#future-grants-on-database-or-schema-objects
The following statement gives the role READ_ROLE_QA access to all future created tables in your schema schema_load. (Other privileges like USAGE are already given.)
grant select on future tables in schema <database>.schema_load to role READ_ROLE_QA;

Snowflake : List out all roles and their access level to each Database objects

I need to get all the roles and their access to each database object, whether it is read access or write access.
In Snowflake, I tried the following:
show roles
select * from table(RESULT_SCAN (LAST_QUERY_ID()));
I'd like to show ALL grants for ALL roles in one table. My best guess would be to write a procedure that iterates through all the role names, executes the above code, and outputs the result to a table.
Is there a better way of doing this?
I also checked the view GRANTS_TO_ROLES, but I'm not sure if this gives me all the roles for all the databases.

Switching user roles in snowflake

I am switching my Snowflake roles in my account console but, in my worksheet context, the role doesn't automatically reflect. Do I need to change this in both the places all the time?
Let's say you switch your role from A to B in the upper right corner and you want to execute the query with role B. In this case you also have to switch the role in the worksheet to B.
The role on your worksheet-level "overwrites" the role in your upper right corner.
You can change the role on the worksheet-level by using the GUI or executing USE ROLE xy;.
The role mentioned under your username in the top right-hand corner is for the options available to the left of the same console. This is totally independent of the role selected in each worksheet.
For example, with the ACCOUNTADMIN role you would be able to see an additional option like Account, which will not be available with the PUBLIC role. You can try switching between the roles.
The role selected in the worksheet defines your access privileges on the database objects. The SQL statements executed are evaluated with the worksheet role.
You can set user properties such as Default_role, Default_warehouse & Default_namespace (db & schema). Details here.
This will help to get your user context set with the defaults on every new worksheet created.

Roles Metadata Tables in Snowflake

I need to check the roles and grants given to users, but from the metadata tables.
Basically, I need the metadata table where I can query this using multiple roles, e.g. XXX, YYY, ZZZ. I need this to get the hierarchy of the roles that might have been granted.
I can do show grants OF role XXX - this will give me all the users/roles to which this role is granted, but I have to do it for one role at a time.
If I do
SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE='XXX'
AND DELETED_ON IS null;
It gives me only the users who have been granted this role, not the roles themselves.
If I check the GRANTS_TO_ROLES table, it gives me the actual privileges given to that role, but not the other roles to which the particular role is granted.
What you can do is use the SHOW syntax rather than SELECT:
show roles in account;
will give you the full list of roles (still coming from metadata). I'm not sure what exactly you want to do with them further, but in case you actually want to process the results in a query you can follow it with
select * from table(result_scan(last_query_id()));
and use it to join with other tables, or just copy it into some sort of temporary table and join further from there.
You mentioned the hierarchy - I suspect you want to see which roles are granted to other roles.
Try this:
show grants of role Your_Role
In the table returned you will see that some roles are assigned to other roles and to users, i.e. the column granted_to.

Roles in Cubes (SSAS)

My current cube has two roles:
AdminSec: is for a few users only and refers to a group of administrators in my Active Directory.
GlobalSec: refers to "Everyone" and gives everyone access to read all data.
We are now planning to incorporate a new department (MinimalDepartment) in our company. This department should not have access to very much of the information in our company, so my plan is to create a third role (DepartmentSec) and assign a new Active Directory group (MinimalDepartment) to this role. Also, I will limit the access to my dimension data by deselecting all departments and only granting access to the relevant department in the Department dimension.
My question is: If an employee is a member of the Active Directory Group MinimalDepartment will they then only be able to see the data in the cube which the role DepartmentSec allows (which is what I want)? Or will they be able to see all data as they are also part of "everyone" and therefore also the role GlobalSec?
If it is the latter is it then possible somehow to create the role so "everyone" has access except those in AD-group MinimalDepartment?
It seems that I have to create a new group in my AD which contains all the departments which I want to include and then use this instead of "everyone". Fortunately my IT support could tell me that we already have this group, so for me it's not a problem.