Required Permissions

Configure the permissions required to grant necessary access rights to resources or data within the system to perform connector operations.

Administrative Account Permissions
SYSADMIN Role
Role Permissions
Test Connection Permissions
Account Aggregation Permissions
Filter Data Permissions
Group Aggregation Permissions
CREATE Account Permissions
MODIFY, ENABLE, DISABLE, UNLOCK, or CHANGE PASSWORD Permissions

Administrative Account Permissions

Complete the following to set up a Snowflake administrative account with the minimum required permissions for the listed operation:

Log in to Snowflake with the ACCOUNTADMIN role and execute the following command:

CREATE USER "UserName";
Generate the public key. The public key is in the PEM format. For more information on generating the public key, refer to Generating Keys.

The following is an example of the public key in PEM format:

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4

zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk

...

-----END PUBLIC KEY-----

In the following command, replace PublicKey with the key you generated (do not include the BEGIN PUBLIC KEY and END PUBLIC KEY lines):

ALTER USER "UserName" SET RSA_PUBLIC_KEY='PublicKey';

For example:

Copy

ALTER USER MYUSER SET RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1hhZwJvU4+MiD92bLLmf
zvdieU6TvuaSrjKJGtEndSWRR3p2pMFIzDWbbX1PHPqtt43C+meMtKtwMVl8JWEk
IawC7ZnfjHROufWVhpb+8DwhHuH/r7GWXCNCyjJTH/Z+htdIYFM/pbSKW1Qdt5X0
Bf5TGINAe9XxL2Zp5kqo8pYMiPGudgUdYQlMGZ6y1AH0Rcb76KUkoHNrJQA/xRI8
LSDMNJQSJo6rPGARD1Rn9ns0Z3M1qnoH6LOOX0GX3T4GU+ERwPaMVcMjkweSA3a1
sqLhq+9hpC8piW+LaEv2clj1Sp73m70qh/0l8Cb2O4sq7Iov8G8Iahe0LGLVQX3+
uQIDAQAB';

Use the following command to grant the ACCOUNTADMIN role to a user:

GRANT ROLE ACCOUNTADMIN TO USER "UserName";
Use the following command to verify the user's public key fingerprint:

DESCRIBE USER "UserName";

SYSADMIN Role

Snowflake recommends creating a hierarchy of custom roles, with the top-most custom role assigned to the system role SYSADMIN. For more information, refer to the Snowflake documentation.

Note
The linked document is not maintained by SailPoint and is subject to change without notice.

Use the following command to create a role:

CREATE ROLE "Rolename";
Use the following command to assign the SYSADMIN role to the new role:

GRANT ROLE "Rolename" TO ROLE SYSADMIN;

Role Permissions

Use the following command to grant a role to a user:

GRANT ROLE "Rolename" TO USER "UserName";

Use the following command to set a user's default role:

ALTER USER "UserName" SET DEFAULT_ROLE = "Rolename";

Test Connection Permissions

By default, when you create a user, it is assigned a bare minimum role (PUBLIC). Only a bare minimum role is required for to test your connection.

Account Aggregation Permissions

This command can only be executed by users with a role that has the MANAGE GRANTS global privilege.

GRANT MANAGE GRANTS ON ACCOUNT TO ROLE "Rolename";

Filter Data Permissions

Filter data permissions for account and group aggregation are as follows:

Ensure the following is already set:

ALTER USER "UserName" SET DEFAULT_ROLE = "Rolename";
Use the following command to create a virtual warehouse named WAREHOUSENAME:

CREATE WAREHOUSE WAREHOUSENAME;
Use the following command so that WAREHOUSENAME becomes the user's default warehouse:

ALTER USER "UserName" SET DEFAULT_WAREHOUSE=WAREHOUSENAME;
Use the following command to gives the Rolename role the ability to use WAREHOUSENAME:

GRANT USAGE ON WAREHOUSE WAREHOUSENAME TO ROLE "Rolename";

Group Aggregation Permissions

By default, when you create a user, it is assigned a bare minimum role (PUBLIC). Only a bare minimum role is required to perform a group aggregation.

CREATE Account Permissions

The CREATE command can only be executed by users with a role that has the CREATE USER global privilege.

GRANT CREATE USER ON ACCOUNT TO ROLE "Rolename";

MODIFY, ENABLE, DISABLE, UNLOCK, or CHANGE PASSWORD Permissions

Note the following with the OWNERSHIP privilege:

The OWNERSHIP privilege grants the ability to delete, alter, rename, and grant or revoke access to an object.
OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred to a different role by the owning role (or any role with the MANAGE GRANTS privilege) using the GRANT OWNERSHIP command.
The OWNERSHIP privilege grants full control over an object. Only a single role can hold this privilege on a specific object at a time. For more information on the GRANT OWNERSHIP command, refer to the Snowflake documentation.

Only the role with the OWNERSHIP privilege on the user, or a higher role, can execute this command to modify most user properties.

To grant ownership permissions, use the following command:

GRANT OWNERSHIP ON USER "UserName" TO ROLE "Rolename";

Where UserName refers to the name of the user that you are modifying.

Note
To modify, enable, disable, unlock, or change the password of a user, a minimum permission user assigned role should have ownership permission on the user who you are modifying.

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here: