Photo by Pablo Guerrero on Unsplash

Snowflake Access Control — How to get it right, first time

David Oyegoke
Published in Slalom Data & AI
Sep 23, 2020

This is the third blog in Slalom’s Snowflake series. In our last blog, we explored the different Snowflake Deployment Options.

In this post, we’ll be covering Snowflake access control.

Role-Based Access Control

Snowflake Role-based Access Control (RBAC) is arguably one of the main things that clients often struggle to get right on the first attempt.

Unlike most traditional databases, Snowflake users do not have any direct access to, or ownership of, objects. A user in Snowflake is purely a set of login credentials, and can perform tasks only after assuming a suitable role.

By default, Snowflake allows two methods for access control:

  • Discretionary Access Control (DAC) — Each object has an owner role which can grant access on that object to other roles. This can be disabled by using managed schemas.
  • Role-based Access Control (RBAC) — Access privileges are assigned to roles, which are in turn assigned to users.

Inheritance Model

Snowflake follows a vertical inheritance model for roles.

For example, the user shown in the diagram below must assume one of the six roles before they can perform any task. If they were to assume ‘Role-1’, they would only be able to access DB1, whereas if they assumed ‘Role-2’, they would be able to access all databases: DB1, DB2 and DB3.

By default, an object is owned by the role that was used to create it, and the owner role can also grant access on that object to any of the other roles (DAC).
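
The Role-1 / Role-2 scenario above can be written out in Snowflake SQL, as an added example that is not part of the original post. The role names ROLE_1, ROLE_2, ROLE_DB2 and ROLE_DB3, the user EXAMPLE_USER, the schema REPORTING and the exact shape of the hierarchy are assumptions; only DB1, DB2 and DB3 come from the text.

```sql
-- Added example. Hypothetical names: ROLE_1, ROLE_2, ROLE_DB2, ROLE_DB3,
-- EXAMPLE_USER, REPORTING. Assumes DB1, DB2 and DB3 already exist.
USE ROLE SECURITYADMIN;  -- system role that creates roles and manages grants

-- One access role per database, so each privilege set is granted exactly once.
CREATE ROLE IF NOT EXISTS ROLE_1;    -- DB1 only
CREATE ROLE IF NOT EXISTS ROLE_DB2;  -- DB2 only
CREATE ROLE IF NOT EXISTS ROLE_DB3;  -- DB3 only
CREATE ROLE IF NOT EXISTS ROLE_2;    -- holds no privileges of its own

-- RBAC: privileges are granted to roles, never to users.
GRANT USAGE  ON DATABASE DB1                TO ROLE ROLE_1;
GRANT USAGE  ON ALL SCHEMAS IN DATABASE DB1 TO ROLE ROLE_1;
GRANT SELECT ON ALL TABLES  IN DATABASE DB1 TO ROLE ROLE_1;

GRANT USAGE  ON DATABASE DB2                TO ROLE ROLE_DB2;
GRANT USAGE  ON ALL SCHEMAS IN DATABASE DB2 TO ROLE ROLE_DB2;
GRANT SELECT ON ALL TABLES  IN DATABASE DB2 TO ROLE ROLE_DB2;

GRANT USAGE  ON DATABASE DB3                TO ROLE ROLE_DB3;
GRANT USAGE  ON ALL SCHEMAS IN DATABASE DB3 TO ROLE ROLE_DB3;
GRANT SELECT ON ALL TABLES  IN DATABASE DB3 TO ROLE ROLE_DB3;

-- Vertical inheritance: a role granted TO another role becomes its child,
-- and the parent inherits every privilege of the child.
GRANT ROLE ROLE_1   TO ROLE ROLE_2;
GRANT ROLE ROLE_DB2 TO ROLE ROLE_2;
GRANT ROLE ROLE_DB3 TO ROLE ROLE_2;

-- The user is only a login; access depends on which role is assumed.
GRANT ROLE ROLE_1 TO USER EXAMPLE_USER;
GRANT ROLE ROLE_2 TO USER EXAMPLE_USER;

-- Review the result before handing the roles out.
SHOW GRANTS TO ROLE ROLE_1;        -- privileges on DB1 only
SHOW GRANTS TO ROLE ROLE_2;        -- the three child roles it inherits from
SHOW GRANTS OF ROLE ROLE_2;        -- users and roles that can assume ROLE_2
SHOW GRANTS TO USER EXAMPLE_USER;  -- roles this login may assume

-- DAC control: in a managed access schema, object owners can no longer grant
-- access themselves; only the schema owner or a role with MANAGE GRANTS can.
USE ROLE SYSADMIN;  -- assumption: SYSADMIN owns DB1
CREATE SCHEMA IF NOT EXISTS DB1.REPORTING WITH MANAGED ACCESS;
```

A session running `USE ROLE ROLE_1;` can query DB1 only, while `USE ROLE ROLE_2;` reaches all three databases through the inherited roles.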

Evidently, it is important to ensure that access control is implemented correctly to avoid any re-work during and post-implementation.

The following diagram illustrates an example of a role hierarchy for a single account deployment:

A simplified RBAC model using a custom role hierarchy that separates the logical environments is crucial for a secure and flexible implementation.

How Slalom can help

Slalom has the experience to help your business make the most of Snowflake and set the stage for long-term growth and sustainability.

Our Snowflake credentials include:

  • Snowflake Partner of the Year for three consecutive years — 2018, 2019 and 2020
  • Over 200 Snowflake certified consultants
  • Over 300 Snowflake projects delivered

In our next blog in the series, we cover data security in Snowflake.

David Oyegoke is a Data & Analytics Consultant based in Slalom’s London, UK office. Ashish Billore is a Data & Analytics Solution Architect, also based in Slalom’s London, UK office.

Slalom is a modern consulting firm focused on strategy, technology, and business transformation.
