Access Control in Snowflake

From Admin to Employee

Snowflake offers many options for controlling what different users can access. In this blog we show how the fictional company Luminary divides access based on roles instead of individual users. Learn how to manage data access efficiently and securely, from system administration to individual employees.

RBAC Model in Snowflake

Snowflake uses the RBAC model, which stands for Role-Based Access Control. This means that access to data and functions is controlled based on roles rather than individual users.

In databases you will find many different objects, such as tables, views and stored procedures. To manage this efficiently, Snowflake uses roles. You then assign these roles to users. In this blog we will show you how we apply the extensive possibilities of Snowflake for access control to the fictitious company Luminary.

System Administration

In this blog, Luminary has, besides its stores, departments for sales, finance and HR. Sales and finance in particular use a lot of data for their decisions, but there are also many possibilities for HR. Specialized dashboards provide daily insight. Snowflake makes it possible for all departments to work with the data.

First, the administrator sets up the Snowflake environment by configuring the databases, schemas, and warehouses. The administrator has access to the role 'ACCOUNTADMIN'. Because the data is privacy-sensitive, she applies the principle of least privilege: an employee can only see the data that is relevant to them.

The system administrator creates three new roles: ADMIN_HR, ADMIN_SALES, and ADMIN_FINANCE. These roles are assigned to the managers within the departments. Each role is then given read-only rights to the relevant databases.

We follow the hierarchy downwards. From the admin level, we need to redistribute the roles among the employees of the department. This way, the manager of the department has strong permissions, but cannot access the data of another department. Because the roles for the employees themselves are based on the admin role, you can control access in great detail. When a new employee is hired, onboarding with Snowflake is also easy: after a new user has been created, you only need to assign the relevant role, namely that of Employee.

The bottom level of the Luminary role pyramid is at the level of individual employees. This role cannot delete records, of course, but it also cannot create new roles. In fact, this role cannot do more than strictly necessary, which is exactly how the principle of least privilege should be implemented. From the parent ADMIN role onwards, the relevant tables and views are already prepared. In this way, the Snowflake environment is neatly set up for use at all levels of the company.
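
The hierarchy described above, sketched for the HR department as an added example (not code from this blog or from Luminary). The database HR_DB, schema REPORTING, warehouse LUMINARY_WH, role name EMPLOYEE_HR and user J_DOE are assumed names; ADMIN_SALES and ADMIN_FINANCE follow the same pattern.

```sql
-- ACCOUNTADMIN inherits SECURITYADMIN; running role management as
-- SECURITYADMIN keeps ACCOUNTADMIN out of routine work.
USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS ADMIN_HR;
CREATE ROLE IF NOT EXISTS EMPLOYEE_HR;   -- assumed name for the Employee role

-- Hierarchy: ADMIN_HR inherits every privilege of EMPLOYEE_HR, never the reverse.
GRANT ROLE EMPLOYEE_HR TO ROLE ADMIN_HR;
-- Attach the custom role to SYSADMIN so its objects stay manageable.
GRANT ROLE ADMIN_HR TO ROLE SYSADMIN;

-- Employee level: compute plus read access to the prepared views only.
GRANT USAGE  ON WAREHOUSE LUMINARY_WH TO ROLE EMPLOYEE_HR;
GRANT USAGE  ON DATABASE HR_DB TO ROLE EMPLOYEE_HR;
GRANT USAGE  ON SCHEMA HR_DB.REPORTING TO ROLE EMPLOYEE_HR;
GRANT SELECT ON ALL VIEWS IN SCHEMA HR_DB.REPORTING TO ROLE EMPLOYEE_HR;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA HR_DB.REPORTING TO ROLE EMPLOYEE_HR;

-- Manager level: read-only on the whole HR database, nothing on SALES or FINANCE.
GRANT USAGE  ON ALL SCHEMAS IN DATABASE HR_DB TO ROLE ADMIN_HR;
GRANT SELECT ON ALL TABLES IN DATABASE HR_DB TO ROLE ADMIN_HR;
GRANT SELECT ON ALL VIEWS  IN DATABASE HR_DB TO ROLE ADMIN_HR;
GRANT SELECT ON FUTURE TABLES IN DATABASE HR_DB TO ROLE ADMIN_HR;

-- Onboarding: DEFAULT_ROLE only selects the role at login, it does not
-- grant it, so the explicit GRANT ROLE is still required.
CREATE USER IF NOT EXISTS J_DOE
  DEFAULT_ROLE = EMPLOYEE_HR
  DEFAULT_WAREHOUSE = LUMINARY_WH;
GRANT ROLE EMPLOYEE_HR TO USER J_DOE;

-- Review: confirm no INSERT/UPDATE/DELETE/OWNERSHIP or CREATE ROLE slipped in.
SHOW GRANTS TO ROLE EMPLOYEE_HR;   -- privileges the role holds
SHOW GRANTS TO ROLE ADMIN_HR;      -- includes the inherited EMPLOYEE_HR role
SHOW GRANTS OF ROLE ADMIN_HR;      -- users and roles that hold ADMIN_HR
SHOW GRANTS TO USER J_DOE;         -- roles granted to the new employee
```

Re-running the SHOW GRANTS statements after every change gives a simple audit of whether each level still holds only what it needs.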
