Required Permissions
Configure the permissions required to grant necessary access rights to resources or data within the system to perform connector operations.
Administrative Account Permissions
Complete the following to set up a Snowflake administrative account with the minimum required permissions for the listed operation:
- Log in to Snowflake with the ACCOUNTADMIN role and execute the following command:
CREATE USER "UserName";
- Generate the public key. The public key is in the PEM format. For more information on generating the public key, refer to Generating Keys.
The following is an example of the public key in PEM format:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4
zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk
...
-----END PUBLIC KEY-----
- In the following command, replace PublicKey with the key you generated (do not include the BEGIN PUBLIC KEY and END PUBLIC KEY lines):
ALTER USER "UserName" SET RSA_PUBLIC_KEY='PublicKey';
For example:
ALTER USER MYUSER SET RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1hhZwJvU4+MiD92bLLmf
zvdieU6TvuaSrjKJGtEndSWRR3p2pMFIzDWbbX1PHPqtt43C+meMtKtwMVl8JWEk
IawC7ZnfjHROufWVhpb+8DwhHuH/r7GWXCNCyjJTH/Z+htdIYFM/pbSKW1Qdt5X0
Bf5TGINAe9XxL2Zp5kqo8pYMiPGudgUdYQlMGZ6y1AH0Rcb76KUkoHNrJQA/xRI8
LSDMNJQSJo6rPGARD1Rn9ns0Z3M1qnoH6LOOX0GX3T4GU+ERwPaMVcMjkweSA3a1
sqLhq+9hpC8piW+LaEv2clj1Sp73m70qh/0l8Cb2O4sq7Iov8G8Iahe0LGLVQX3+
uQIDAQAB';
- Use the following command to grant the ACCOUNTADMIN role to the user:
GRANT ROLE ACCOUNTADMIN TO USER "UserName";
- Use the following command to verify the user's public key fingerprint:
DESCRIBE USER "UserName";
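As an added example (not part of this SailPoint documentation and not Snowflake tooling), the following Python script prepares the PEM key for the ALTER USER step above and computes the fingerprint you should see in the RSA_PUBLIC_KEY_FP column of the DESCRIBE USER output, so a pasted key can be checked before and after it is set. It assumes Snowflake's fingerprint format of SHA-256 over the DER-encoded public key, base64-encoded with a SHA256: prefix; the embedded PEM block is a constructed placeholder, not a usable key.

```python
import base64
import hashlib
import re

# Constructed sample: standard 2048-bit RSA SubjectPublicKeyInfo prefix plus filler.
# It parses structurally but is NOT a usable key.
SAMPLE_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAc0nstructedF1llerABC
constructedFillerNotARealKey0001constructedFillerNotARealKey0001
constructedFillerNotARealKey0002constructedFillerNotARealKey0002
constructedFillerNotARealKey0003constructedFillerNotARealKey0003
constructedFillerNotARealKey0004constructedFillerNotARealKey0004
constructedFillerNotARealKey0005constructedFillerNotARealKey0005
uQIDAQAB
-----END PUBLIC KEY-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_snowflake_key(pem: str) -> str:
    """Return the base64 body that goes into ALTER USER ... SET RSA_PUBLIC_KEY."""
    m = PEM_RE.search(pem)
    if not m or m.group(1) != "PUBLIC KEY":
        # Refuse private keys and anything else that is not a PEM public key.
        raise ValueError("expected a -----BEGIN PUBLIC KEY----- block")
    body = "".join(m.group(2).split())  # drop header, footer and all line breaks
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # SubjectPublicKeyInfo starts with a DER SEQUENCE
        raise ValueError("body does not decode to a DER SubjectPublicKeyInfo")
    return body

def snowflake_fingerprint(key_body: str) -> str:
    """SHA-256 of the DER key, base64-encoded, as DESCRIBE USER shows RSA_PUBLIC_KEY_FP."""
    digest = hashlib.sha256(base64.b64decode(key_body)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii")

def alter_user_statement(user: str, key_body: str) -> str:
    """Build the ALTER USER statement with the identifier double-quoted as on the page."""
    if '"' in user:
        raise ValueError("user name must not contain double quotes")
    return f"ALTER USER \"{user}\" SET RSA_PUBLIC_KEY='{key_body}';"

if __name__ == "__main__":
    body = pem_to_snowflake_key(SAMPLE_PUBLIC_KEY_PEM)
    print(alter_user_statement("UserName", body))
    # Compare this value with RSA_PUBLIC_KEY_FP from DESCRIBE USER "UserName";
    print("expected RSA_PUBLIC_KEY_FP:", snowflake_fingerprint(body))
```

Run it against your real rsa_key.pub and compare the printed fingerprint with the RSA_PUBLIC_KEY_FP value Snowflake reports; a mismatch means a different key (or a mangled paste) was stored.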
SYSADMIN Role
Snowflake recommends creating a hierarchy of custom roles, with the top-most custom role assigned to the system role SYSADMIN. For more information, refer to the Snowflake documentation.
Note
The linked document is not maintained by SailPoint and is subject to change without notice.
- Use the following command to create a role:
CREATE ROLE "Rolename";
- Use the following command to grant the new role to the SYSADMIN role, placing it under SYSADMIN in the recommended hierarchy:
GRANT ROLE "Rolename" TO ROLE SYSADMIN;
Role Permissions
Use the following command to grant a role to a user:
GRANT ROLE "Rolename" TO USER "UserName";
Use the following command to set a user's default role:
ALTER USER "UserName" SET DEFAULT_ROLE = "Rolename";
Test Connection Permissions
By default, when you create a user, it is assigned a bare minimum role (PUBLIC). Only this bare minimum role is required to test your connection.
Account Aggregation Permissions
The following command can only be executed by users with a role that has the MANAGE GRANTS global privilege:
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE "Rolename";
Filter Data Permissions
Filter data permissions for account and group aggregation are as follows:
- Ensure the following is already set:
ALTER USER "UserName" SET DEFAULT_ROLE = "Rolename";
- Use the following command to create a virtual warehouse named WAREHOUSENAME:
CREATE WAREHOUSE WAREHOUSENAME;
- Use the following command to make WAREHOUSENAME the user's default warehouse:
ALTER USER "UserName" SET DEFAULT_WAREHOUSE=WAREHOUSENAME;
- Use the following command to give the Rolename role the ability to use WAREHOUSENAME:
GRANT USAGE ON WAREHOUSE WAREHOUSENAME TO ROLE "Rolename";
Group Aggregation Permissions
By default, when you create a user, it is assigned a bare minimum role (PUBLIC). Only a bare minimum role is required to perform a group aggregation.
CREATE Account Permissions
The CREATE command can only be executed by users with a role that has the CREATE USER global privilege. Use the following command to grant it:
GRANT CREATE USER ON ACCOUNT TO ROLE "Rolename";
MODIFY, ENABLE, DISABLE, UNLOCK, or CHANGE PASSWORD Permissions
Note the following with the OWNERSHIP privilege:
- The OWNERSHIP privilege grants the ability to delete, alter, rename, and grant or revoke access to an object.
- OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred to a different role by the owning role (or any role with the MANAGE GRANTS privilege) using the GRANT OWNERSHIP command.
- The OWNERSHIP privilege grants full control over an object. Only a single role can hold this privilege on a specific object at a time. For more information on the GRANT OWNERSHIP command, refer to the Snowflake documentation.
Only the role with the OWNERSHIP privilege on the user, or a higher role, can execute this command to modify most user properties.
To grant ownership permissions, use the following command:
GRANT OWNERSHIP ON USER "UserName" TO ROLE "Rolename";
Where UserName refers to the name of the user that you are modifying.
Note
To modify, enable, disable, unlock, or change the password of a user, the role assigned to the connector user must, at minimum, hold the OWNERSHIP privilege on the user you are modifying.