RBAC, DAC, and the Securable Object Hierarchy

Snowflake Management, Governance & Collaboration

Emily Melhuish

Technical Curriculum Developer, Snowflake

Introducing Claro

  • Global credit-building app

The Access Problem


The Building Blocks

A privilege is a permission to act:

  • SELECT: read
  • INSERT: write
  • CREATE: build

  • Privilege: Permission to perform an action (e.g. SELECT, INSERT, CREATE)
  • Object: Anything a privilege can be granted on (table, schema, database, warehouse)
  • Role: An entity to which privileges are granted; can be granted to users or other roles
  • User: A person or service account that connects to Snowflake and holds roles

Role-Based Access Control (RBAC): How It Works

Flow from left to right of privilege, role and user

Implementing RBAC

Grant privilege to a role

GRANT SELECT ON TABLE core.credit_scores
  TO ROLE analyst_role;

Assign role to a user

GRANT ROLE analyst_role TO USER maria;

[1] [Snowflake: Access Control Privileges](https://docs.snowflake.com/en/user-guide/security-access-control-privileges)

Discretionary Access Control (DAC)

Partition showing DAC before and after transfer

  • Every object has an owner = a role, not a person
  • RBAC defines the role structure
  • DAC determines what each role controls

Transferring Ownership

Transfer ownership to a different role

-- Current owner: SYSADMIN
GRANT OWNERSHIP ON TABLE core.credit_scores
  TO ROLE data_engineer
  REVOKE CURRENT GRANTS;

The Securable Object Hierarchy


Applying USAGE at Every Level

GRANT USAGE ON DATABASE <your_database>
  TO ROLE analyst_role;

GRANT USAGE ON SCHEMA core
  TO ROLE analyst_role;

GRANT SELECT ON TABLE core.credit_scores
  TO ROLE analyst_role;
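The grant chain and the ownership transfer above, brought together as one added example (not code from the original slides): it assumes a database named claro_db, a warehouse named analyst_wh, and that the roles analyst_role and data_engineer already exist, and it uses COPY CURRENT GRANTS so the analyst's SELECT survives the change of owner.

```sql
-- Added example, not from the original slides. Assumed names: database claro_db,
-- warehouse analyst_wh, roles analyst_role and data_engineer (all pre-existing).
USE ROLE SECURITYADMIN;   -- holds MANAGE GRANTS, so it can grant on any object

-- 1. RBAC: the full chain analyst_role needs before one SELECT can run.
--    USAGE is required at every level of the hierarchy above the table,
--    and the role also needs a warehouse to execute the query on.
GRANT USAGE  ON WAREHOUSE analyst_wh                 TO ROLE analyst_role;
GRANT USAGE  ON DATABASE  claro_db                   TO ROLE analyst_role;
GRANT USAGE  ON SCHEMA    claro_db.core              TO ROLE analyst_role;
GRANT SELECT ON TABLE     claro_db.core.credit_scores TO ROLE analyst_role;

-- Roles can be granted to roles, not only to users: hanging the custom role
-- under SYSADMIN keeps the system-defined hierarchy able to reach it.
GRANT ROLE analyst_role TO ROLE SYSADMIN;
GRANT ROLE analyst_role TO USER maria;

-- 2. DAC: ownership moves from SYSADMIN to data_engineer.
--    REVOKE CURRENT GRANTS (the form shown on the slide) would also drop the
--    SELECT just given to analyst_role; COPY CURRENT GRANTS carries the
--    existing grants over to the new owner instead.
USE ROLE SYSADMIN;        -- the current owner performs the transfer
GRANT OWNERSHIP ON TABLE claro_db.core.credit_scores
  TO ROLE data_engineer
  COPY CURRENT GRANTS;

-- 3. Verify the result from both sides: what exists on the object,
--    and what the role (and through it the user) can reach.
SHOW GRANTS ON TABLE claro_db.core.credit_scores;  -- OWNERSHIP: data_engineer, SELECT: analyst_role
SHOW GRANTS TO ROLE analyst_role;                  -- the warehouse/database/schema USAGE and table SELECT
SHOW GRANTS TO USER maria;                         -- analyst_role
```

If the slide's REVOKE CURRENT GRANTS form is what you want (for example when an object changes teams and old access should not follow it), re-run the three USAGE grants and the SELECT for analyst_role after the transfer and confirm them with the same SHOW GRANTS checks.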

System-Defined Roles

  • ACCOUNTADMIN: Full account control
  • SYSADMIN: Creates databases and warehouses
  • SECURITYADMIN: Network policies, masking policies, role management
  • USERADMIN: Creates users and assigns roles
  • PUBLIC: Default role for every user

[1] [Snowflake: Access Control Overview](https://docs.snowflake.com/en/user-guide/security-access-control-overview)

Let's practice!
