Snowflake Permissions Reference
This section defines the privileges required for SailPoint Entro to integrate with Snowflake securely and effectively.
SailPoint Entro requires limited, read-only privileges through the ENTRO_ROLE. Identity metadata (users, roles, and grants) is collected through the Snowflake REST API using the dedicated ENTRO user.
Note: SailPoint Entro does not query, modify, or store table data. Access is strictly metadata-based.
Required Permissions
GRANT MONITOR ON ACCOUNT TO ROLE ENTRO_ROLE;
GRANT USAGE ON DATABASE SNOWFLAKE TO ROLE ENTRO_ROLE;
GRANT USAGE ON SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA SNOWFLAKE.ACCOUNT_USAGE TO ROLE ENTRO_ROLE;
GRANT USAGE ON SCHEMA SNOWFLAKE.ORGANIZATION_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA SNOWFLAKE.ORGANIZATION_USAGE TO ROLE ENTRO_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA SNOWFLAKE.ORGANIZATION_USAGE TO ROLE ENTRO_ROLE;
Permissions Justification
| Privilege | Object | Purpose |
|---|---|---|
| MONITOR | ACCOUNT | Read-only visibility into account activity and audit logs |
| USAGE | DATABASE SNOWFLAKE | Access to the system database containing usage views |
| USAGE, SELECT | SNOWFLAKE.ACCOUNT_USAGE | Read-only access to account-level metadata views |
| USAGE, SELECT | SNOWFLAKE.ORGANIZATION_USAGE | Read-only access to organization-level metadata views |