Overview

Snowflake provides a set of pre-defined roles (such as SYSADMIN and ACCOUNTADMIN), but the use of these powerful roles should be restricted to appropriate personnel. Instead, Snowflake recommends that customers create a custom role hierarchy that reflects the data and user community's security requirements within each Snowflake account.

This blog post presents a methodology for developing just such a security model using Snowflake’s Role-Based Access Control (RBAC) scheme. It recommends an approach that distinguishes object access roles from user functional roles and then describes how to build a unified security model that combines both types of roles.

Background

Snowflake’s RBAC scheme defines who can access and perform operations on specific objects (tables, views, schemas, etc.) within an account. Roles are the entities to which privileges on securable database objects can be granted and revoked and are assigned to users to allow them to perform actions required for business functions in their organization. It looks something like…