Skip to content

Snowflake Permissions Reference

This section defines the privileges required for SailPoint Entro to integrate with Snowflake securely and effectively.

SailPoint Entro requires limited, read-only privileges through the ENTRO_ROLE. Identity metadata (users, roles, and grants) is collected through the Snowflake REST API using the dedicated ENTRO user.

Note: SailPoint Entro does not query, modify, or store table data. Access is strictly metadata-based.

Required Permissions

GRANT MONITOR ON ACCOUNT TO ROLE ENTRO_ROLE;
GRANT USAGE ON DATABASE SNOWFLAKE TO ROLE ENTRO_ROLE;
GRANT USAGE ON SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ENTRO_ROLE;
GRANT USAGE ON SCHEMA SNOWFLAKE.ORGANIZATION_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA SNOWFLAKE.ORGANIZATION_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA SNOWFLAKE.ORGANIZATION_USAGE TO ROLE ENTRO_ROLE;

Permissions Justification

Privilege Object Purpose
MONITOR ACCOUNT Read-only visibility into account activity and audit logs
USAGE DATABASE SNOWFLAKE Access to the system database containing usage views
USAGE, SELECT SNOWFLAKE.ACCOUNT_USAGE Read-only access to account-level metadata views
USAGE, SELECT SNOWFLAKE.ORGANIZATION_USAGE Read-only access to organization-level metadata views